When an organization focuses on a solid security program and applies defense in depth, it is said to be 'Raising the Bar'. The basic premise is to increase the difficulty factor, making those with malicious intent look elsewhere. It doesn't greatly decrease the number of attacks or attackers, but it does make them someone else's problem, in theory.
I've never been very comfortable with the metaphor of 'Raising The Bar'. Come to think of it, I don't like many of the metaphors we use. They focus on taking what we have (as is) and making it more secure.
Is information security like a castle or fortress? Nope, Anton Chuvakin debunked that a long time ago. Like an immune system fighting a disease? I don't think so, we are not facing a mindless horde. How about a safe for protecting our data? Oh puh-lease!
But metaphors are important. We use them to feed the imagination and transfer lessons learned from different domains. They allow us to derive inferences and develop entirely new models for information security problems.
'Raising the Bar' may deter the casual attacker, but it doesn't stop those with focused intent and skill. After all, real robbers don't go door to door finding an unlocked house, they profile a target and see an opportunity. They deal with the raised bar by going:
Over: The high jumpers of the Internet's dark alleys look at the bar of a properly protected organization as a challenge. This class of attacker looks for new undiscovered vulnerabilities or misconfigurations where they can root their way in.
Under: The limbo types exploit weaknesses in the security infrastructure to fly 'under the radar'. This includes low-and-slow attacks, and techniques to evade protection.
or Around: Surprise! Criminals don't play by the rules of the game. The around crew cheats by exploiting layer eight (the human factor), or the aspects of physical security we can't control.
Perhaps these weaknesses exist because of strategies brought on by the metaphor of 'Raising the Bar'. We are focused on protecting our assets, no matter how spread out they may be, by adding more sophisticated layers of defense.
If we shift metaphors, maybe we can shift strategies.
I really like the idea of tokenization for credit card data like RSA's SafeProxy. Substitute the actual credit card number floating around various systems with a token, which can even be the same length and preserve the last four characters (so users can identify each card stored). A tokenization system then stores the mapping which is only used when transactions occur. Especially in legacy systems, this could significantly reduce the number of attack vectors. Insider threats in management, service, IT, and ops would only see the tokenized number, injection attacks may only compromise useless tokens, and lost laptops wouldn't lead to multi-thousand record breaches. I know it's not perfect, but it's definitely a step in the right direction.
I think the metaphor here is a safe deposit box for each PAN. Yes, someone may steal the key, but without having a second factor for authentication they can't stroll into the bank and access the valuables. They may get the token, but unless they have compromised the token server, it's of no use.
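To make the safe-deposit-box idea concrete, here is an added example (my own constructed code, not RSA's SafeProxy or anything from the original post) of a tokenization vault: tokens keep the PAN's length and last four digits, the rest is random rather than derived from the PAN, and the mapping can only be reversed by a caller the vault has been told to trust (the caller names are assumptions for the illustration).

```python
import secrets
import string


class TokenVault:
    """Constructed tokenization service: the only component holding the
    PAN-to-token mapping. Every other system stores and displays tokens."""

    def __init__(self, trusted_callers: set[str]) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}
        # The "second factor": only these callers may reverse a token.
        self._trusted_callers = set(trusted_callers)

    def tokenize(self, pan: str) -> str:
        """Return a digit string of the same length as the PAN that keeps
        the last four digits. The leading digits are random, so nothing
        about the PAN can be computed from the token alone."""
        if not pan.isdigit() or len(pan) < 12:
            raise ValueError("PAN must be 12 or more digits")
        if pan in self._pan_to_token:          # same card, same token
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice(string.digits)
                           for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject a token that equals the PAN or one already issued.
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Reverse a token for the payment path only. A stolen token is
        useless without also being a trusted caller of this server."""
        if caller not in self._trusted_callers:
            raise PermissionError(f"{caller!r} may not detokenize")
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]


def store_order(vault: TokenVault, pan: str, amount: float) -> dict:
    """What a CRM or order system keeps: the token, never the PAN."""
    return {"card": vault.tokenize(pan), "amount": amount}
```

A leaked export of records written by `store_order` contains only tokens, and an insider reading those records has nothing to take to the issuer without also compromising the vault and its trusted-caller check.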
I illustrate this simply as an example of lateral thinking applied to the problem of protecting data. Tokenization doesn't negate the need for defense in depth, but alternative strategies like this help to make it more effective. We need to keep an open mind and look for ways to do more than protect the status quo.
We have to look for ways to change the game rather than just raise the bar.