I like the idea of sharing knowledge about attack vectors and best practice for the defense against cyber-attacks across industries. But what is the proper scope for action?
John Colley writes:
‘Even worse, the persistence of bad cyber security practices is driving banks to try to protect badly designed systems by hiding them from view. Many banks try to prevent attackers discovering what internal programs they use; yet it shouldn’t matter if outsiders know what software a bank uses for its internal systems, if that software is secured properly in the first place.’
I have been discussing such issues for months now. My advice is crystal clear:
Before you start sharing information about your internal systems with any partner, carefully consider
what information and what level of detail is required, and
how the information must be protected.
Every piece of available information about your internal systems will support attackers in finding vulnerabilities in your systems. Remember: It’s merely a matter of time before cyber criminals break into your company network…
Too many details increase the attack surface of your company!
Every data breach tells a story. Since only the attacker has the detailed storyboard, we are left to guess at the plot of the cyber-attack. But from the really interesting news about a cyber-attack, which is sometimes published only weeks later, we can try to create our own rough storyboard.
The lessons learned from the plot of a cyber-attack
may show the weak points of our defense system, or
may support us in evaluating our defense system and the residual risk we take, or
may support us in developing appropriate countermeasures.
I’m particularly interested in the beginning of the story (the initial attack vector), and of course in the development after gaining access to a company’s network.
Over the next weeks I would like to develop a plot of the Premera cyber-attack. I would be pleased if you would join me on this journey. Suggestions and comments are highly welcome.