As a young lieutenant in the Marine Corps. I was surprised at the amount of time we spent learning offensive tactics versus defensive tactics. Through my training and experience I learned that my best approach to defense was an offensive mindset.
As a CIO for more than 30 years, I’ve approached security the same way. I would rather be offensively than defensively prepared. Some time ago I began working at a company that was experiencing a four-day DDoS (Denial of Service Attack). I joined on the third day of the attack and found the company to be ill-prepared for a DDoS, much less a basic hack. They were using home quality switches, had extremely low-quality firewalls, with no one on the staff who had firewall expertise, lacked load balancers that would have allowed them to build a defense in depth, and they never audited their own security. In short their strategy was hope, which isn’t a strategy.
“If you do get hacked or successfully attacked, make sure that everyone who needs to know, knows—all of the details. Including where you failed”
I’ve learned, many times the hard way, that security relies on pre-planning, measuring yourself—critically through internal audits—and spending the money required to ensure that you’ve got the right hardware, services, expertise and procedures in place to build a defense in depth.
For example, a content delivery network is not designed to function as a security structure, it is a very effective tool in combating attacks against your network, defeating a DDoS, giving you alternative routes and, in particular, giving you the best chance to stay ahead of the attacker’s bot’s.
In general, I always follow these rules:
1. Conduct a SWOT (Strengths, Weaknesses, Opportunities and Threats) when you first take the helm and at least quarterly thereafter. This enables you to continually assess your ability to withstand a security attack and will give you a high-level approach to and understanding of where you stand.
2. Conduct internal audits. In addition to your required audits (general computer controls, personal identifiable information, HIPAA, etc.), each year I conduct four quarterly internal audits. Two of these are conducted by my security team and two are completed by an external security service company. However, I make it clear to the company that I hire to audit my organization that I will take action on those issues that they find, but I won’t hire them to do the work. Their only opportunity is the audit itself. By doing this I ensure that there is no doubt about the veracity and quality of the audit. I also don’t use the same company twice in a row, which allows me to look at my systems and procedures through a variety of eyes.
3. Budget for security. A breakdown of your security envelope can cost your company millions, or can even destroy it. It’s well worth investing in those structures, services and hardware that can save your company. You do the same for your house by installing locks on the doors and windows, buying security systems, etc. However, don’t assume that the CFO will take your word or your logical explanation. Spend the time preparing a presentation that includes real-world examples of why you need to upgrade your firewalls, hire that additional security engineer or pay for those audits.
4. Focus on training, learning and teaching. These activities should always be ongoing. You can’t stop learning, because the threat is continually changing. Your business can never stop learning because of the previous threat comment and your business is constantly changing. You can never stop teaching because there are always new people or information. You’ll find that the more you teach, the more you learn. Pass the responsibility around to your subordinate leaders. Allowing them to teach will increase their knowledge as well.
A basic defense in depth starts with your network. If you’re an Internet company, seriously consider the advantages that a CDN gives you. In addition to extending your network, it allows you the ability to adjust and control your network on the fly. Every security system is anchored by a firewall. There are now a variety of options to include cloud-based firewalls, almost as many options as there are companies. It’s essential to select the right option for your company. If you decide to use an on-premises option, ensure that you include a firewall engineer for your staff. You can use contractor support to meet this requirement, but for such a critical piece of my network I prefer to hire my own employee who can manage my firewall while also keeping abreast of changes and new approaches to firewalling, cross training the rest of my engineering staff, participating in planning sessions, and participating as a key member of my security team.
A variety of security modules are available. I’ve used the F5 AWS with great results. It is a robust application and works in concert with my firewall. Many security applications do the same thing, and most work in concert with your firewall. This is a system that requires planning and engineering to ensure that it is well designed, supportable and works as a unified approach to network security. Additionally, there are a variety of companies that provide security services similar to the F5 AWS, which give you the ability to manage, monitor, gain early warning and control an attack, instead of reacting to an attack. A coordinated, consolidated attack on your business will take all of your attention, your team’s efforts and your supporting partner consultancies to beat back the hackers.
Post-attack you’ll need to conduct a full audit, not only to assess the damage but also to determine if the attackers took any other actions while you were distracted fighting the battle. An attack can be a ruse to plant a Trojan in your system to steal your data, making it look like normal traffic patterns. Be aware of any change or loss of data after an attack. Paranoia is the appropriate response once the attack stops. Assume the worst until you prove that there is no further damage taking place.
Always be on the lookout for external threats and internal vulnerabilities. You can’t afford to take a defensive approach. By taking the offensive, you’ll make your company a less inviting target. Finally, bad news never gets better with time. If you do get hacked or successfully attacked, make sure that everyone who needs to know, knows—all of the details. Including where you failed. Everyone makes mistakes, and it’s tough to be invincible. Do your best, however, and never, ever surrender.