
Hiding in Plain Sight: Why Your Organization Can't Rely on Security by Obscurity

Attackers Don't Examine Market Size When Deciding Whether or Not to Target an Organization or a Person

Recently, on a trip to visit potential customers in one of Europe’s smaller markets, I ran into a recurring theme.  When I speak to any audience about security, including potential customers of course, I tend to focus on concepts and ideas, rather than specific products and services.  Choosing the components of a solution is important, but can only be done once an approach is well understood.  This comes much later in the discussion.  Not surprisingly, most people prefer this approach, particularly when they are able to map between the concepts and ideas and the specific problems and challenges they face.

As you can imagine, one of the concepts I often discuss is the identification, prioritization, and mitigation of risk.  As I’ve discussed previously, this is one of the most critical components of a mature and successful security program.  This particular trip was no different from most others in that I broached this particular topic with nearly everyone I met with.  What was different on this trip, however, was one response I received repeatedly: “We are in a small market.  No one will attack us.”  This surprised me quite a bit.

Indeed, I have heard this line of reasoning many times in the past.  What surprised me was not that people would be inclined to think this way, but that they would be inclined to think this way in 2017.  It is surprising given how interconnected the world is, how we’ve repeatedly seen that no target is too small or too remote for the motivated attacker, and how organizations that do not come to terms with this reality ultimately pay for it, sometimes dearly.

Sadly, market size isn’t the only way in which people lure themselves into a false sense of security.  Let’s take a look at a few of the different ways in which people convince themselves that they do not need to understand the threat landscape they face and mitigate the risk it presents them with.

Organizational Size

Some people, organizations, and boards seem to think that if their organization is under a certain threshold (either employee-wise or revenue-wise), then the organization can simply fly under the attacker radar.  This line of reasoning is reminiscent of the old “security by obscurity” way of thinking.  As experienced security professionals know, this is a dangerous way of thinking that generally winds up producing disastrous results.

Attackers have shown time and time again that they care about one thing and one thing only: the location of the prize they are after.  It doesn’t matter if that prize is money, information, disruption, or any of the other ends that motivate attackers.  If an organization has what the attackers are after, they will go after it. It doesn’t matter if the organization has 10 employees or 10,000 employees.

Geographic Isolation

There is a somewhat natural tendency to feel safe and secure due to geographic isolation.  If we look at the history of kinetic wars and the kinetic battlefield, it is easy to understand why this is the case.  But this sense of security does not and should not translate to the virtual world.

Whereas to commit a physical crime in a given city, I generally need to be in that city, this is obviously not the case in the virtual world.  I can sit on one side of the world and commit cybercrime on the other side of the world.  Similarly, I can just as easily attack targets in places that may be geographically isolated as I can attack places that may be just around the corner from me.  Unfortunately, there is really nowhere to hide in the virtual world.

Language Barriers

There are many languages that a relatively small number of people speak.  In the countries that speak these languages, people may be inclined to think that they are not at risk.  For example, people may think that because all intellectual property, customer data, employee data, or other sensitive data is written in a language that is not widely spoken, then no one will ever be able to target, navigate to, and exfiltrate that data.  This is another type of “security by obscurity” that is a dangerous way of thinking.  Unfortunately for those native speakers, this could not be farther from the truth.  Attackers have shown tremendous creativity and resourcefulness when it comes to gaining access to the information they are after, regardless of the language it is written in and how many people speak that language.

Market Size

As I mentioned above, being in a smaller market does not protect an organization from attack.  No matter how small the market, there will still be people, organizations, and information that attackers will want to target.  To be quite frank, it doesn’t much matter where information resides nowadays.  The fact that it exists in an interconnected world puts it at risk.  Attackers do not examine market size when deciding whether or not to target an organization or a person that has a specific piece of information they are after. They simply go after it.

My purpose in this piece isn’t to cause panic or present a doom and gloom scenario. Rather, I’m hoping that the clever reader will see in this piece an opportunity to help educate management, executives, the board, and others of the need to approach security strategically, regardless of organization size, geographic location, spoken language, or market size.  Any of the points I’ve raised above can be countered and mitigated by approaching security as a risk mitigation exercise complete with a robust security operations and incident response capability.  No one should rely on security by obscurity and expect to fly under the radar of the modern attacker.  It’s just too risky.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA and also serves as Security Advisor to ExtraHop. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.