Positive Reinforcement vs. Negative Inducement
For years now, I’ve recoiled at the “fear up harsh” approach some have attempted to coerce the public into paying for security controls. Aside from the problematic ethics of this approach, the science tells us fear simply does not motivate individuals to be proactive — it’s just a good way to get people to STOP doing a thing. Reward, on the other hand, activates neurotransmitters that encourage repeat behavior. Want to get employees to go the extra mile? Tie the work to a reward worth the effort. When someone gets the reward, broadcast it. This is exactly what we see in nature when a food source is identified — well-worn paths to the source and a reliable to-and-fro by the local fauna.
But how do you motivate the holders of the purse? I cannot tell you how many times I’ve had a conversation with a customer only because “the guy next door got hit,” or worse, “we got hit.” There is a thought out there in the ether: “I’m not interesting to hackers.” I understand how people might think this, and they are right — hackers are probably not looking for your organization.
Luck Is Not a Strategy
The idea of a guy wearing a hoodie and a ski mask typing furiously away to own a network is the common image the media presents us. While I’m sure it’s happened once or twice, that image does the public a disservice. The beauty of hacking (which, by the way, really is a term for tinkering with something, not criminal activity) is it leverages the way a system works and how it might work — regardless of design.
When I’m fishing with my kids and we need bait, we do one of two things: look for worms or net some minnows. It doesn’t actually matter which minnow or worm we get, any will do. They just need to be where we are looking for them, when we are looking for them. The minnow that was just outside of the net when it scooped up their brethren feels safe in knowing they were not a target of the net, but really, they were just lucky. That’s your organization.
When a criminal seeks to target computer systems, more often than not, they are searching by vulnerabilities — not brand names.
Default password in use? Awesome. No multifactor authentication? Excellent. Compromised credentials already found online for a potential spray attack? Winning. Help desk contact information and protocol available to the public? Very cool.
You see where I’m going with this.
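The opportunistic pattern above (leaked credentials tried against many accounts, a few attempts each, from one source) has a recognizable shape in authentication logs, and that shape is what a defender can watch for. The script below is an added example, not code from the original post; the log format, the sample lines and the thresholds (ten-minute window, five distinct accounts) are constructed assumptions and should be adapted to whatever your authentication system actually emits.

```python
"""Password-spray detection over constructed authentication log lines.

A spray is many accounts, few attempts each, from one source: the reverse
shape of a brute force (one account, many attempts). The log format, the
sample lines and the thresholds below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
# 203.0.113.7 fails against five different accounts, then succeeds on one.
# 198.51.100.9 is a user mistyping their own password (one account only).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:03Z src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:05Z src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:00:07Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T09:00:09Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T09:00:11Z src=203.0.113.7 user=frank result=SUCCESS
2024-05-01T09:00:02Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:00:04Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:00:06Z src=198.51.100.9 user=alice result=SUCCESS
2024-05-01T10:30:00Z src=192.0.2.44 user=gina result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "src": m.group("src"),
            "user": m.group("user"), "result": m.group("result")}


def parse_log(log_text):
    return [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src: sorted usernames} for every source whose failed logins
    touch at least `min_users` distinct accounts inside some `window` span.
    """
    by_src = defaultdict(list)
    for e in parse_log(log_text):
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window over this source's failures, oldest to newest.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                findings[src] = sorted(users)
                break
    return findings


def successes_from_flagged_sources(log_text, findings):
    """Accounts that logged in successfully from a flagged source: the first
    ones to examine (and reset) after a spray is confirmed."""
    return sorted({e["user"] for e in parse_log(log_text)
                   if e["src"] in findings and e["result"] == "SUCCESS"})


if __name__ == "__main__":
    hits = detect_spray(SAMPLE_LOG)
    print("spray sources:", hits)
    print("accounts to review:", successes_from_flagged_sources(SAMPLE_LOG, hits))
```

The distinguishing signal is distinct accounts per source rather than attempts per account, which is why the single user retrying their own password is not flagged while the source touching five accounts is; an account that then succeeds from a flagged source is the one whose credentials were very likely among the leaked set.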
The Attacker’s Perspective
Hackers see the potential in an organization beyond the obvious. Criminals see the path to financial gain. The beauty of the internet is that setting scripts to simply look for vulnerabilities to exploit does not require 1) a hoodie, 2) a green screen, or 3) furiously typing away. While some certainly are targeted, most are a case of point and click.
The unfunny part is that some organizations don’t even realize they have been hit, because it isn’t obvious. Perhaps there is more value in residing on the target network and collecting data for exfiltration. Perhaps it’s a good pivot point. Or maybe it just makes for a good bot to conduct other attacks while lessening attribution. My point is, there’s more to your organizational value than the dollars or products it generates. If your organization has high connectivity to others, that’s where the value will reside to a knowledgeable criminal hacker.
As organizations, we need to think of ourselves beyond income generation and objectively consider our placement in the market ecosystem. Having that perspective can enable us to defend and protect ourselves smarter, not harder.