
Data Privacy: It is as Strong as the Weakest Link

Data Privacy requires a 100% effort

If one link can break the chain, every link must be verified. When I disassemble this, I find there are two parts to this. First, a chain is only as strong as its weakest link. Second, if you want to find the weakest link, sampling is not a wise strategy. You must check them all. Examples abound.

A single unpatched server amongst 100s

Let’s take one of the biggest and most significant examples: Equifax in 2017. Sensitive personal and financial information of almost 150 million individuals was compromised, making it one of the single largest incidents of identity theft. Here is a quick snapshot of what happened. A vulnerability was discovered in Apache Struts (CVE-2017-5638) and a patch was released by Apache in March 2017. However, this patch was not applied for two months at one Equifax system: the dispute resolution website servers. These two months were enough and the fortress was breached. The intruders went undetected for 76 days before this patch was applied and the breach plugged. In these 76 days the intruders gained access to 48 separate databases across 34 servers located in 20 countries. It was game over. The largest breach had taken place because of one unpatched server. 100% verification of servers would have prevented this security breach and preserved Data Privacy. Patch (and security) verification must be universal. It cannot be sampled. If one link can break the chain, every link must be verified.

This is not a one-off Occurrence

The breach of Equifax in 2017 is not a one-off occurrence. We seem to read of hacks with reasonable regularity. Technically speaking, most hacks and breaches are not very hi-tech. They are simple and, as we see with hindsight, could have been prevented if already established policies had been followed and verified. Like the one at Knight Capital Group in 2012, due to one server out of eight that did not receive updated code. This caused damage of almost half a billion dollars! Or take the case of Capital One in 2019, where it was one misconfigured server out of 100s that caused the breach. Or the Okta Support System breach in 2022, when attackers gained access to customer data because of one weak workstation on the periphery of the Okta infrastructure. Sampling was not enough: Okta had a pretty strong security structure, but the vulnerability existed on the periphery of the Okta infrastructure. I am a history buff, and when I hear of such incidents, I cannot help but be reminded of the fall of Constantinople. The Theodosian walls that were built to protect and had protected the Byzantine Empire for 800 years fell in 36 hours after a 53-day siege by the Ottomans because of one weak section of the wall that had not been strengthened.

The weakest link is often not the most technically complex component — it’s the least governed, least verified, or least monitored one.

Sampling is not a solution. Nor is self-assessment. Nor self-attestation. Because hackers do not sample. They use automation to keep probing ALL the elements of your infrastructure and scan ALL the endpoints till they find the weak ones. 100% verification of information assets in each of these cases would have prevented the security breach and preserved Data Privacy. Data Privacy and Protection requires all sensitive data to be protected. It is not enough to protect most of this sensitive data. You have to protect it all. Protecting it all is not easy because of the enormity of the task, in scale and in scope. You will often hear answers to your questions that you will not accept…

Will you accept these answers?

Is everything backed up? Almost everything is.

Will our Business Continuity plans work? Have they been tested? Yes, they will surely work. There is no need to test them.

Are all the servers patched with the latest security patches? Most of the important ones are.

I am sure you will not.

As a CxO, when the reputation as well as the continued viability of your organization depends on keeping your digital infrastructure secure, will you accept these answers to your questions?

I am sure your team has good intentions when they claim they have done the tasks required. It is your responsibility to verify their intent. You must go beyond demonstration of intent to demonstration of execution and verifiability.

You must verify everything.

How do you Verify @ Scale?

Strengthening your security posture cannot be an after-thought. You must build it into the DNA of all that you do.

IMO there is a 4-pronged strategy you could use: Prevent. Detect. Monitor. Test.

Prevent

You must put policies, procedures and workflows in place to make sure that undesirable behavior or tasks are not allowed to proceed and are nipped in the bud. Some examples of preventive measures: blocking the deployment of servers or workstations that are not configured as per standards, with exceptions, where required, carrying the highest level of sign-off; or blocking the creation of users or roles without Multi-Factor Authentication.

Detect

Sampling 5 servers does not tell you anything about the 6th. See what happened to Knight Capital Group. So, you have to have a strategy to automate to enable 100% verification. There are various interesting approaches at your disposal, including leveraging AI to detect anomalies.

Monitor

One potential downside of 100% verification is a monitoring overload. You must monitor what you are verifying. Therefore, you must have a strategy to Monitor by Exception. This is yet another place where you can effectively leverage AI to enable monitoring by exception.
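A minimal sketch of the Detect and Monitor steps, added here as an illustration and not taken from the original post: every host in the inventory is checked, a host with no scan result or a stale one counts as a failure, and only the exceptions are reported. The host names, field names and one-day freshness threshold are assumptions, and the data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; host names and fields are hypothetical.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY = ["web-01", "web-02", "dispute-portal-01", "db-01", "batch-08"]
SCAN_RESULTS = {
    "web-01": {"missing": [], "scanned_at": NOW - timedelta(hours=3)},
    "web-02": {"missing": [], "scanned_at": NOW - timedelta(hours=5)},
    "dispute-portal-01": {"missing": ["CVE-2017-5638"],
                          "scanned_at": NOW - timedelta(hours=2)},
    "db-01": {"missing": [], "scanned_at": NOW - timedelta(days=12)},
    # Scanned, but nobody recorded it in the inventory.
    "shadow-99": {"missing": [], "scanned_at": NOW - timedelta(hours=1)},
    # Note: batch-08 is inventoried but has no scan result at all.
}


def verify_fleet(inventory, scan_results, now, max_age=timedelta(days=1)):
    """Check every inventoried host; return (exceptions, coverage).

    A host passes only on positive, fresh evidence. Absence of a finding
    is not treated as a pass, which is the gap that sampling hides.
    """
    exceptions, verified = {}, 0
    for host in inventory:
        result = scan_results.get(host)
        if result is None:
            exceptions[host] = "UNVERIFIED: no scan result"
        elif now - result["scanned_at"] > max_age:
            exceptions[host] = "STALE: last scan older than threshold"
        else:
            verified += 1  # fresh evidence exists for this host
            if result["missing"]:
                exceptions[host] = "UNPATCHED: " + ", ".join(result["missing"])
    # Hosts the scanner saw that the inventory does not know about.
    for host in sorted(set(scan_results) - set(inventory)):
        exceptions[host] = "UNMANAGED: scanned but not in inventory"
    coverage = verified / len(inventory) if inventory else 0.0
    return exceptions, coverage


if __name__ == "__main__":
    found, coverage = verify_fleet(INVENTORY, SCAN_RESULTS, NOW)
    print(f"verification coverage: {coverage:.0%}")
    for host, reason in found.items():  # monitor by exception: only these
        print(f"{host}: {reason}")
```

The two healthy hosts produce no output at all, so the report stays short even when the check runs against the whole fleet.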

Test

Even if you have enabled a 100% verification strategy using automation, you have to maintain human supervision to ensure that everything is working as designed and intended. You must test your controls by simulating situations and checking how the controls respond. There are various strategies to test: red teaming, reward programs and continuous simulation are some of them.

I will be writing about these 4 aspects of Verifying @ Scale in forthcoming blogs.

If one link can break the chain, every link must be verified.
