There is no doubt that the last couple of months have been historic in the world of cyber security. In October, it was US banks and financial institutions that faced a barrage of cyber attacks during “Operation Ababil.” In November, Israeli websites came under fire during the Anonymous led “OpIsrael” attacks. However, there is a stark contrast in the effectiveness of these two attack operations. While the banking attacks were by-and-large successful, the attacks on Israeli websites fell short.
Of course the question for security experts is – how do we explain this disparity? Is it because the financial sector didn’t have enough resources or serious professionals dedicated to program management? Is it because the Israeli government possessed a cyber defense strategy that was executed flawlessly? In truth, neither scenario seems likely and the real answer may make some a bit uncomfortable.
The reality is that attack mitigation is not a core competency of modern day security programs. The problem is that it’s those of us who expect they will experience a cyber attack that end up in better shape than those who don’t. Yes, when it comes to cyber security, paranoia is a virtue!
Take the following example: have you as a security professional ever tested your environment for a cyber attack? Do you know how to mitigate them? (No, these aren’t modern day “Pen Tests” which don’t test ‘service disrupting techniques’) I would argue that during OpAbabil the US banks were more concerned with compliance and data leakage (both very important attributes of a security program) than with the notion of defending against a cyber attack. But they should have been.
Now, let’s shift gears from whether or not a security program should be prepared for an attack to the question of vulnerabilities. Suppose we ask, “how do you mitigate vulnerabilities?” Well, that question is easier to answer and probably makes people more comfortable. But today’s risks are not about individual threats or single vulnerabilities. They are a cacophony of trialed threat and exploit vectors — something we term as an “attack.” Given the fact that cyber security world has changed over the past two years to an attack based model that has its own new attributes the important question to ask is – have you changed to adapt your control infrastructure to these new techniques?
In light of these changes, here’s the call to action: it’s high time we, as security professionals, begin the process of not only dealing with individual vulnerabilities but also diving deep into popular attack types, schemes, and tools (e.g. platforms) in order to prepare ourselves with better and more competent responses. These attacks are unique and represent a new under-studied are for information security programs. The graphic below helps explain this concept on a deeper level. To be sure, attacks do have a relationship with vulnerabilities, but it is clear we are now dealing with a different animal altogether!