Security Matters: Always Assume That Things Are Worse Than They Appear
When it comes to security, things usually aren’t as bad as you think. They’re worse. There’s a very good chance that the alert your security team just received is the real deal and that the attackers behind it are not only inside your business, but have probably been there for some time. As the late Intel executive Andy Grove suggested with the title of one of his most popular books, “Only The Paranoid Survive.” Although Grove was talking about business strategy, this notion is equally applicable to security.
Always be suspicious.
Ask lots of questions and keep digging until you really understand what’s going on.
Then dig some more.
There’s always more to security situations than meets the eye. The deeper your understanding is, the better your chances will be of successfully identifying the underlying issues and addressing the problem.
Any time there’s a security alert or incident within your business, don’t consider the situation resolved until it has been fully investigated. And because it’s often not possible to prove that a particular activity is malicious, it’s important that you continue to assume malicious activity until you can prove it isn’t.
That means taking preemptive action such as:
- Completely wiping and re-imaging any machines you suspect have been compromised
- Changing user credentials and monitoring accounts
- Undertaking low-level monitoring, including process monitoring and network packet analysis, until you are certain that there’s no longer a threat
Even if the activity has already stopped, collecting more granular information about it will assist with analysis and response when the attackers are detected again. That’s an important point to let sink in: Just because suspicious activity stops for a period of time, that doesn’t mean the attacker has left.
Successful startups have a sense of urgency around getting their products out the door. That’s a good thing. However, when you’re reviewing new features for security issues, or reviewing existing ones, you have to avoid the temptation to “just ship it” without doing a deep security analysis.
If during a review something strange is found in the code, the machine learning model or the user interface, you can’t just overlook it for the sake of shipping your product on time. When product teams take shortcuts like these, it can lead to huge disasters later on. Plus, it’s usually much harder to fix the ensuing problems retroactively than to just do it right the first time around.
So make sure your teams do a deep dive on all security investigations and security decisions. And don’t allow yourself to become complacent about it. Your attackers will always be trying to go deeper — it’s up to you to stay ahead of them.
Always Ask “Why?”
Make it part of your company culture to always ask why, to help uncover the root cause of a situation. That means continuing to ask why every time an event occurs or something new happens, and asking again and again until you get a real answer. And while the inspiration for this technique, Toyota’s highly successful quality management programs, suggests asking why five times, in the context of security that should be the bare minimum.
It’s also important not to be selective about where you go deep. Your attackers won’t be. Don’t try to anticipate where you might get attacked. Instead, apply this principle across your entire company and your full product stack.
If that’s too much work, then your environment might be too complicated. Start to simplify your architecture and business so that you can rely on fewer things, all of which you’re able to go deep on. For example, all user authentication for your applications should be done via a common service and that service should be investigated internally and by trusted third parties as well as with bug bounty programs. Look for opportunities to build on the shoulders of giants with a reputation for a robust approach to security (such as Amazon and Google), and keep looking for ways to simplify your environment.
Lest We Forget
Security attacks are almost always worse than you think they are. They have the potential to do far more damage and the attackers responsible for them have many more ways to infiltrate your business than you probably realize. What this means is that you have to be vigilant and you have to aggressively pursue every avenue to ensure that your business is not only secure, but that you’re also one step ahead of your attackers.