"What is the perfect product?"
"How can you be completely secure?"
"What website can I go to, that will give me information on the exact solution I need?"
Yes, I get these questions often, and it makes sense why someone would ask them. As an outsider to the cyber security community, you might see these brilliant 'hackers' and the constant breaches, and simply feel at a loss as to where to begin.
Then, if you search online, it looks like "100% secure" really is a thing. I mean, there are tons of seals, so it must exist...
The reality is that security is a complex topic. I would never expect someone to just jump into it. What's more, Security by Design requires not only mastering a subject, but then also asking "how can this be exploited?" That's why there are security experts who specialise in a specific area and can explain, in plain language, how to apply security principles to your situation.
I realise everyone is looking for the perfect solution that fits all scenarios, such as Proton Mail's April Fool's Encryption notice. Be aware, however, that if you want one solution, and security is only as strong as its weakest link, you're essentially asking for unusable security.
How then, do we approach security? Hire experts that understand you, your business, and what it is you're trying to achieve.
As an ethical hacker, I don't just start #HackingAllTheThings at an organisation. I go through a proper cycle: identify the scope, decide on the reporting timeline(s), and only after knowing the exact requirements do I break things. I align the recommendations with industry-recognised standards and, most importantly, prioritise them based on the organisation.
As a consultant, I have often been called in after an audit or pentest of some sort has taken place, because whilst the reports are usually detailed, the organisation ends up with an exceptionally long list of vulnerabilities without context. They may not know how likely these vulnerabilities are to actually be exploited, or what inherent risk level the organisation has, and therefore what level of maturity their security programme needs. This leads to a lack of understanding of prioritisation, which in turn ends up with an unbalanced solution that may spend too much in one area but not enough in another.
I often hear 'everything's broken', I see the defeat in the IT ops team, and I recognise the frustration of the entire organisation. So let's look at priorities.
As one of my colleagues, David Prince, explains: "[When prioritising security controls, I] like to tell clients that they need to know what will hurt them and what will kill them and then they can figure out their relative order of priority."
Realise that you cannot be 100% secure. I repeat: nothing is perfect, or ever will be. Perfection is not, and never will be, your goal. The goal of security is being one step ahead.
Attacked by credential-harvesting phishing? That's ok, our systems have multi-factor authentication.
Insider threat? You practise the principle of least privilege, have effective logging and monitoring in place, and have a trained incident response team.
The goal is not to win every battle; being prepared and having the ability to minimise impact is how we win the war. The true goal of cyber security is being a step ahead.
Still struggling with how to apply security to your organisation? Then ask for help! It might be more effective to have a Cyber Security Maturity Assessment done first. Also, did you know you can ask penetration testing firms what methodology they use? You can ask for CVs, and even credentials; make an informed decision.
One thing that may be helpful: I released a piece on Ideas for Defining Testing here. If you go with an organisation, ask for their definitions and understand what services you're actually procuring.