Introduction
In the first and second parts of our series on information security, we posed two key questions:
We now come to the most important question:
- Where should this information be?
Once you can answer this, you will have one of the most powerful information security measures available.
Information has a nasty habit of flowing everywhere like water. Just like water, the uncontrolled spread of information will lead to leaks. In our houses, we confine water to tanks (when at rest), pipes (when in motion), and plumbing fixtures, such as taps (when in use). Rather than waterproofing everything we own or seeking to make each room watertight, we focus our efforts on preventing leaks from these tanks, pipes, and fixtures. Furthermore, we do not have more of each of these than we need.
This is exactly the approach that we need to adopt in information security. We need to reduce to a minimum the locations where information is vulnerable (the attack surface) and the time for which it is vulnerable (the attack window), rather than waste resources on unnecessary security measures.
Attack Surface
There are two key elements that dictate what an attacker can do in relation to your information: the attack surface (space) and the attack window (time).
The more copies of the information that exist, the greater the attack surface and the more opportunities there are for an attacker to be successful. To limit this, you can restrict where your information is located and what forms it takes. In the first article in this series, we recommended securely destroying low-value information with the potential to cause significant harm. This immediately reduces the attack surface with minimal impact on your organisation’s ability to operate or achieve its objectives.
At the next level down, each information asset will have its own attack surface. This is composed of all the forms, locations, and states it is currently in. An adversary will not care how or where they compromise the information, and so will attack it where it is weak, not where it is strong. The greater the attack surface, the greater the chances of a weakness. Reducing the attack surface by limiting the forms, locations, and states of information to what is actually necessary will result in fewer weaknesses for an attacker to exploit. (Revisit the second article in this series for a reminder of forms, locations, and states.) In addition, the burden of implementing security measures will be greatly reduced.
The attack surface of information will not be constant, as new copies are made or destroyed. Your organisation’s attack surface will also not be constant, as you may acquire new valuable or sensitive information assets or securely destroy ones that you no longer need. The attack surface evolves over time in both cases. And, in reality, this evolution usually means that it is increasing rather than shrinking.
Attack Window
The attack window refers to the time when each component of the attack surface is vulnerable.
This can be illustrated by an example from many people’s schooldays. While at your desk, you write a note to someone else in the class. You fold the note into a paper aeroplane and throw it to your friend, who unfolds it and reads the message. The information is in use when you write the note and when your friend reads the note. It is at rest on your desk before you throw it and on your friend’s desk before they read it. And the information is in motion – literally and figuratively – while the paper aeroplane is in the air.
Now consider the opportunities for an adversary – the teacher in this case – to compromise the message. The teacher will not see anything if they look at your desk before you write the message or after you throw the paper aeroplane. If they look at your friend’s desk before you throw it, they will not see anything either. Finally, if the teacher’s back is turned when you throw it, they also will not see anything. It is clear that there is a window of opportunity on each leg of the journey for the teacher to compromise the information; however, outside this window, there is no opportunity.
If you keep a copy of the message on your desk or you send the message in multiple paper aeroplanes to friends across the classroom, you not only increase the information’s attack surface but you also increase the attack window. Limiting the time the information spends in a form, location, or state to what is necessary reduces the opportunities available to an attacker to compromise it.
Conclusion
Information security is difficult. The more locations the information is in and the longer it stays there, the greater the chances of compromise and the more resources required to secure it. At the same time, information is essential to achieving your mission, and so cannot and should not be removed completely. So, a minimum footprint is inevitable. This minimum footprint is where the information should be.
Reducing the attack surface and attack window of information is essential as a security measure in itself. It will also likely decrease the number of other security measures required and increase the chances that those measures will be effective. In the next article, we will consider the goals of those security measures and the tradeoffs that exist between them.