A hacker warns: stop keeping me out – and focus on your data


The author is a hacker and the head of IBM X-Force

Companies around the world have been hiring hackers for more than 20 years. They want us to find exploitable loopholes in their “armor” and break in as much as possible before they find out we’re there. “Are we impenetrable?” is the universal question. You may also be wondering about your organization. And I can answer with confidence that you most certainly are not. There is always a way in. Always.

The best security advice for government and business leaders is to stop trying to keep me out. Assume I am already inside and making my way to your most valuable assets. The real question is: what can you do to stop me?

The Biden Administration’s latest cybersecurity executive order directs federal agencies to establish a “zero trust” relationship with their supply chains in order to protect data. Zero trust is not a buzzword, a single action, or a marketing device for the industry. It is a set of principles on which a security strategy can be built, and it rests largely on accepting tradeoffs. Last year, the US was the number one target for cyberattacks, while Europe also saw an onslaught of ransomware. We need a radically new defense.

There is a misconception that the security arena is a battlefield. It is not. It is a chessboard, and it requires foresight and calculated pawn placement to protect the king – your data. If your main focus is keeping me out of your perimeter, it is already checkmate. Your mission should be to buy time, slow me down, and ultimately contain my attack.

Organizations must therefore make it as difficult as possible for adversaries to exploit the relationships that allow them to move laterally through the corporate network. They can do this by trusting no one near their data and by re-verifying, over and over again, that every user is who they claim to be and behaves like that person. The last part is crucial: identities are easy to compromise and impersonate, behaviors are not.

The real red flag is the unchecked privileged access that governments and corporations grant their supply chain partners through passwords. Think of it as a badge that third parties can use to enter a company’s building, except that the building is the company’s systems. Last year, password attacks gave us initial access to nearly 99 percent of the cloud networks my team was hired to hack.

Why not simply harden these systems further and develop better detection strategies? Because reliance on stronger authentication and better prevention tools is what brought us to where we are today. Adversaries have found their ammunition in the maze of complexity that companies have built around themselves. That is what allowed Russian threat actors to go undetected on government networks for almost nine months during the SolarWinds breach in 2020.

The mindset I advocate is strategic, not defeatist. Organizations need to accept that there is no such thing as a permanent state of security, but they can be prepared. This looks different for every company, but it starts with knowing exactly what your most important data is and where it lives. Who has access to it, who could gain access to it, and who really needs access to it – how much and for how long. It is about cutting off the unnecessary paths an adversary could take advantage of.
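The questions in the paragraph above (who has access, who could reach the data, who actually needs it, which paths to cut) can be answered mechanically once access relationships are written down as a graph. The script below is an added example, not code from the article or from IBM X-Force: the principals, groups, hosts and the `db-payroll` asset are all constructed sample data, and the greedy cut-planning rule is this example's own choice. It treats every group membership, role assumption or stored credential as a trust edge, walks the graph from each principal, splits reachers into "needed" and "excess", and then proposes the hop closest to the asset that can be removed without breaking any needed path (which is how it finds the shared credential on the jump host rather than just the vendor's role).

```python
from collections import deque
from copy import deepcopy

# Constructed sample environment (not from the article). An edge A -> B means
# "anyone holding A can obtain B": group membership, role assumption, or a
# credential stored on a host.
EDGES = {
    "alice": ["finance-admins"],
    "bob": ["finance-admins", "helpdesk"],
    "carol": ["helpdesk"],
    "vendor-svc": ["vendor-role"],
    "finance-admins": ["db-payroll"],
    "vendor-role": ["jump-host"],
    "jump-host": ["db-payroll"],   # shared DB credential left on the jump host
    "helpdesk": ["ticketing"],
}
PRINCIPALS = ["alice", "bob", "carol", "vendor-svc"]

# The data owner's answer to "who really needs it": principal -> justification.
NEEDS = {"db-payroll": {"alice": "runs monthly payroll"}}


def paths_from(graph, start):
    """Breadth-first walk returning {node: shortest path from start}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def review(graph, principals, asset, needs):
    """Split everyone who can reach `asset` into needed vs. excess access.

    Returns (needed, excess), each a dict principal -> path. Principals that
    cannot reach the asset at all are not listed.
    """
    needed, excess = {}, {}
    for p in principals:
        path = paths_from(graph, p).get(asset)
        if path is None:
            continue
        (needed if p in needs.get(asset, {}) else excess)[p] = path
    return needed, excess


def without_edge(graph, src, dst):
    """Return a copy of the graph with one trust edge removed."""
    g = deepcopy(graph)
    g[src] = [n for n in g.get(src, []) if n != dst]
    return g


def plan_cuts(graph, principals, asset, needs):
    """Greedy plan: for each excess path, cut the hop closest to the asset
    whose removal keeps every needed principal's access intact.
    Returns (list of (src, dst) edges cut, resulting graph)."""
    g = deepcopy(graph)
    cuts = []
    while True:
        needed_before, excess = review(g, principals, asset, needs)
        if not excess:
            return cuts, g
        _, path = next(iter(excess.items()))
        for i in range(len(path) - 2, -1, -1):       # asset side first
            candidate = without_edge(g, path[i], path[i + 1])
            needed_after, _ = review(candidate, principals, asset, needs)
            if needed_after.keys() == needed_before.keys():
                g = candidate
                cuts.append((path[i], path[i + 1]))
                break
        else:
            return cuts, g   # no safe cut found for this path; stop and report


if __name__ == "__main__":
    needed, excess = review(EDGES, PRINCIPALS, "db-payroll", NEEDS)
    print("needed:", needed)
    print("excess:", excess)
    cuts, _ = plan_cuts(EDGES, PRINCIPALS, "db-payroll", NEEDS)
    print("cut these edges:", cuts)
```

Running it reports `bob` and `vendor-svc` as excess reachers of `db-payroll`, and proposes removing `bob` from `finance-admins` and deleting the stored credential on `jump-host` (rather than revoking the vendor's role, which the vendor may legitimately need for other work). In a real environment the edges would come from your IdP group memberships, cloud IAM role trust policies and credential inventories, and the `NEEDS` table from the data owner's access review.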

Government agencies such as the National Security Agency and the Department of Homeland Security in the US, or the National Cyber Security Centre in the UK, are already realizing that the game has changed. Industry and government executives who commit to a culture shift in which trust becomes as much a currency as data will gain a strategic advantage – by restricting the steps an adversary can take, forcing them to make more noise, and ultimately giving them less room to carry out their attack.
