
815-A Brazos Street | Suite 526 | Austin, Texas 78701 | 877.936.3372 | stefan@empiricalresults.net

Stefan Whitwell, CFA, CIPM
Chief Executive Officer
Preemptive Risk Management
Protect. One Client at a Time.


2014 WHITE PAPER

CYBER SECURITY:

PLAYING DEFENSE ALONE IS NOT ENOUGH

JUNE 2014


Copyright 2014 Empirical Solutions, LLC. All rights reserved.





Executive Summary:

Despite already enormous and rapidly growing data security budgets, CEOs and CSOs
face the gut-wrenching reality that their corporations are no safer today, as evidenced
by the continuous stream of data breach headlines. Fortunately, there are things that
the CEO and CSO can do to significantly reduce their cyber risk exposure. The solution
starts with recognizing the limits of playing defense. The solution also depends on
recognizing that one of the biggest vulnerabilities goes unaddressed in most
corporations: Social Programming. Fortunately, both can be addressed by merely
reallocating a small portion of their current budgets.

June 5, 2014

A STRONG OFFENSE IS THE BEST DEFENSE

Someone once said that, "There are three things that are certain in life: death, taxes
and change. You can't avoid change, it's mandatory; progress, however, is optional."

As we will demonstrate below, playing defense in cyber security is a loser's game.

And right now, the hackers, professional thieves and malcontents are winning. Just
scan the headlines over the last year and they prove the point, despite corporations
spending more than they ever have on all the latest shiny objects, software solutions
and lucrative service contracts for installing, implementing and integrating these toys.

What do we mean by "playing defense"? In the corporate context, all too often
"defense" means being reactive. For example, the IT team learns that the current
hardware or software, or the configuration of one or both, is bad because there is a
new virus or new type of malware that defeats the current setup. Therefore, in order
to defend the corporation, the CSO or head of IT, or both, go to the CEO to ask for
more budget so they can buy the latest gizmos being flogged by well-educated and
persuasive sales teams at the largest technology firms in the world, because these
latest gizmos address this latest vulnerability, solve the problem and will protect
the corporation. Good, right?

No.

Here's the problem: (a) by the time the million-dollar gizmos are vetted, manufactured,
sold, shipped and installed, the odds are good that somewhere out there an adversary
has figured out a workaround or new means of attack, and (b) see (a). This is nothing
more than a corporate merry-go-round, where everyone feels better because they just
bought the latest technology, their feelings were affirmed by the billionaire owners of
the firm that sold them this technology, and it addresses the most recent problem.
However, ask any corporate CFO and they will tell you that IT budgets and security
budgets (which are often embedded across many different budget sleeves) are
picture-perfect hockey sticks with no sign of slowing. Yes, corporations now have more
defenses than ever to yesterday's problems, and the overhead to go with that, but in the
forward-looking sense, I would argue that corporations are just as vulnerable.

Heaven forbid you ask an "expert" about this; they will likely have a different opinion,
because 99% of the so-called security experts play defense and make a lot of money
from the sales of hardware, software, and related services, and as Upton Sinclair wisely
noted, "It is difficult to get a man to understand something, when his salary depends
upon his not understanding it."

The fundamental problem with playing defense is that it ignores the successful
behaviors needed to thrive in a world dominated by change, and will therefore fail.

Where defense looks for certainties, offense looks to win by shaping the behaviors of
its team, which is the only dynamic in this system that you can directly influence.

Offense drives the entrepreneur. Offense drives innovation. Offense is the game used
by hackers, thieves and malcontents. And if you want to thrive in the area of cyber
security, you must make sure that your corporate cyber security plan has a healthy mix
of both offensive and defensive strategy.

Defense seeks certainty but cannot deliver it. "Here is a problem." "Ok, we can create
a widget to fix that problem." Micro win but macro fail. Why? Because the hacker has
invented a new attack while you were putting Band-Aids on old ones. See the issue?

If the first major problem is a cyber security plan and budget that invests scant
resources into offensive strategies, the second problem is that most cyber security
service providers have little to no expertise in Social Programming and behavioral
analytics, as needed to implement offensive game plays, largely because most
consulting groups in larger solution providers are sales teams in sheep's clothing.
What you need to effectively prosecute offensive strategies are experts that give you
objective insight and feedback, which is then fed back into your internal program. If you
hire external teams that have conflicts of interest, you are merely exchanging one
problem for another and violating a long-proven corporate governance best practice.

Here is a nugget that will get you pointed in the right direction: the single biggest
vulnerability, on a persistent basis (since again, specific technological vulnerabilities can
be defended) is defective social programming in American corporations.

Social programming is the definable, measurable, and predictable behaviors that the
bad guys exploit when executing what is widely referred to as social engineering or, in
the language of Millennials, "punking." Why go head to head with the best engineers
when you can infiltrate and exploit your target's social programming and achieve your
objective with much less risk and effort? In corporate America, we call this efficiency.

Again, social engineering can be used proactively to test known problems, as is done
with technology-focused penetration testing, and it also tests for the existence of flawed
social programming, but its usefulness stops there. You need to take it one step further.

A credible cyber security policy must actively incorporate the key tenets of social
programming to harness the creativity and alertness of its workforce. Corporate culture,
policies, procedures et cetera all have their place, but should not be confused with the
explicit science of social programming as applied to cyber security, which focuses on
behaviors, ones that are programmed by the corporation, to create patterns of
behavior that will help secure and protect the corporation, even in an evolving
environment. To do this effectively, however, requires sponsorship at the board risk
committee level or, at a minimum, by the CEO, because the implementation of a social
programming program often requires changes to first be made in the area of corporate
governance, which spans many different departments within larger corporations (IT,
security, business units, legal, HR, compliance et cetera).

Lastly, as an aside, the recent Target data breach illustrates the risk of failing to address
social programming. They spent millions on gizmos prior to the breach and many more
millions post-breach but their lack of offense (social programming) was the ultimate
vulnerability that caused them to fail and land on the front page of the newspaper.

Can you write an employment contract that addresses every single possible behavior?
Sure, but it would be so long as to be unreadable. Policies and written procedures
alone are not the answer to security and behavior. Today's employment agreements
are promptly forgotten after they are signed, with the exception of C-level executive
agreements, and that is only because those documents often feature big carrots
embedded therein that cause executives to take notice, and sticks that could cause the
carrots to disappear, which is a terrifying thought and therefore more memorable.

So how does social engineering work? How do you use it to strengthen the firm?
Social programming both reduces weakness and vulnerability and harnesses the
strengths of your human capital. How do you measure, test and implement a social
engineering program? That is the billion-dollar question and outside the immediate
scope of this paper, but the good news is that there is a specific framework you can use
to implement and deploy social programming to protect your company.

In short, effective cyber security programs should strengthen your corporation's
competitive position, result in greater intra-firm teamwork and better protect your firm's
assets, and do so without saddling your firm with ever-increasing amounts of overhead.
If anything, cyber security, done right, incorporates a method of challenging the budget,
on a regular basis, to determine whether there is the right mix of offensive and
defensive programs and when old programs can be scrapped to keep agile and lean.

Knowing that we live in a world of change, and that corporate attacks are a certainty,
does it not make sense to position your firm, in its approach to cyber security, to
thrive by preemptively taking action? Playing defense, and just defense, in the realm of
cyber security is a well-intentioned loser's game and costs exponentially more than a
strategy based on winning, which ironically does more to ensure survival than
defense-centric approaches to cyber security that on the surface seem perfectly logical.


Stefan Whitwell
Austin, Texas


P.S. Click here for more information on Social Programming.
