Do you feel that cybersecurity is an area that is difficult to grasp? That it is sometimes difficult to pinpoint why the challenge is so great? Perhaps regulations apply to your business and you are required to develop security measures for which justification is needed? Or maybe you need inspiration to sharpen your arguments for a higher security budget? Here we present 5 things about cybersecurity you have not thought about, that will give you an advantage when working with cybersecurity!
1. You are fighting against an intelligent opponent
The presence and ability of an opponent plays a big part in how we prepare ourselves. The fact that we need to defend against attackers means that we have to build and design differently. It is also important to think about an attacker not only as an opponent, but an active and intelligent opponent. How intelligent are they? Are they attacking in general, or are they coming for just you?
So, how do you handle the presence of an opponent/attacker? Start by asking yourself: “what motives might our opponent have?”, “why would they attack us?”, and “who might they be?”. This can tell you a lot about how persistent the attacker could be, their capabilities, as well as what kind of information or systems you might need to protect. If you suspect the attacker to be a lot better than you, some focus on detecting that attacks have happened needs to be included alongside your defences.
2. There is great uncertainty in what you buy
There can be a lot of uncertainty in what you have actually bought. “Is the content specified?”, “Do we know who built it?”, “If not, then can we fully trust what we have bought?”. The chain of suppliers can be long and therefore it can be difficult to know the exact content of the solution. Another side of this is determining if the solution you have bought is any good. Most solutions today contain millions of lines of code which makes it hard to discover issues. Especially since code and its quality does not always show on the outside – the visibility is poor.
Also, when writing code, you reuse and import solutions from others by short import and include commands. This makes it difficult to know exactly what and how much you bring into the code.
3. Combining secure things is not necessarily secure
One aspect is when security is built as a long chain – if your solution is dependent on that all parts in a long line functions, the resulting security becomes less than that of each part. If one part breaks, the whole chain loses its functionality. If you have security solutions functioning like this, it is vital to have mechanisms that detect when something is not working.
The other aspect is that security tends to work in mysterious ways. You do not need a long chain for things to go awry. It may suffice to just combine two things that by themselves are secure. It is easy to understand that combining two insecure things becomes insecure. But unfortunately, there is no guarantee that a combination of two secure things becomes a secure solution. This is not due to “chain effects” as explained above, but rather that security can behave more like chemistry. Things that are safe (secure) when handled separately can become weakened or even deadly when combined.
4. Mental image ≠ reality for security functions
In our minds, a padlock is always secure and fulfills its task of “keeping things locked unless you got the correct key”. However, our minds deceive us. In the real world, there is a world of details and differences in both situations and padlocks. Secure things also tend to obscure the true situation of its immediate surrounding. “A door secured by a secure padlock” gives the image of a secure door. But maybe the hinges of the door are on the outside and can be removed, rendering the padlock useless. The exact same reasoning turns up in cyber and product security. “Let’s secure this situation with a firewall”.
So, what can you do? Identify where your most important and sensitive data is and think about how your design actually protects it, and what would happen if it does not. Is it possible to perform regular controls of that everything is still functioning?
5. Security is not measurable – assurance is!
How do you measure security? The fact is that there is no way to do it. There is no scale that can tell you exactly how secure something is. Why is this? One reason is that we express demands on security in “negative terms”. We tend to say, “no one should be able to do <enter bad thing here> with our systems”. This type of requirement is very difficult to meet since it is very hard to prove that something is not possible. A more useful approach to use when talking about evaluating security is assurance.
Assurance in security means the degree of confidence that a product or system correctly performs its required security functions and that they cannot be circumvented
But how do you build confidence in something? You can start by asking questions. Start with the statement “This product is secure” and ask “Why?”. Then break down the answer into its parts and question each part. Challenge statements such as “The product has a secure design” with “Why is it secure?” and so on. Continue until the total weight of the answers makes you feel assured.
Do you need help with your cybersecurity work? Do not hesitate to contact us!
