Network complexity makes it hard to protect the low-hanging fruit, says Just Eat CISO
Multiple points of entry, third party contractors, external code and virtualisation make protecting a modern network a difficult task
For a cyber criminal, 'low-hanging fruit' is all of the information that a business stores without adequate protection. While this is normally limited to non-critical data, sensitive information like customer lists can sometimes go unprotected, too - and that's good news for hackers, to whom this fruit is also their bread and butter.
Food analogies aside, it's a fact that the least guarded targets in an organisation's network are often those most targeted by attackers. On the face of it, the problem is easy to solve by investing in more security - but Kevin Fielder, CISO of Just Eat, says that the solution is rarely that easy.
"We call that 'doing the basics' - but just because they're basic doesn't necessarily make them easy. There's a difference between 'What are security basics, what is security hygiene?' and how easy it is to do that."
Protection certainly is easier said than done, especially on a modern network. One major reason is complexity: the more complicated a system, the more difficult it is to secure. It's the difference between fighting an attack off from a castle with high walls and a portcullis and trying to defend a house with multiple doors and windows (as anyone who's ever played PUBG or Fortnite can attest).
Today's systems, especially if they're virtualised, are extremely complex, with many points of entry, stakeholders and code. Even worse, outsourcing is common, so the security team is often not in charge of the entire network, which makes recovery slow.
"If you're in a typical company now, you've got things potentially on-premise, in multiple SaaS cloud providers, probably several IaaS cloud providers as well; global office locations, people working from home, people in seamless working environments, developers who work for you, developers who work offshore, code developed for you by other people, third parties who need to use the intranet…
"[These] environments may sound simple, but are actually very very complex. Then you've got the fact that you need to balance security with uptime and reliability and everything else."
Of course you can forcibly patch your systems regularly - you can even do it relatively easily if using a cloud network - but that risks breakages if something in that patch isn't optimised. Fielder said:
"You have to make those priority calls of, 'Do we take a risk of a breach versus the risk of the site being down?' There's always a bunch of tradeoffs, and a lot more complexity than people think."
There are solutions, including network segmentation, automation and making your data look difficult to access (most hackers are opportunists looking for easy targets), but in the end, there is no easy answer to the problem of low-hanging fruit: if there was, it wouldn't exist.