Author: Frank Johnson

Are there really only “two kinds of enterprises”?

Has every company really been hacked?  Is every company really going to be?

A popular meme in the information security industry is, “There are only two types of companies: those that know they’ve been compromised, and those that don’t know.”

And the second is like unto it: “There are only two kinds of companies: those that have been hacked, and those that will be.”

The first is used more often than the second, but the second is more likely closer to the truth.  Both are used to put the fear of the infosec gods into businesses and government agencies. Given the rash of breaches over the past couple of years, the memes and the headlines seem to reinforce each other.

But is it true that there are only “two kinds of enterprises (2KoE)”?  That every organization has already been hacked (whether they know it or not), or will be if they haven’t been?  Are these 2KoE memes based in reality, and do they help or harm the industry’s efforts to get organizations to take cyber security seriously?

Has Every Enterprise Really Been Hacked?

Part of the challenge in answering is defining what “hacked” (or “breached” or “compromised”) means.  Few organizations might suffer a mega-disaster like Target, Anthem, or OPM, but virtually every organization has lost a device or USB drive with sensitive data on it, or been infected by malware when an employee clicked the wrong link, or had a consultant accidentally(?) take files home for his or her next gig.  So by that measure, you might be able to say that “every enterprise has been compromised.”

One piece of quantitative data comes from a 2014 FireEye / Mandiant report, which stated that 97% of the organizations it analyzed had been breached, meaning that “at least one attacker had bypassed all layers of their defense-in-depth architecture.”

And here’s some qualitative or anecdotal evidence: former Director of National Intelligence Mike McConnell has said the Chinese have hacked into every major American company: “We’ve never, ever not found Chinese malware.”

Such observations would seem to be borne out by the new breaches that have come along every few days for the past couple of years. This grim period has cast a harsh light on the weak cyber security among some of the best-known consumer and industrial brands as well as government agencies and the military.

It’s also true that every company, no matter how small, is a potential target for an attack.  Bad actors often assume these companies pay less attention to cyber security and have fewer resources to put toward the problem.  And, they may not be looking for money or corporate intelligence.  They may just be hacking into your system to see if they can hack into a juicier target from there.

It’s all enough to lead Cisco’s CEO and CSO to say that “If the past year has shown us anything, it’s that companies should no longer ask if they are going to be hacked and instead when.”

John Klemens, Telos Corporation’s technical director of IA solutions, doesn’t believe that every organization has been breached, nor does he believe that breaches are inevitable.  However, “If your enterprise is a high-value target due to what you have, then ‘inevitable’ becomes a much more appropriate word.”  He adds that “breaches are certainly possible at every organization, because every organization has people, facilities, and equipment — all of which are breachable.”

Telos CSO Rick Tracy also doesn’t believe breaches are inevitable, rather calling them “likely or probable.”  He likens them to traffic accidents.  “If you drive, it’s probable that you’ve had some type of accident or will someday.  It’s not guaranteed, but it is possible or even probable.”

Tracy says that the likelihood and severity of a car accident is determined in part by how and where you drive — and there are some obvious analogies to cyber security and breaches:  what industry you’re in and what types of data you have help determine your chance of being targeted.  (This dynamic is reflected in cyber insurance premiums, where rates for retailers and healthcare firms have jumped in the wake of devastating breaches in those industries.)

However, Klemens adds, “There’s no perfect security, and security isn’t an endpoint — it’s a never-ending journey.  Organizations can go to great lengths to reduce the likelihood of breaches, but eliminating them altogether? That’s not possible.”

Should Infosec People Stop Using the 2KoE Memes?

So for argument’s sake, let’s agree that all companies are at least at risk and need to be prepared.  Does threatening enterprises with the “2KoE” boogeymen help or hurt the industry’s effort to get people to take information security seriously?

Do these memes convey any value to companies that want to do the right things?  Or do they just give lazy companies air cover, easing their sense of guilt and responsibility when a breach happens?

In a way, the 2KoE memes are tinged with the same kinds of “moral hazard” issues as cyber insurance and other forms of insurance.  Just as knowing that you’re covered for breaches might lead you to take more risks in your security practices, being told “you’ve already been breached” might help you “give yourself permission” to let your cyber guard down.

Developer and web security specialist Troy Hunt, in a “comment conversation” with me about one of his blog posts, suggested that these memes are “a bit simplistic… The statement is made in such a Boolean way, but there’s a lot more to it than that… I’d hate to see a mindset that’s basically ‘well we’re going to get hacked anyway.’”

Telos’s Rick Tracy agrees that the 2KoE memes don’t really serve a purpose other than trying to shock people and get them to understand how pervasive the cyber security problem really is:  “The trouble with these statements is that they’re difficult, maybe impossible, to disprove.”

The other issue, Tracy suggests, is that the memes imply that you shouldn’t feel bad about being breached because it happens to everyone — literally, according to the meme:  “You might argue that it serves to send the wrong message: ‘Don’t worry.  It happens to everyone.  Go back to sleep.’”

Bromium co-founder and CTO Simon Crosby states this even more bluntly: “Your organization does not have to fall prey to the fatalism of the ‘you’ve already been breached but don’t know it yet’ set. Those are the narratives of executives who know they are failing and seek solace in collective failure.”

Final Thoughts

So has every enterprise literally been breached?  Probably not.  Is every enterprise likely to be breached?  Perhaps not, but given the increasing rate of breaches and the interconnected nature of commerce in the 21st Century, it makes sense for every enterprise, large and small, to take every reasonable precaution to protect themselves.

If information security professionals continue to use the 2KoE memes, they need to provide some real-world context and recommendations with them in order to bolster their clients rather than allowing the memes to foster hopeless resignation.  They need to encourage their clients to know the threats, know their vulnerabilities, do all they can to remediate them, manage the risks involved, and be prepared should a breach occur.

Update, 12/19/2018: Cybersecurity expert and author Richard Bejtlich has published a thorough and thoroughly fascinating blog post on the history of this meme: The Origin of the Quote “There Are Two Types of Companies”

Cybersecurity isn’t the same thing as information assurance.

Last March the DoD announced the retirement of DIACAP in favor of an information-assurance approach based on NIST’s risk management framework (RMF). This transition had been anticipated for quite a while, and was a welcome development in getting all elements of the federal government aligned on the same approach to information risk management.

But one aspect of this change has drawn little comment from the DoD’s information community: the revised DoDI 8500.01 that accompanied this change now directs that the term “cybersecurity” be used throughout the DoD instead of the term “information assurance.”

That’s a major change that bears further review. It’s one thing to rename the document itself from “Information Assurance” to “Cybersecurity” in recognition of its focus on security in the cyber domain. But to do a “global search-and-replace” on these terms across the DoD suggests that they’re either synonymous or even perhaps that cybersecurity is higher up on the evolutionary scale than IA.

In fact, cybersecurity is not the same thing as information assurance. Cybersecurity is a sub-set of information security, which itself is a sub-discipline of information assurance, which encompasses higher-level concepts such as strategy, law, policy, risk management, training, and other disciplines that transcend a particular medium or domain.

Securing Cyberspace Doesn’t Secure or Assure All Information in All Media

Both NIST and the Intelligence Community recognize these distinctions in their own instructions, special publications, and glossaries. First, NIST and the Intelligence Community define “cyberspace” as:

a global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. [emphasis added]

In the same documents, both NIST and the IC define “cybersecurity” as “the ability to protect or defend the use of cyberspace from cyber attacks,” i.e.,

an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information. [emphasis added]

In other words, “cybersecurity” focuses primarily on defending the infrastructure of information systems — computers, networks, and communications — and secondarily on protecting data and information within the cyber domain. Cybersecurity doesn’t include defending and protecting information outside the cyber domain, which constitutes a lot of documents and records within the DoD.

The distinction between cybersecurity and information assurance is reflected in both the NIST and IC definitions of “information assurance”:

Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

This definition makes no reference to cyberspace infrastructure and encompasses all information in both digital and analog forms. Ironically, DoD has traditionally defined “information assurance” the same way, as “assuring the confidentiality, integrity, authentication, non-repudiation, and availability of information.”

However, as of March 2014, the DoD is applying that definition to the term “cybersecurity” and has also expanded the definition so that it (almost) covers “information assurance.” DoD now defines “cybersecurity” as:

Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.

This new definition mashes up elements of higher-level concepts like IA and information security with references to cyber infrastructure, inflating the term “cybersecurity” to encompass concepts it doesn’t and shouldn’t address. Things like disaster-recovery planning are an awkward fit in this definition, and the security and assurance of paper-based information isn’t covered at all.

(And if “cybersecurity” now includes “restoration of” computer-and-communications infrastructure, wouldn’t any IT service technician be considered “cybersecurity personnel”?)

Are Paper Shredders Really a Cybersecurity Solution?

Sticking your head into any office at the Pentagon will reveal that information in the DoD is still recorded, shared, and stored in paper and other non-cyber media. (You could even argue that information on CDs and USB drives wouldn’t be considered “cyber” when these devices aren’t connected to a network.) The DoD also still contends to some degree with information in legacy media such as acetate film and magnetic tape. These non-cyber documents, records, and media require measures for security and assurance that don’t involve the cyber domain.

The idea of assuring and securing paper-based information may seem quaint in 2014. But paper is still a widely used medium for disseminating information within the defense community. (It certainly isn’t considered “quaint” by DoD and VA healthcare officials who deal with stacks of unprocessed paper files holding sensitive medical and personally identifiable information.)

That’s why DoD instructions for protecting classified information continue to specify how paper documents should be dated, marked, protected per the assigned classification level, and destroyed by authorized means when no longer needed. And it’s why DoD continues to specify physical security standards of storage facilities for paper records and other physical information media.

Most professionals in this field would agree that these measures have nothing to do with cybersecurity. These measures are part of information security (ensuring that the information in these media is protected from creation to destruction) and assurance (validating that the information in these media is authentic, trustworthy, and accessible).

Curiously, DoD’s previous definition of cybersecurity was even more sweeping and less precise in its inclusion of “the security of information in all its forms (electronic, physical)” [emphasis added]. However, in finally aligning its information-risk-management process with that of NIST and the IC, this was DoD’s opportunity to conform its definition of cybersecurity with theirs and leave its perfectly valid definition of information assurance intact.

Instead, in its haste to retire DIACAP and embrace the RMF, the DoD seems to have orphaned the discipline of securing and assuring information in every media or environment, including non-cyber. That could cause major concerns over time.

Conclusion

Fretting over the definition of information assurance vs. cybersecurity may seem like a minor point. But it’s been said that “a choice of words is a choice of worlds.” It’s important that the terminology we use in our profession truly reflects what we do in our work. It helps avoid conflict, violated expectations, inefficiencies, and gaps in the measures we put in place to assure both information and information systems.

My hope is that the powers-that-be will soon recognize and change this decision before too much confusion ensues.