How do you know what security measures to put in place for your organisation and the systems that you run? As we’ve seen previously, there are no absolutes in security, so there’s no way that you’re ever going to make everything perfectly safe. But how much effort should you put in?
There are a number of parameters to take into account. One thing to remember is that there are always trade-offs with security. My favourite one is a three-way: security, cost and usability. The saying goes that you can have any two of the three, but not all three: choose security, cost or usability. If you want security and usability, it’s going to cost you. If you want a cheaper solution with usability, security will be reduced. And if you want security cheaply, it’s not going to be easily usable. Of course, cost stands in for time spent as well: you might be able to make things more secure and usable by spending more time on the solution, but that time is costly.
But how do you know what’s an appropriate level of security? Well, you need to think about what you’re protecting, the impact of it being:
- exposed (confidentiality);
- changed (integrity);
- inaccessible (availability).
These are three classic types of control, often recorded as C.I.A. Who would be impacted? What mitigations might you put in place? What vulnerabilities might exist in the system, and how might they be exploited?
One of the big questions to ask alongside all of these is “who exactly might be wanting to attack my systems?” There’s a classic adage within security that “no system is secure against a sufficiently motivated and resourced attacker”. Luckily for us, there are actually very few attackers who fall into this category. Some examples of attackers might be:
- … and more.
Most of these will either not be that motivated, or not particularly well-resourced. There are two types of attackers for whom that is not the case: academics and State Actors. The good thing about academics is that they have to adhere to an ethical code, and shouldn’t be trying anything against your systems without your permission. The bad thing about State Actors is that they rarely adhere to an ethical code.
State Actors have the resources of a nation state behind them, and are therefore well-resourced. They are also generally considered to be well-motivated – if only because they have many people available to perform attacks, and those people are well-protected from legal process.
One thing that State Actors may not be, however, is government departments or parts of the military. While some nations may choose to attack their competitors or enemies (or even, sometimes, partners) with “official” parts of the state apparatus, others may choose a “softer” approach, directing attacks in a more hands-off manner. This help may take a variety of forms, from encouragement and logistical support to tools, money or even staff. The intent, here, is to combine direction with plausible deniability: “it wasn’t us, it was this group of people/these individuals/this criminal gang working against you. We’ll certainly stop them from performing any further attacks.”
Why should this matter to you, a private organisation or public company? Why should a nation state have any interest in you if you’re not part of the military or government?
The answer is that there are many reasons why a State Actor may consider attacking you. These may include:
- providing a launch point for further attacks
- to compromise electoral processes
- to gain Intellectual Property information
- to gain competitive information for local companies
- to gain competitive information for government-level trade talks
- to compromise national infrastructure, e.g.
- to compromise national supply chains
- to gain customer information
- as revenge for perceived slights against the nation by your company – or just by your government
- and, I’m sure, many others.
All of these examples may be reasons to consider State Actors when you’re performing your attacker analysis, but I don’t want to alarm you. Most organisations won’t be a target, and for those that are, there are few measures that are likely to protect you from a true State Actor beyond measures that you should be taking anyway: frequent patching, following industry practice on encryption, etc. Equally important is monitoring for possible compromise, which, again, you should be doing anyway. The good news is that if you might be on the list of possible State Actor targets, most countries provide good advice and support, before and after the act, for organisations which are based or operate within their jurisdiction.
1 – I’d like to think that they tried to find a set of initials for G.C.H.Q. or M.I.5., but I suspect that they didn’t.
2 – who’s “they” in this context? Don’t ask. Just don’t.
3 – always more common than we might think: malicious, bored, incompetent, bankrupt – the reasons for insider-related security issues are many and varied.
4 – one of those portmanteau words that I want to dislike, but find rather useful.
5 – yuh-huh, right.