CYBERSECURITY AND THE FOUR EXCEEDINGLY WISE ANIMALS
Defending Personnel and Organizations under Attack
BY BECKER POLVERINI | 2017
Technology developed by and for the powers of this world has placed our organizations at grave risk. Many of us are familiar with names like Snowden[1], Wikileaks[2], and Target.[3] Responsible parties worldwide acknowledge that a laptop and animus represent sufficient conditions for cyberattack. Cybersecurity, the science of understanding risks from technology, represents a new discipline 21st-century organizations must master to flourish while under assault.
“Four things on earth are small, but they are exceedingly wise: the ants are a people not strong, yet they provide their food in the summer; the rock badgers are a people not mighty, yet they make their homes in the cliffs; the locusts have no king, yet all of them march in rank; the lizard you can take in your hands, yet it is in kings’ palaces.” (Prov. 30:24-28, ESV)
The Parable of the Four Exceedingly Wise Animals, attributed to King Agur in the Book of Proverbs, tells a story of four weak animals and the secrets to their survival. The ant prepares to survive the summer. The rock badger utilizes strong defenses to make up for a lack of retaliatory strength. The locust coordinates without a central point of failure. The lizard appears to pose no threat. The four principles represented by these animals–preparedness, defense-in-depth, decentralization, and transparency–represent the hallmarks of a wise cybersecurity policy.
The Ant: Preparation
Cybersecurity is often thought of in a binary fashion—something is “secure” or “non-secure”—there is no middle ground. Unfortunately, this thinking leads to a conundrum for practitioners, who quickly discover that no man-made system can ever be completely secure. A more useful approach for understanding an organization’s cybersecurity posture is a spectrum between “non-secure” and “prepared.” Pushing toward preparedness requires an understanding of two fundamental concepts in cybersecurity: the CIA triad[4] and the threat model[5]. The CIA triad represents the three necessary conditions for the security of sensitive data: “C,” for confidentiality, ensures data remains unintelligible to unwanted persons, usually through encryption; “I,” for integrity, ensures data has not been modified or destroyed; “A,” for availability, ensures data is accessible when needed. All it takes is for one leg of this stool to collapse for a breach to occur. Depending on workflow, legal requirements, and financial incentive, these three properties should not all receive the same level of scrutiny. For example, a law firm should focus on confidentiality for attorney-client communiques[6], while a healthcare company should focus on availability when evaluating the security of its pacemakers.[7]
When preparing, craft a threat model to explore which CIA property, if lost, would cause the greatest impact. A threat model answers the following question: How a who attacks a what, when, for a why. We never encounter organizations that are over-prepared for cyberattack, but we often encounter organizations that are prepared for the wrong cyberattack. Preparedness, if attempted with a poor threat model, results in overspending and an inscrutable mix of false positives. A threat model minimizes efforts on cybersecurity tactics that offer only diminishing returns and guides strategic planning by addressing realistic threats that affect the bottom line. Cyberattack-resilient organizations must create a threat model and use it to spend 80% of preparation time on the most mission-critical CIA pillar.
The Rock Badger: Defense-in-depth
Cybersecurity companies are fond of saying, “An attack is not a matter of if, but when.” This truth, while frightening initially, should be a source of relief: Rather than fear a breach, organizations should prepare an effective response. Brittleness[8]—the property that a failure in one area can lead to a system-wide failure—is the primary reason why most companies believe the asymmetric power of technology favors the attacker.
The process of applying overlapping yet independent defensive layers, or defense-in-depth[9], mitigates brittleness by functioning like a fortified castle. In a castle, moats, drawbridges, burning oil, and hardened gates all work together to slow down an attacker. Below are some equivalent defense-in-depth measures that can apply to the realm of cybersecurity. Protect your laptops from theft, not only by turning on remote wipe but also by encrypting the hard drive with a strong password. Protect data that requires a user to log in, not only with a strong password but also through a user-entered code from a different physical device (e.g., a smartphone, smartcard, or YubiKey[10]).
Defense-in-depth can flip the advantage back to the defender, as the adversary must now go up against an onslaught of non-interconnected systems, each preventing intrusion in a unique fashion. The physical defensive technique of choke points–places where the enemy’s superior numbers are mitigated by restricted space–is one useful metaphor that translates well for cyberspace. Make sure your most sensitive assets require the highest degree of scrutiny from intrusion countermeasures. Like the rock badger, make the enemy fight on your terrain and make the attack surface too small to hit.
The Locust: Decentralization
Even with preparation and defense-in-depth, chaos will strike. When the attacker has broken through all defenses and has compromised a system, the last card to play is decentralization. Having compartments in place to isolate the damage to a subset of the total attack surface makes it possible to answer measurably the forensic question “What have I lost?” No one wants to tell his or her board, “Everything could have been taken.” To get to compartmentalization, organizations must embrace decentralization. There are two useful tools for decentralization available to the defender: role-based access control[11] and data classification methodology. Role-based access control mandates that sensitive data should be accessible and modifiable only by those who require access. For example, the only personnel with access to the chart of accounts should be members of the finance team. Things like “admin” accounts with full access, the types that Edward Snowden had access to at the NSA,[12] should be eliminated via corporate policy wherever possible. This level of access makes employees vulnerable both to external attacks and to internal temptations.
Furthermore, decentralization does not have to result in communication complexity. Often when organizations embrace decentralization, efficiency improves, because not all data is created equal. This process of labeling some data assets as “more equal than others” is data classification. If your organization is new to the concept, begin with a “traffic light” classification system.[13] Green means public; yellow means internal only; red means role-based, need-to-know access only. The US Federal Government keeps separate infrastructure for computers with access to Top Secret information. This is done so that friction-creating security technologies only apply to the data that needs it, which results in speedups when compared to a totalizing approach. By mapping the threat model onto data, leaders develop metrics that make it clear to personnel what cannot be lost and what requires a sanity check before hitting “reply all.”
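The two tools from the preceding paragraphs, role-based access control and traffic-light data classification, can be expressed as one small authorization policy. This is an added example, not code from the article or its author: roles are granted named (resource, action) pairs with no wildcard "admin" grant, the classification label sets the floor for who may read, and a `blast_radius` function answers the forensic question "What have I lost?" for a compromised set of roles. The resources, role names, and the choice that writes to yellow data also need an explicit grant are this example's assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Label(Enum):
    """Traffic-light data classification as described in the text."""
    GREEN = "public"
    YELLOW = "internal only"
    RED = "role-based, need-to-know only"


@dataclass(frozen=True)
class Resource:
    name: str
    label: Label


@dataclass
class Policy:
    """Role -> set of (resource name, action). Anything not granted is denied."""
    grants: dict = field(default_factory=dict)

    def grant(self, role: str, resource: str, action: str) -> None:
        # Refuse blanket grants: there is no "admin" role that can touch everything.
        if "*" in (role, resource, action):
            raise ValueError("wildcard grants are not permitted; name the role, resource and action")
        self.grants.setdefault(role, set()).add((resource, action))

    def permits(self, roles, resource: Resource, action: str) -> bool:
        return any((resource.name, action) in self.grants.get(r, set()) for r in roles)


def authorize(policy: Policy, roles, authenticated: bool, resource: Resource, action: str):
    """Decide an access request; return (allowed, reason) so the reason can be audit-logged.

    Classification sets the floor: GREEN data is readable by anyone, YELLOW data is
    readable by any authenticated employee, RED data and every write need an explicit
    role grant. (Treating writes to YELLOW data as grant-only is this example's choice.)"""
    if resource.label is Label.GREEN and action == "read":
        return True, "public data"
    if not authenticated:
        return False, "unauthenticated request for non-public data or a write"
    if resource.label is Label.YELLOW and action == "read":
        return True, "internal-only data, authenticated employee"
    if policy.permits(roles, resource, action):
        return True, f"explicit grant via role(s) {sorted(roles)}"
    return False, f"no role grants {action!r} on {resource.name!r} ({resource.label.value})"


def blast_radius(policy: Policy, roles, resources):
    """Answer 'What could this account have reached?' for a compromised set of roles:
    every RED resource the roles can read, plus anything they can modify."""
    reached = set()
    for res in resources:
        for action in ("read", "write"):
            ok, _ = authorize(policy, roles, True, res, action)
            if ok and (res.label is Label.RED or action == "write"):
                reached.add((res.name, action))
    return sorted(reached)


# Constructed sample data for the example.
CHART_OF_ACCOUNTS = Resource("chart_of_accounts", Label.RED)
STAFF_HANDBOOK = Resource("staff_handbook", Label.YELLOW)
PRESS_RELEASE = Resource("press_release", Label.GREEN)
RESOURCES = [CHART_OF_ACCOUNTS, STAFF_HANDBOOK, PRESS_RELEASE]

POLICY = Policy()
POLICY.grant("finance", "chart_of_accounts", "read")
POLICY.grant("finance", "chart_of_accounts", "write")
POLICY.grant("hr", "staff_handbook", "write")
POLICY.grant("comms", "press_release", "write")

if __name__ == "__main__":
    print(authorize(POLICY, {"engineering"}, True, CHART_OF_ACCOUNTS, "read"))
    print("compromised finance account could reach:", blast_radius(POLICY, {"finance"}, RESOURCES))
```

Because every decision is deny-by-default and the policy refuses wildcards, the answer to "What have I lost?" is bounded by the compromised roles' grants rather than by the whole estate, which is the compartmentalization the text argues for.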
The Lizard: Transparency
While the first three animals represent internally facing countermeasures, the lizard represents an external one: transparency. The lizard, neither poisonous nor dirty, roams the palace of the king, fulfilling its purposes without soliciting violence. Leverage cybersecurity technologies like secure audit logs and e-discovery systems to show the powers (if the need arises) you have nothing up your sleeve. In many contexts the existence of defensive countermeasures is a lure for attack and a generator of suspicion. Painting a bullseye on your organization by appearing dangerous or felonious has resulted in the downfall of many institutions: HBGary[14], the en masse expulsion of international NGOs from Sudan[15], MegaUpload[16], and the list goes on. The appearance alone is sufficient in the hardest places. Transparently separating aid from advocacy, by making sure the technology to do the mission is isolated from the technology that is “facing the giants,” will decrease the attack surface you will be obligated to cover. You owe this to your personnel. Those willing to be involved in the positive elements of aid may be unwilling to pay the hard costs of advocacy.
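A "secure audit log" in the sense used above is one whose entries cannot be altered, reordered, or removed after the fact without the change being detectable. The following is an added example, not code from the article or its author: each entry is tagged with an HMAC over its contents and the previous tag, forming a keyed hash chain, and `verify_log` reports the first entry that breaks the chain. Deleting the newest entries leaves a chain that still verifies, so the example also shows why the current head must be recorded somewhere outside the log (with an auditor, say) to detect truncation. The key, actors, and events are constructed sample values.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # tag of the empty log, before the first entry


def entry_tag(key: bytes, record: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the record (which includes `prev`),
    so every tag commits to the whole chain before it."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log whose entries are chained by keyed tags."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []
        self.head = GENESIS

    def append(self, actor: str, action: str, target: str, ts: str) -> str:
        record = {"actor": actor, "action": action, "target": target, "ts": ts, "prev": self.head}
        tag = entry_tag(self._key, record)
        self.entries.append({**record, "tag": tag})
        self.head = tag
        return tag


def verify_log(entries, key: bytes, expected_head: Optional[str] = None):
    """Walk the chain. Returns (True, None) if intact, else (False, i) where i is the
    position of the first entry whose tag or back-link is wrong. Truncation is only
    detectable when the last published head is supplied, and then i == len(entries)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        record = {k: v for k, v in e.items() if k != "tag"}
        if record.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(entry_tag(key, record), e["tag"]):
            return False, i
        prev = e["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)
    return True, None


def tampered_copy(entries, index: int, field_name: str, value):
    """Return a copy of the log with one field edited after the fact, to exercise verify_log."""
    copy = [dict(e) for e in entries]
    copy[index][field_name] = value
    return copy


# Constructed sample: three events recorded, then the head published out-of-band.
KEY = b"constructed-demo-key-keep-the-real-one-in-an-hsm"
LOG = AuditLog(KEY)
LOG.append("bpolverini", "read", "chart_of_accounts", "2017-01-10T09:15:00Z")
LOG.append("jdoe", "write", "staff_handbook", "2017-01-10T09:16:30Z")
LOG.append("bpolverini", "export", "donor_list", "2017-01-10T09:20:05Z")
PUBLISHED_HEAD = LOG.head  # what you would hand to an auditor

if __name__ == "__main__":
    print("intact:", verify_log(LOG.entries, KEY, PUBLISHED_HEAD))
    print("edited:", verify_log(tampered_copy(LOG.entries, 1, "actor", "nobody"), KEY))
    print("truncated, no anchor:", verify_log(LOG.entries[:2], KEY))
    print("truncated, anchored:", verify_log(LOG.entries[:2], KEY, PUBLISHED_HEAD))
```

The HMAC key is what makes the chain evidence rather than decoration: anyone can recompute a plain hash chain after editing an entry, but without the key (which belongs with the log's custodian, not on the logging host) a consistent-looking replacement cannot be produced.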
Conclusion
As believers, we are called to promote shalom–holistic well-being–for the least, last, and lost. The four exceedingly wise animals give believers a battle-tested model for protecting what matters. Through preparation, defense-in-depth, decentralization, and transparency, believers can protect their missions by showing allies they have nothing to hide, while showing adversaries nothing at all.
[1] “NSA Files decoded,” https://www.theguardian.com/us-news/the-nsa-files
[2] Wikileaks, https://wikileaks.org/
[3] “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” https://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data
[4] “Standards for Security Categorization of Federal Information and Information Systems,” http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
[5] “Guide to Data-Centric System Threat Modeling,” http://csrc.nist.gov/publications/drafts/800-154/sp800_154_draft.pdf
[6] “Client confidentiality protection in age of cyberattacks, other digital-age threats,” http://www.americanbar.org/publications/youraba/2016/december-2016/working-through-the-cyber-issues-surrounding-attorney-client-pri.html
[7] “Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication,” https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm
[8] “Brittleness Makes for Bad Security,” Bruce Schneier, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, 119-132.
[9] “Security in the Cloud,” https://www.schneier.com/blog/archives/2006/02/security_in_the.html
[10] https://www.yubico.com/start/
[11] “Role-Based Access Controls,” David Ferraiolo and Richard Kuhn, 15th National Computer Security Conference, http://csrc.nist.gov/groups/SNS/rbac/documents/ferraiolo-kuhn-92.pdf
[12] “NSA: NOBODY could stop Snowden – he was a SYSADMIN,” https://www.theregister.co.uk/2013/08/30/snowden_sysadmin_access_to_nsa_docs/
[13] “Traffic Light Protocol,” US-CERT, https://www.us-cert.gov/tlp
[14] “HBGary Federal Hacked by Anonymous,” Brian Krebs, https://krebsonsecurity.com/2011/02/hbgary-federal-hacked-by-anonymous/
[15] “Sudan: Expulsions plunge Sudan relief efforts into chaos,” http://reliefweb.int/report/sudan/sudan-expulsions-plunge-sudan-relief-efforts-chaos
[16] “Megaupload file-sharing site shut down,” http://www.bbc.com/news/technology-16642369