A tool you might not see mentioned often in security literature is imagination. It isn’t very technical, and it isn’t very procedural, but failing to employ your imagination can often lead to disaster.
If I had only believed I could win
My favorite story is that of a young businessman who wrote about his early hobby of sailing. He went up against the “big boys” in a race off Australia. During the middle of the race, he was further out than the rest of the sailors and he thought he should go closer to their path, nearer the shore. Later he realized that if he had simply taken the water temperature with his thermometer, he would have seen that he was on a faster path and finished much earlier. He notes “If I had only believed that I could win, I would have.”
Also consider “The Empire doesn’t consider a small, one-man fighter to be any threat.” -— Rebel General Dodonna, shortly before a small, one-man fighter destroys the Death Star.
Some failures of imagination are more severe. Do you remember one of our leaders standing in the rubble of New York buildings saying “Who could have imagined this would happen.” Well, the people who did it is who.
Defense by presumed motive
In talking to teams about how to build defenses, I often hear “Well, if the attackers get into one of my servers, the database is encrypted so they can’t get anything.” There are several problems with this thinking. First, if attackers can get into a server, you probably need to presume serious compromise. There is likely a way for them to find the keys that encrypt the database.
From the standpoint of imagination, it presumes that attackers are after the one specific thing that you are worried about–a very important asset. What is likely valuable to the attacker is control at any level of the server, not just the main jewels.
In doing GDPR review, it’s clear that most companies have significant personally-identifiable information in places they may not realize, and further that this information is shared with other entities in a way that isn’t tracked.
If this data is not on your list of key assets, it is easy to overlook that this might be a target.
It is likely true that there are other internal targets–large and small–that can be useful to attackers. Discovery of those can be used as jumping off points for further “exploration”.
What could possibly go wrong
I have stickers that I like to share when I meet people or when someone leaves something unlocked. It is usually met with humor, but the underlying message is serious: The “What Could Possibly Go Wrong” mindset is a good one to have when thinking about the security of your software, your AWS configuration, or your (unlocked) rack of building keys in the subbasement. I once encountered an elevator control panel that swung open to reveal the internal wiring. I placed a sticker there to help the repairman. A colleague left their wallet in a position highly visible from the hallway, just inside the door. I carefully opened the wallet and placed sticker inside, hopefully conveying the proper message.
While these stickers are usually seen as humorous, they illustrate an attitude that I think is necessary as a defender of information assets. An unlocked terminal, which is often the target of these stickers, can be an attacker’s gateway to the rest of the network or cloud resources.
This is useful to identify specific threats and can also be a useful message to people who are not security-aware.
I’ve worked for companies that make a serious effort in their hiring efforts–to recruit and hire folks across many cultures, dispositions, genders, and backgrounds. But once hired, the internal culture is essentially monolithic, with not much out-of-the-box thinking. Being all on the same page is important to the mission of the company. From a security perspective, any company with information online (and who doesn’t conduct business in one form or another these days?) is facing risks that are way out of the box. A recent widespread attack found thousands unprotected databases, removed them, and replaced them with a string containing “meow”. No reason is given, and there is no evident purpose. Who could have imagined.
Thinking out of the box
How do I increase my imagination, you might ask.
A twitter account Bad Things Daily, which isn’t actually updated daily, has a litany of things to stimulate you imagination and keep you up at night. These can be fodder for tabletop exercises. The latest scary one is “The company managing your MDM has unenrolled your endpoint agents and walked away. Managed FileVault keys are now inaccessible.” Your endpoints are now no longer under your control.
Source of ideas
In addition to reading scary twitter feeds, a little time spent in reading ideas outside your immediate responsibilities can feed your imagination. I’ve always felt that science fiction can lead to a wider perspective.
The systems that you are asked to defend are under attack, often from sources unknown, by methods that may not be immediately evident. We need many tools, including logging, monitoring, red-teaming our own infrastructure, but also imagination to be open to anticipating and recognizing attacks that are unusual.