Our colleague, Dr. Vladas Leonas, GAICD, FACS, FIEAust weighs in on Guest Post Friday.
As many of us are watching the FIFA World Cup 2022, with the Quarter Finals upon us, I thought that it might be appropriate to talk about Football.
Consider the following scenario. A center forward has possession and leaves the opposing half-backs and full-backs floundering. There is only the goalkeeper between them and the goal to prevent them from scoring and winning. If the goalkeeper is good, their odds of preventing a goal from being scored are reasonable. In football, the big prize, and the big money, go to those who can score.
Let’s make this scenario a bit more complex and harder for the goalkeeper. Now, the opposing center forward and two midfielders are in front of the goalkeeper. The situation is a tad more difficult for the goalkeeper, but there is still a chance, albeit reduced, for the goalkeeper to prevent the opposition from scoring.
Making this scenario more hypothetical, let’s give each of the attackers their own football to shoot at goal. In this scenario, it is almost impossible for a goalkeeper to stop the opposition from scoring.
Now let’s imagine that there are ten attackers, each with their own football, in front of the goalkeeper. In this scenario, there is literally no chance, no matter how good this goalkeeper is, that they will prevent the opposition from scoring.
Why are we talking about Football here? Because the situation is very similar to protecting ICT Assets and Networks, especially for any large organization.
The complexity of ICT ecosystems in large organizations creates that very last scenario, with little to no chance of preventing the opposition from gaining ACCESS (scoring).
As I have seen in numerous organizations, the complexity of ICT ecosystems has become so high that no single person understands the end-to-end interrelationships and interworking of all the components. A single goalkeeper defending against a myriad of attackers will never end well.
I would also dare to say that current trends of moving away from monolith all-in-one systems towards microservices, cloud-native, containerization, etc., simply increase the potential number of attackers (and footballs) and the threat surface and landscape. It is far too easy to unknowingly remain exposed, vulnerable, and exploitable.
We MUST Level up the field.
If we fail to implement the right DNS, PKI, and Domain hygiene that Andrew Jenkinson regularly talks about, as well as the ZTA that is advocated and promoted by Steve King and others, it is a guarantee, a fait accompli, that various components of the ICT ecosystem will be exposed to many attackers. Each attacker with their own football, and the goalkeeper blindfolded with their hands tied behind their back… Be it a Not Secure Domain, an Insecure DNS, an Insecure Server, Software Bugs in a legacy piece of software, a supply chain attack, compromised credentials, or something else – it does not matter, the exposure is there and conforms to Rumsfeld’s theory of Unknown unknowns.
Looks awful, doesn’t it? So, what is the answer? The answer is Simplicity!
With the basic, fundamental security listed above, and the rationalization of ICT ecosystems back to manageable levels of complexity, we will be able to keep defending against multiple attackers, each with their own football. It also helps if the management appreciates that a game is in play…
So, focus on the Basics, and on rationalizing and simplifying ICT ecosystems!