By: Kevin Thomas
Contextual Security Solutions | October 5, 2017 @ 10:55
I like military history. I don’t know a great deal about it, but I like it. A few months ago, I was preparing for a talk I was going to give at our local BSides conference and stumbled upon the Wikipedia entry on the Maginot Line (I think I was trying to identify military examples of a false sense of security). The Maginot Line, named after the Minister of Defense André Maginot, was a line of fortifications built by France in the 1930s along its borders with Switzerland, Germany and Luxembourg. It was constructed primarily in response to the damage France suffered at the hands of Germany in World War I. To be more specific, France wanted a line of defense to prevent Germany from crossing its border and invading again. Undoubtedly this was an expensive endeavor, as the defensive wall included concrete fortifications, obstacles and weapon installations. It was apparently impervious to most forms of attack and also included some nice amenities for the troops stationed there.
Maginot Line – France
This colossal undertaking took roughly 10 years to complete with costs hovering around 3 billion francs. My attempt to convert 3 billion French francs in 1930 to what it would cost in today’s dollars resulted in the following (via the portal for Historical Statistics):
“3,000,000,000 French franc [1795-1960] in year 1930 could buy the same amount of consumer goods and services in Sweden as $1,535,535,881 US dollar’s [1791-2015] could buy in Sweden in year 2015. This comparison should be used if the purpose of the analysis is to compare absolute worth over time rather than relative worth.”
In other words, it was pretty expensive. The Maginot Line, despite all of its defensive innovation, was a failure. This was mainly because the line, although strong along the border with Germany (the enemy), was very weak along the border with Belgium (France didn’t want to offend a neutral country). This gap is where the Germans attacked, and, well, the rest is history.
So why am I talking about the Maginot Line on an infosec blog? Because most organizations have their own Maginot Line, and just like the French, they may not realize it until it’s too late. Although companies have continued to increase their spending on information security (estimated to be 90 billion worldwide in 2017 per this Gartner press release from March 2017), reports of high-profile breaches are still rolling in on a regular basis. Just in the last week, as I was writing this blog entry, Equifax, Sonic Drive-In and Whole Foods have all announced internal investigations regarding possible breaches.
Records Breached as of 10/5/2017 per Privacyrights.org
Despite this increased spending, there are key areas where much more can be done to help organizations identify their Maginot Lines so that the necessary improvements and changes can be made. This will seem fairly self-serving, but organizations need to perform security-related audits on a more frequent basis. Gone should be the days when a company tests its security once every one, two or three years. These snapshots in time may help check a compliance box, but they do very little to help organizations stay abreast of and improve their security posture over time. Why is this? Change is happening at a rapid pace. There is extreme pressure on I.T. to get the next great application or application feature set out. The mergers and acquisitions boom is still going strong, which can significantly impact a security team’s ability to maintain the status quo of the existing infrastructure while integrating newly acquired systems and technologies. Organizations are moving more and more of their key applications and critical data to cloud infrastructure over which they have little to no control. Lastly, the compliance landscape continues to evolve, which can pull resources from all of I.T., including security-focused teams (“teams” being a bit of a misnomer, as few organizations designate more than one or two employees to this critical role). All the while, and further compounding each of the points above, threat actors are constantly mutating and refining their techniques and attack strategies (what I refer to as “Threat Actor Agility”).
Now more than ever, organizations need a current and accurate view of their security posture and the effectiveness of their security controls at all times. A key way to gain this visibility is through routine and consistent security audits. Examples include, but are not limited to, the following:
- Penetration Testing
- Vulnerability Assessments
- Security Awareness Assessments
- Web Application Assessments
- Code Reviews
- Incident Response Plan Assessments
- Risk Assessments
- User Access Audits
- Service Provider Assessments (Think of them as Belgium 😉 )
Over the next few months, we at Contextual Security Solutions will be shedding light through our blog on each of these audit activities: benefits, gaps (yes, gaps), recommended frequency of execution, and compliance mapping. All of these activities can be performed by qualified internal personnel, but in most cases they are conducted using a combination of internal resources and external firms that specialize in these services.
Most, if not all, organizations have a Maginot Line. Knowing your Maginot Line is important. It allows you to better allocate your existing security-related resources (people, processes, technologies and environments) and to make informed decisions on additional security-related expenditures (headcount, products, solutions, etc.). Due diligence also demands that you know your Maginot Line, especially if your organization handles any type of sensitive data: protected health information, credit cards, financial data, consumer information (think Equifax). Ultimately, you need to know for your customers.
Do you know what your Maginot Line is?
In conjunction with our illumino™ Security Program Management platform, Contextual Security Solutions, a Qualified Security Assessor Company (QSAC), can assist your organization in building a security program without breaking the bank. If you have questions regarding the content of this blog or are simply looking for an additional resource on building/updating your information security management program, please contact us directly at firstname.lastname@example.org.