Lessons from the attack on Lockheed Martin

Regardless of who got access to what (if anything) in the recently reported cyber attack against Lockheed Martin, this incident contains valuable lessons for everyone. Here are some key principles to remember. I appreciate that these considerations are far from easy when you’re wrestling with budget cuts, unconvinced management, and hostile investment appraisal functions. But they are vital to your future survival.

Firstly, if you have big secrets to protect, then you need more than one level of strong protection. That’s because any security system can break down (for various reasons) and you can’t afford to be left without protection. A second layer of weak protection is not sufficient. If you can’t achieve this, then consider taking your most valuable assets off the corporate network (if you possibly can). This might sound extravagant, but it’s nothing new. I recall going through the same arguments thirty years ago.

Secondly, don’t aim to do what everyone else does. Don’t follow established “best practices”. They are not enough to combat today’s threats. Organizations that are good at identity management are few and far between. Most are littered with vulnerable authentication systems, insecure platforms, and ineffective provisioning processes. Do what is needed. Don’t follow the herd.

Thirdly, try to be imaginative. Don’t be afraid to use controls that others ignore. For example, device authentication based on trusted platform modules is a powerful layer of control that is relatively easy to implement and manage, yet rarely used. Don’t be restricted to traditional solutions or perfectionist requirements. It’s better to combine several less-than-perfect solutions than to aim for an ideal, single layer of security.

Fourthly, if there is any suspicion that your authorisation system might have been compromised, then address it immediately. It’s your first and most important line of defence, not just another control. If it’s breached, treat it as a company crisis. Keeping your fingers crossed is not an option.

Finally, think about having a catastrophe plan for major failures with massive business impact. This is more than a conventional business continuity plan. It’s for the worst-case situation. It’s not about recovering from random outages. It’s about smart solutions for extreme situations: large-scale losses, so-called “Black Swan” events. This is a new science, or perhaps art.

As we enter the Information Age, we will face increasing levels of volatility and leveraged impact. It’s the inevitable consequence of the power of networks and the accelerating nature of business. You can’t manage security today with industrial-age tools such as quality management systems. The speed of defence has to keep up with the pace of attack. Unfortunately, we are all a long way from achieving this.