La Linea

Copyright © La Linea.

Abstract

Proactive security spends resources on reducing the attack surface rather than on defense in depth: the goal is to prevent incidents, not to mitigate the harm once they have happened.

Details

This is the next article in my series on computer security, and it is about proactive security. A company with revenue should eventually spend a negligible amount on security if it thinks ahead, acts before incidents happen, and builds future-proof solutions.

Reactive security

My previous blog post about information system security was about reactive security. A telling example is the SolarWinds supply-chain compromise of US government systems, attributed to the Russian group Cozy Bear (APT29) and discovered in December 2020. Reactive security always means collecting a debt that is paid when the breach happens. The risk may bring higher yields for a while, but it eventually costs more than proactive security would have. Phone surveillance with spyware like Pegasus may expose crimes, but it may also cause long-term psychological harm when a bad joke or a premature conclusion is taken at face value. This is the reason why people date and sign contracts.

Competition

How much is spent on proactive security, then? The answer is zero. Security has no extra value to your customer unless it prevents breaches. Competitors without vulnerabilities get away with less spending while chipping away at your customers. Companies with higher risk spend their profits on incidents, but the learning process eventually drives their costs down. Companies that have had breaches promote their security spending in advertisements as a differentiator that justifies the extra cost. The more competitive an industry is, the more the attackers spend relative to the defenders.

Free markets

Who will provide proactive security? If you want to protect against attacks in general, you need to pay external consultants. They have the expertise, and they are ahead on the learning curve. The problem is that you share those consultants with your competition. Different customers get different contracts, since the consultants can sell extra services at higher margins. Spending spirals can create a syndicate or an oligopoly with a hierarchy. Higher revenues for security give hackers an incentive to mount more attacks or inject more vulnerabilities, which in turn reduces the income of the security firms. The result is a loss of productivity. Security should never be outsourced to a monopoly. Companies in perfect competition may become victims of such a vendor, creating a de facto oligopoly that fixes market shares.

Full-time employees

The author's suggestion is to keep security in house. General guidelines are enough: employees secure their own work. This reduces fixed costs for medium-sized businesses. It builds trust and transparency, which reduces the attack surface. Once this happens, staff can prevent issues, generating higher revenues and lower costs. They benefit through bonuses and better stock incentives, driving both the cost of security issues and security spending toward zero.

Finances

How should proactive security be financed? It depends on the type of attacker. If the attacker is a competitor, companies can only rely on law enforcement paid from a proportional excise tax or sales tax; an excise tax ensures that the public spends only the industry's fair share on regulation. If the attackers are third parties targeting every sector with equal probability, enforcement is public and paid from economic or accounting profits, such as an income tax. Law enforcement can target hackers directly, influencing how fast cybercrime regenerates. Companies are still required to reduce their attack surface to prevent crime.

Red teams

Do you need internal hackers? The author believes that you do not. Using internal red teams or testers reduces trust, which increases costs. You will see such teams at monopolies and in monopolistic competition, where profits can raise the barrier to entry. The work is valuable as additional R&D, but it reduces productivity, and it may become self-perpetuating. Even Microsoft merged its test teams into its development teams.

Risk

The SolarWinds hack demonstrated that reactive security relies on risk acceptance, so it incurs costs. Relying on external consultants can produce groupthink: each stakeholder does their best, yet the system as a whole still leaves flaws open. It is therefore better to cover the entire attack surface than to rely on defense in depth alone. Every project needs to weigh the lifetime value it creates against the ongoing security audit costs it incurs.

Corruption

Opacity is a severe issue. Backdoors and lack of transparency invite corruption. It is worse than gang violence because it involves large amounts of value and can hinder entire industries such as banking, real estate, or construction. Backdoors are both a currency and a long-term asset for criminals.

Offensive

Another interesting aspect is the type of defense. Offensive cyber defense is sometimes proposed as an option. The issue with offensive tools is that they are reactive. They provide deterrence, they require investment, and they challenge the opponent. Challenging an opponent may provoke costly preemptive attacks that would not have happened otherwise. Stockpiled tools become outdated, proving an unnecessary investment; offensive tools are usually cheap and quick to build, so they are created on demand rather than stockpiled. The risks incur additional costs, and such tools cannot be used in long-term relationships.

Defensive

Proactive security relies on affordable defensive measures that are tested every day. Being transparent is the most efficient cyber defense measure. It builds trust with customers in the long run. It shows attackers that you can recover, which removes their leverage. It shares information within the professional community, making the entire industry safer, which in turn helps to keep outsourcing a viable option. Open source it is.

Public

How can the public help? Cybercrime is a negative-sum game. Governments can reduce the rate and severity of damage using the vast amount of information they collect. All of this is paid from taxes. The type of tax should keep the burden proportional: an excise tax proportional to internet traffic to reduce cybercrime in general, and income tax to reduce cybercrime with monetary impact.

Taxes

Only paid taxes are good taxes. How can you help as a taxpayer? Pay what you owe and spend time checking how it is used. Spend less time looking for credits. Complicated tax credits and rebates are expensive to exploit, increase bureaucracy, and make taxpayers spend resources on them. Even a higher flat tax rate will lower taxes overall if taxpayers spend the time they save checking how their money is used instead of hunting for individual tax breaks. The more taxpayers check the spending, the more likely expenditures are to be reduced.

Population

The Internet has made the world a graph in which everybody can reach everybody else at negligible cost. Of a population of 8 billion people, 4 billion are below the median income. A typical 4% of these are unemployed and another 4% are underemployed. That is 320 million people, roughly one for each US citizen, who are available for pennies and who can tamper with your systems, email, and banking if they are allowed to. You cannot simply assume that there is no incentive, or that there are only a few attackers. Anybody can use an off-the-shelf component like the Pegasus spyware exposed by the Pegasus Project reporting in July 2021. You may have your own personal “concierge”, or several, wherever the attacker sees an opportunity. Solution: do not ignore or downplay the threat.

Economy

Ransomware is on the rise. A notable example is the Colonial Pipeline attack in May 2021, which cut fuel supply to large parts of the US East Coast for several days. How much do you need to spend on security? US law is strict on paying ransoms, especially where personal threats are involved. The author argues that companies will eventually have negligible costs if every dollar spent on security reduces the costs in the next period.

Tech

How do you reduce the attack surface over time to reduce costs? Every incident requires analysis and recovery, which a carefully selected insurance policy can cover; many companies offer such policies. There are a few proven practices that help. Tech needs to be friendly and straightforward: if new staff can ramp up in a week, you have better negotiating power. External consultants may assist in the analysis, but building knowledge in house saves costs in the long run. Insist on transparency, and be wary of trusting the brand alone. There is so much going on in the tech space, and as the Pegasus scandal showed, governments have incentives to hide the most precious vulnerabilities. Solution: a rule of thumb that the best companies follow is to assign one staff member to every 5,000-10,000 critical lines of code. That is as much as a new hire can pick up in a week or two after the previous knowledge owner leaves.

Culture

A tech culture grew up around hacking. Unfortunately, it still has a cool wild-west aura. The truth is that a security industry can only sustain itself if concentration occurs. If you pay consultants, the most prominent brand may not be the right choice. Hackers may “help” a company from the outside, without its consent or knowledge, by targeting specific customers: tampering with domain entries, redirecting search or marketing traffic, modifying executive reports, injecting annoyware to increase costs, and so on. Government ties of security companies open the way to corruption, as secrecy is a serious business. Solution: security buyers have the power when they have negotiating power, for example a choice among 50 consultants. Short-term contracts help consultants stay creative and find new vulnerabilities.

The bug game

The game is this. A company that writes software has a few engineers. More bugs are added as more features come in, and any developers in excess fix existing issues. It is like a queue: there is always a chance that some bugs exist, and the bug-reviewing capacity determines the length of the queue. Early code reviews are the most efficient. Late analysis of a large codebase may have quadratic complexity, which limits the feature set. Program management can decline features by assessing their long-term risks and costs. Open source is less likely to have backdoors, as more people see it. Large data pipelines overseen by a few people may lack the resources to notice tampering. Watch out for privileged employees. Nobody should leave or maintain backdoors. Too many dependencies on vendor codebases are a risk, especially in always-on, always-connected continuous integration. Finances are always an incentive, and vulnerabilities are a currency that fuels criminals and the industry alike. Please keep it simple.
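The queue described above, simulated. This is an added example and not code from the original post: each sprint's features introduce a random number of latent bugs (arrivals) and the review capacity fixes a bounded number of them (service), so the backlog stays bounded only while the fix rate exceeds the bug arrival rate. The rates used (features per sprint, bugs per feature, fixes per sprint) and the linear-versus-quadratic review cost model are assumptions chosen to show the dynamics, not measured data.

```python
"""Bug backlog as a queue (added illustration, not the post's own code).

Assumptions: feature count per sprint, latent bugs per feature and fix
capacity per sprint are made-up parameters; review_cost() encodes an assumed
cost model for early review (linear) versus late whole-codebase audit
(quadratic, one check per pair of units).
"""
import math
import random
from statistics import mean


def poisson_draw(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of events in one interval at rate lam."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(sprints: int, features_per_sprint: int, bugs_per_feature: float,
             fixes_per_sprint: int, seed: int = 7) -> dict:
    """Discrete-time queue of open bugs, deterministic for a given seed.

    Each sprint: every new feature adds Poisson(bugs_per_feature) latent bugs,
    then the team fixes up to fixes_per_sprint of the open ones.
    """
    rng = random.Random(seed)
    backlog = 0
    introduced = fixed = 0
    history = []
    for _ in range(sprints):
        new_bugs = sum(poisson_draw(rng, bugs_per_feature)
                       for _ in range(features_per_sprint))
        introduced += new_bugs
        backlog += new_bugs
        done = min(backlog, fixes_per_sprint)   # service is capacity-limited
        fixed += done
        backlog -= done
        history.append(backlog)
    return {
        "arrival_rate": features_per_sprint * bugs_per_feature,
        "service_rate": fixes_per_sprint,
        "final_backlog": backlog,
        "max_backlog": max(history),
        "mean_backlog": mean(history),
        "introduced": introduced,
        "fixed": fixed,
    }


def review_cost(units: int, early: bool) -> int:
    """Assumed cost model for 'late analysis may be quadratic'.

    Reviewing each change as it lands costs one unit per change (linear).
    Auditing the finished codebase has to consider every pair of units for
    unintended interactions: units * (units - 1) / 2 (quadratic).
    """
    return units if early else units * (units - 1) // 2


if __name__ == "__main__":
    stable = simulate(sprints=200, features_per_sprint=5,
                      bugs_per_feature=0.4, fixes_per_sprint=3)   # 2 in, 3 out
    swamped = simulate(sprints=200, features_per_sprint=5,
                       bugs_per_feature=1.0, fixes_per_sprint=3)  # 5 in, 3 out
    for name, s in (("stable", stable), ("swamped", swamped)):
        print(f"{name}: {s['arrival_rate']} bugs/sprint in, {s['service_rate']} fixed/sprint"
              f" -> final backlog {s['final_backlog']}, max {s['max_backlog']},"
              f" mean {s['mean_backlog']:.1f}")
    for n in (100, 1_000, 10_000):
        print(f"{n:>6} units: early review {review_cost(n, True):>10},"
              f" late audit {review_cost(n, False):>10}")
```

With arrivals below capacity the backlog hovers near zero and occasionally spikes; once arrivals exceed capacity it grows roughly linearly with the number of sprints, which is the queue the text describes. The cost table shows why program management may decline features: a late audit of 10,000 units costs about 50 million pairwise checks under this model, against 10,000 for reviewing changes as they land.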

Organization

Organizational standards also play a role. Groupthink may leave some issues forgotten. It is better to train everyone and hold large meetings so that people know what is going on. Training is a vaccine that prevents problems. Full-time employees are more trustworthy, as they stay longer and have to deal with the issues themselves. Rush-in cultures may cause trouble; Type B groups often build such a culture. Type A groups are better at convincing, but this may come with higher costs and more complex systems.

The perfect web

The perfect web builds on excellent and efficient education. Software is accessible and easy to understand. It is made for people, not just researchers, and should not be reserved for a few individuals or an informal hierarchy. Luckily, open source licenses have created the framework. Patents have been around for a long time to protect the rights of the innovator. Attackers often leverage knowledge gaps. Cost-efficient security requires transparency similar to what the NYSE or NASDAQ provides. The release of details about the Pegasus software is an excellent example, and there are surely many such vendors serving rival countries and groups. In the perfect web, all civil and government participants are bound to similar constitutional standards and common law. There is no extra secrecy. Every vulnerability is dangerous regardless of whether only a few people are entitled to know about it: it is a risk, and risk is an additional cost to investors. In the transparent web, professionals can assess systems with objective standards rather than pride, respect, or fear.

Conclusion

What matters at the end of the day is that both employees and customers have peace of mind. **CIOs just want to drink their mojito at the end of the month knowing that all systems are working. They are prepared, so they do not have to worry about anything else.**