
Know your cyber enemy inside and out

Is there a different approach that can help stem the tide of cyber threats? Look to Sun Tzu's “Art of War”, writes Matt White

We are at war. Without a formal declaration of intent, we have been fighting on a virtual battlefield for years and it is not going in our favour. Consumers and businesses alike are suffering from guerrilla-like assaults on a regular basis, and every morning the news is filled with stories of losses, breaches and insider thefts from well-recognised brands such as Sony and Target.

Despite all the hype and publicity, many do not realise the extent of the battleground encroaching on our daily lives until it affects them directly, while those who do are employing “traditional” approaches such as implementing new technologies to strengthen the perimeter or add layers of automated security. 

However, that paradigm is missing the vital insight that with each new piece of technology comes additional complexity to an already exposed system. The greater the complexity then the greater the possible vulnerabilities. Imagine trying to protect an ever-expanding balloon from a single pin popping it. At first it's small, but as it expands there is more to protect and it gets more difficult.

So what can we do? Is there a different approach that can help stem the tide? Where can it be found?

The good news is there is a different approach, but surprisingly (for some) it is not found in the realm of cyber. Instead focus on the “war” of “cyber war” and look at the foundational military strategies over the past couple of millennia.

Arguably the most noted military strategist of all time is Sun Tzu. In around 500BC he wrote The Art of War, a text that has been studied for the past 2,000 years. His views on everything from troop placement on the battlefield to intelligence gathering would lead countless generals to victory. But how do views written over 2,000 years before computers existed help in a time when virtual begets physical?


The answer lies beneath the surface. In his third chapter, “Attack by Stratagem”, he says: “Know your enemy and know yourself, find naught in fear for 100 battles. Know yourself but not your enemy, find level of loss and victory. Know thy enemy but not yourself, wallow in defeat every time.”

Most information security programmes are fully aware of their enemy. Threat actors such as hacktivists, organised criminals, nation states and opportunists are well known and documented, so you would think you are well on the way to victory. The problem is that many companies and individuals stop there. Their focus resides on the outside, trying to stop the enemy getting in. But what about the inside?

Think back to Sun Tzu's teachings “... know thy enemy but not yourself, wallow in defeat every time”. In other words, if you don't look at the threat from the inside then you are fighting a losing battle.

In cyber terms, a key aspect when looking at “yourself” is identity and access management (IAM), arguably the oldest of the security arts. In a nutshell, it deals with making sure the right people have access to the right things at the right time. The “things” could be information, systems, buildings or even people. In fact, it deals with anything that has a value to one or more people at a time and allowing or preventing access to it.

By now, it's possible to see that not knowing who has access to systems and what they can do with that access is a fundamental flaw in a security strategy. Yet time and time again it is the basics of “user management” that lead to companies failing before they begin: no matter how much focus they put on the “enemy”, they are vulnerable to being blindsided by something on the inside.

It's worth noting that the “insider threat” is not necessarily a “rogue administrator” or an “Edward Snowden”. It could be a loyal member of staff or a contractor who fell foul of a social engineering exercise and left the company open to attack because they had more access than they needed.


When changing job role, users often have additional access appended to their profile, while the removal of their old access is frequently overlooked. Likewise, when leaving employment they often don't have their account revoked in a timely fashion, once more leaving a vulnerability that is relatively simple to fix.

So how can businesses benefit from Sun Tzu’s wisdom?

Luckily for all, the foundational steps to help reduce the risk of a security incident by “knowing yourself” are simple:

  • Understand at a business level what access is required to do a job, e.g. ask questions such as “how much access do they really need?” and “do they need to access those files?”
  • Understand the dangerous (toxic) combinations of access to prevent potentially fraudulent activity.
  • Regularly review and check who has access to what.
  • Amend/revoke access when someone moves role or leaves.
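The four steps above can be run as a single periodic access review. The script below is an added illustration, not code from the article or from KPMG; the role definitions, toxic pairs and user records are constructed sample data, and the attribute names are assumptions.

```python
from datetime import date

# Constructed sample data: what access each job role actually requires.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp.invoice.enter", "erp.vendor.view"},
    "procurement":      {"erp.vendor.create", "erp.po.raise"},
    "finance_manager":  {"erp.invoice.approve", "erp.payment.release"},
}

# Constructed toxic combinations (segregation of duties): one person holding
# both could create a vendor and pay it, or enter and approve the same invoice.
TOXIC_PAIRS = [
    ("erp.vendor.create", "erp.payment.release"),
    ("erp.invoice.enter", "erp.invoice.approve"),
]

# Constructed user records: current role, entitlements actually held, leave date.
USERS = [
    {"user": "alice", "role": "accounts_payable", "left": None,
     "held": {"erp.invoice.enter", "erp.vendor.view"}},
    # bob moved from procurement to finance_manager; old access was never removed
    {"user": "bob", "role": "finance_manager", "left": None,
     "held": {"erp.vendor.create", "erp.po.raise",
              "erp.invoice.approve", "erp.payment.release"}},
    # carol left months ago but her account was never revoked
    {"user": "carol", "role": "accounts_payable", "left": date(2015, 1, 31),
     "held": {"erp.invoice.enter", "erp.vendor.view"}},
]

REVIEW_DATE = date(2015, 6, 1)  # constructed date of this review run

def review_access(users, roles, toxic, today):
    """Return findings per user: excess access, toxic combinations, stale leavers."""
    findings = {}
    for u in users:
        issues = []
        excess = u["held"] - roles.get(u["role"], set())   # beyond the role's need
        if excess:
            issues.append(("excess", sorted(excess)))
        for a, b in toxic:                                  # segregation of duties
            if a in u["held"] and b in u["held"]:
                issues.append(("toxic", (a, b)))
        if u["left"] and u["left"] < today:                 # leaver not revoked
            issues.append(("leaver", u["left"].isoformat()))
        if issues:
            findings[u["user"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in review_access(USERS, ROLE_ENTITLEMENTS, TOXIC_PAIRS, REVIEW_DATE).items():
        print(user, issues)
```

Each finding maps to one of the steps: "excess" is the accumulated access from a previous role, "toxic" is a dangerous combination, and "leaver" is an account that should have been revoked.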

Improving user management does not require the purchase of new technology, nor should it cost millions of pounds to make improvements and reduce levels of risk.

Although achieving a best-of-breed system will involve finding the appropriate balance of people, process and technology for your needs, simple changes to the fundamentals of how a user is created, managed and archived can have tremendous widescale effects on an enterprise for a relatively low expenditure of time and money.


Matt White is a senior manager at KPMG’s Cyber Security practice.


It's a good reminder, but let's be honest. Locking down privileges means low trust. Low trust drives up cost and slows things down - every new request needs to be approved by the supervisor AND the business owner AND not come from the person AND then someone needs to execute on the call AND it needs to expire on a certain date AND someone needs to check on that date AND ...

Or you could do a risk management exercise on permissions and apply a complex scheme like that if the permissions matter. Throw in periodic audits and call it done.

Of course, that does mean measurably less security. Someone has to make the tradeoff. If you're PayPal, you might come down on the side of security.

ARE you PayPal?
