Digital Transactions Authoritative, insightful and timely information for payments professionals
Gideon Samid / Gideon@AGSgo.com
What is a strategic security analysis (SSA) when it comes to payments and banking? It is essentially a matrix where each row identifies a credible attack scenario and each column lists a counter-action available to us. At the intersection of each column with each row is spelled out the impact of the particular counter-action on the particular attack scenario.
The impact, measured in dollars or in some ordinal units, reflects how helpful each counter-action is towards each likely attack scenario. The attack scenarios are further associated with a “probability-to-occur” estimate, and the counter-measures are associated with a cost figure. Given this strategic security matrix (SSM), it is a matter of using a mathematical formula to optimize the security of the system.
This formula can be bought from AGS or any other provider. That’s the easy part. The real challenge is, first, to identify the likely attack scenarios, and second, to identify countermeasures. Both are a matter of imagination. If your security matrix does not specify the attack scenario used on you, it also does not specify how it could be stopped.
The hackers keep thinking, and as a result, they keep coming up with ever-new attack scenarios. Security officials tend to be so busy implementing yesterday’s plan that little time is left to out-think the hackers and decide which new attack scenario one needs to defend against today. A strategic attitude towards security will guide the defenders to constantly ask themselves what new vulnerabilities have arisen in their system as it improves and grows, and as it is constantly modified.
This strategic attitude will also identify expensive countermeasures that nonetheless have little impact on the most credible attack scenarios, and hence should be discounted. I have spotted situations where a backup database is associated with elaborate (burdensome and expensive) access control, despite the fact that its content is encrypted with the same cipher that is used to send data over the Internet. On the other hand, historic transactions were downloaded to offline devices that were scattered around the office where anyone could have copied them and gained access to buyers’ durable data. In another example, a certain financial company implemented a very rigorous version-management control to protect against hidden malware, but also allowed for “call” functions of a third party that outsourced its code to eastern Europe. A systematic strategic review would have caught this vulnerability.
I for one strongly recommend the use of the strategic matrix. Security officers should challenge everyone in the organization to come up with new entries for the rows (attack scenarios) and columns (countermeasures). In hindsight, when analyzing a successful attack, one is likely to realize that some “nobody” in the organization suggested that attack, or suggested a good stopper to it, but the powers that be pooh-poohed it. At least that “nobody” will gain some credibility moving forward.
The new class of attacks we see in the field involves a very innocent-looking compromise of an insider, who does not realize how damaging his release of some mundane piece of data really is, and a partnership between a local mastermind hacker and operating hackers from a distant country where the FBI is powerless. We also see more attempts at gleaning the spending habits of people of interest than we see efforts at stealing money.
What’s really scary is the constant increase in sophistication and elaboration. Our only hope is to out-think our adversaries, out-imagine them, but that is quite a challenge. Who wants to write a monthly report that says: “I spent the entire month thinking… wrote nothing, built nothing, I was just pondering…” Contrast this with what apprehended hackers say about how they came up with their neat trick: “I was thinking about it for half a year.”
No amount of hardware, software, policy, or regulation will substitute for out-thinking the bad guys. The purpose of a strategic framework, as indicated here, is to help us carry out our security duties effectively and durably. The worst mistake that we see, even among big-name companies, is the attitude of “once and for all”—the idea that we are ready to spend big, install a perfect wall, and forget about it.
There is no “once and for all” solution. And the stakes are huge. If we forget to think as hard as the cybercriminals do, we are going to lose the cyberwar. Like it or not, we have to think security, strategically, if we want to have security, durably.
