I have been reading a lot of the posts that have been written about the OPM (Office of Personnel Management) breach and watched the hearing, and I think that we are getting stuck on whichever flavor of security we lean towards. “Well, if they had encryption, this wouldn’t have happened.” “Well, encryption wouldn’t have helped in this case.” “If only they used Linux, then they would be fine.” If only X, Y, Z. The issue is that we (I say we, but if there are any non-US citizens reading this, I mean the US) have adversaries that don’t care what security tools we use; they will find a way in, maybe even through non-technical means, like human agents. Discussing the OPM breach like it was just another company being breached is a mistake. The adversaries they are facing are very smart and very persistent. Having said that, there were also a bunch of big screw-ups that left them wide open to the breach.
I was reading a post about the OPM hack on Bromium’s site, and I found a statement at the end interesting: “If a security vendor tells you that you will be breached, what are they even selling you?” They are selling you awareness that a persistent and aggressive adversary will find a way into your environment, and that you should make it as difficult as possible for them and shorten the time to detection. Telling someone that they will always be protected from a breach as long as they use a specific solution is silly. I do like that the author mentions breaking through the status quo, but I think that is exactly what admitting you have a serious adversary, one who will likely get past whatever security you put in place, does. Through that awareness you can start focusing on making entry more difficult, so that your adversary has to spend more resources to get in, and on detection, so that your adversary is in your environment for as little time as possible.
“If you know the enemy and know yourself, you need not fear the results of a hundred battles” – Sun Tzu
“Know your enemy!” – Rage Against the Machine
