
What Keeps You Up At Night?
Maybe you have nightmares about accidentally posting AWS console credentials on GitHub. Some CISOs undoubtedly have dreams where they must explain to the board that the company has just set the record for the world’s largest data breach. As a developer of security products, I spend many early mornings thinking about how hacking and data breaches continue to increase despite the significant advances that we are making to harden and secure facilities. Clearly, something rather fundamental is escaping our attention. I think that I have a good idea of what is going wrong.
If you think of hackers as unshaven 20-year-old guys attempting to amuse themselves in their parents’ basement, it’s difficult to explain the growing tsunami of breaches. Let’s face it: if amateur hacking were profitable, would people choose to live life as basement freeloaders? Probably not. So, we can discard the subterranean sect as the source of our problem.
But consider organized crime as an alternative source. Imagine businesses as a flock of sheep and organized crime hackers as the proverbial wolves. Obviously, the security community is doing an excellent job of giving the sheep armored overcoats. But fundamentally, this doesn’t change the paradigm. The wolves have to be more creative. But because sheep are inherently non-confrontational, wolves are safe in continuing their lupine ways.
Looking at hacking as if it were a business model, the problem becomes increasingly clear. For a modest investment in ransomware or penetration automation, it is possible to secure impressive returns with very little risk. What organized crime boss or petty despot could resist? By adopting a purely defensive approach to security, we have issued an engraved invitation to attackers.
To change the “hacking market” dynamics, the security community needs to inject risk into hackers’ business model and to reduce their return on ...
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Stephen Wood. Read the original post at: https://www.tripwire.com/state-of-security/featured/what-keeps-you-up-at-night/