It seems that for many years, actually probably forever, security professionals have behaved in a totally reactive way when it comes to data breaches. For example, if a breach was identified and it was determined that the root cause was a gap in user education, then the team would try to educate the user. This whole model is flawed because we are behaving and acting like victims: we really can’t see the who, what, when, where and why of the attacks we are going to be targeted with. We need to move from defense to offense when it comes to protecting ourselves.
To be in the mindset of an attacker you need to have answers to the following fundamental questions:
- What are your most valuable assets? Where are these assets? How can they be accessed?
- If you were the attacker, how would you spread malware? Who are the most ‘vulnerable’ targets in the organization?
- Do you have a view of the ‘normal’ behavior of your organization (people, behavior, locations and systems)?
As outlined in my previous blogs, these questions aren’t new; they are the absolute basics of any sound security program, yet we seem to get them wrong all the time and fall victim to attacks. So, it’s time to get on the offensive.
Here’s a quote from Sun Tzu, the ancient Chinese general who even in those days understood really sound security strategy:
‘It has been said before that he who has known both sides has nothing to fear in a hundred fights; he who is ignorant of the enemy, and fixes his eyes only on his own side, conquers, and the next time is defeated; he who not only is ignorant of the enemy, but also of his own resources, is invariably defeated.’