Author: Mark Ciampa
Suppose you lived hundreds of years ago and were the king of small nation (work with me here). An enemy has become angry with you and threatens to attack you and invade your castle. Your workers spend many months digging a moat around your castle and fortifying the castle walls by making them higher. However, your enemy does attack your castle and is able to breach your defenses and enter your castle. So, what do you do now? Continue to try to prevent the enemy from entering your castle by digging a deeper moat? Or instead spend your resources trying to manage that invasion into your castle?
What Would You Do In This Case?
Suppose your family members and friends are meeting for the holidays at the house in the country where one of your relatives’ lives. This relative has a dog named Blue. While the festivities are going on, Blue is to remain outside the house. And everyone has been warned that Blue will try to somehow get in so all the doors are kept closed. But a child mistakenly leaves a door open and that’s all Blue needs to run into the house. So, what do you do now? Continue to keep the doors closed to try to prevent Blue from entering the house? Or instead now try to capture Blue and lead him back outside?
How About This One?
Suppose you have a major research paper due in a class. But you mistakenly record the due date in your calendar as the following week and you fail to turn the paper in (and no late assignments are accepted). So, what do you do now? Record the correct due date in your calendar and post notes to remind yourself when the research paper was due? Or instead work very hard on the remaining assignments to make sure you earn the best grade possible?
Should You Prevent or Manage The Situation?
These scenarios illustrate the fact that trying to prevent something bad from happening–an angry king attacking, a dog getting into the house, not forgetting when a paper is due–is much different than dealing with the fact that it has already happened–the king is in the castle, the dog is in the house, and a zero is recorded for the research paper. Once the bad event has occurred, the focus then shifts to managing it instead of putting the resources into preventing something that has already happened.
And there is a growing chorus of security professionals who say that our approach to security now likewise needs to change. Instead of only focusing on preventing attacks, we should instead come to the realization that the attacks have already occurred and that our data is in the hands of the attackers. Thus, we need to be thinking about managing instead of preventing.
This does not mean that prevention is useless. On the contrary, prevention continues to play an important role. Instead, it simply means that our focus should no longer be exclusively on preventing, but it must also include how to manage the fact that our data is already lost.
The numbers surrounding lost data are staggering: late in November 2018 Marriott announced that half a billion potential victims had the following stolen:
- their names
- addresses
- credit card numbers
- phone numbers
- passport numbers
- travel locations
- arrival/departure dates
But that’s nothing compared to the three billion Yahoo accounts that were compromised in 2013. And the security firm Risk Based Security, Inc. estimates that over 24 billion credentials have been stolen or exposed. That’s why your data is so cheap for attackers to purchase:
- your social security number sells for about $3 today
- your medical record sells for $5
- your credit card number for $7
- your complete credit report for $100
- if you have up to $6,000 in a bank account your username and password for that account can be purchased for $270.
Your Personal Data Is Out There – Like It Or Not
Security professionals today say that we need to realize that our data is gone. A supervisory special agent of the FBI who investigates these online attacks says we should no longer worry whether our information has been stolen; instead,
Every American should assume all of their data is out there.
Another security professional says that there are now two harsh realities we must face:
- All the data you believe should be protected has already fallen into the hands of attackers
- Any data you provide to a company beginning today will also be stolen.
The primary focus now shifts from preventing our data from leaking out to instead managing that stolen data (remember, prevention is still important, but management is very important). We must now try to prevent attackers from using and abusing our stolen data.
Here’s what you can do:
- Freeze your credit files at the major credit bureaus and order free copies of your credit report every quarter to be sure that an attacker is not using and abusing your stolen data.
- Create your own account at the Internal Revenue Service (IRS), Social Security Administration (SSA), U.S. Postal Service (USPS), and other legitimate online providers before an attacker creates an account in your name using your stolen data. (But wait, you may say, isn’t this just giving more opportunity for attackers to steal that data? Remember, your data is already stolen, it’s now time to manage it).
This is a sobering reflection on the current state of security. But it’s a necessary change in focus from trying to protect something that’s already been lost.
Prevent or Manage?
It’s now time to do both.
Professor Ciampa is the author of several texts on Security Awareness and Network Security. These texts are also available within MindTap. Log in to MindTap here. MindTap is available to your students as part of Cengage Unlimited.
IT, Networking and Cyber Security Instructors—take a deep dive into the Live Virtual Machine Labs in MindTap by watching the recording of our recent webinar: Just in Time Training for Live Virtual Machine Labs.
