To most people, the fact that an email can be typed up, sent, and received by someone else in another part of the world is magical. It might as well have been teleported. But to those of us who live in the data, who live in the 1’s and the 0’s, it is much more than that.
I would argue that the Internet was first designed to be open and that security was more of an afterthought. That isn’t meant to be a slam against Robert Kahn or Vinton Cerf (the original fathers of TCP/IP). Their purpose was to get packets from one research facility to another, as quickly and reliably as possible. The focus was on speed and simplicity. And, as IBM figured out circa 1989, this protocol was about to revolutionize the world.
As with any community, we find that utopia is never achievable. Bad Guys will always make their way into the community. They will exploit weaknesses, take advantage of the well-intentioned, and wreak havoc. “Viruses” have been around since the advent of computing. And really, the ideals behind the creation of viruses are no different than those behind the creation of TCP/IP itself. Many of them are innovative, imaginative, and oftentimes revolutionary.
Big changes in the game started to take center stage in the late 90’s. Worms and Trojan Horses became household names as they seemingly were able to rampage through massive portions of the Internet in a matter of hours. Viruses like the ILOVEYOU virus, the Code Red worm, Nimda, Slammer, MyDoom, Netsky, and StormWorm stormed through millions of computer networks in short order. The common denominator is havoc, resulting in millions or billions in lost revenue, loss of precious data, intellectual capital, and more. Viruses ruin, exploit, and exfiltrate.
For a long time we built massive walls around our networks in the belief that if we protected our employees and trusted assets from the wilds of the Internet, we would be safe. These massive perimeter firewalls were designed with an Untrusted side and a Trusted side. Unknown traffic destined for our trusted networks from the Internet was automatically dropped, while we naively permitted a good amount of the traffic flowing from our trusted networks out to the Internet.
As usual, history is our best teacher. And with these massive perimeter architectures, we failed to remember the lessons from the fall of Troy. Though the Achaeans relentlessly assaulted Troy and its perimeter walls, they kept failing. Eventually, Odysseus (one of Troy’s enemies) built a hollow horse deceptively branded as a “thank-offering to Athena for their return home” and tricked the Trojans into thinking that the Achaeans had given up and gone home. But the hollow horse (“Trojan Horse”) was filled with soldiers who quietly hid inside it. Amazingly, it was the Trojans themselves who pulled the horse through the front gate and back behind their massive walls. And as the story goes, Odysseus and his men waited until nighttime and ravaged the city from within, thus ultimately taking down Troy with relative ease.
This little history lesson is very applicable to the world of Information Security and represents an inconvenient truth to us all: the enemy is already within the gates. We’ve already been compromised somewhere, in some way. Does this make us fatalistic? Absolutely not. We can’t afford to be fatalistic.
What this piece of history teaches us is that no network zone can be trusted. No data environment can be trusted. No user can be fully trusted. Whether a compromise is intentional and directed or unintentional and accidental, the results can still be crippling to your business. As the worlds of Physical and Cyber Security begin to integrate more and more, it is critical that we become relentless in our pursuit of continuous improvement.
Information Security never grants us a finish line to cross. It demands hard work, innovation, and coordinated teamwork, as well as a seat at the table at the highest levels of the business. More than ever, data security breaches can shake businesses to their core. They can cost Fortune 100 CEOs their very jobs. They can even severely cripple nations. We see it all too often. So with all of this in mind, let us renew our resolve in this area. Everything depends on it.