The Cyber Maginot Line
- DanielPWaters
- Oct 12, 2020
Don't put your faith entirely in layers of technology.

A Maginot Line fortification pictured above.
After World War 1, the French built the now famous Maginot Line. It was a series of elaborate fortifications designed to stop and overwhelm any incursion across the eastern border. Aside from the practical benefit of the line, it also had a certain 'psychological value'. To quote many historians and observers of this period, there was 'a lot of faith put in concrete'.
When World War 2 broke out, the Germans simply went around it. The Ardennes forest, adjacent to the north, was thought to be impenetrable, and it was firmly assumed that no force could make its way through that terrain. As history tells us, this is not what happened at all.
We can learn tremendous amounts from military history that can be applied to cyber security. A key universal theme that can be derived is the value of strategy and tactics over sheer force of arms. To modernize this theme: you cannot win the war by simply throwing dollars alone into your cyber program, and, as with the Maginot Line, you certainly cannot achieve optimal security by applying endless layers of technology alone. There needs to be balance. Let's explore two examples applied to cyber.
Example 1
A major financial institution in recent times was breached and troves of data stolen, implicating clients. They had overlooked the risk of non-production systems, and attackers were able to exploit an MFA configuration inconsistency to gain access to non-production data. Although the data was sitting in non-production (and was apparently lower risk), it had been moved from production with inadequate processes to ensure the data had been cleaned. Therefore the breach might as well have been from production; it really made no difference.
Example 2
A major global entity was suffering from a visibility crisis into their overall IT estate risk. Certain geographies were very strong in cyber risk management, and that overconfidence had spilled into overlooking inconsistencies with other geographies, or not looking hard enough (trust but verify). The result was similar to example 1: the weak point was used as a staging point for a larger cyber event, with global implications for that entity.
Both of these examples have similarities to the Maginot Line and subsequent fallout.

Assumptions can lead to catastrophe.
Takeaways
a) For hostile cyber actors, the rule of time/gain ROI applies. They are going to target weaknesses over strengths. If you have spent more time bolstering your strengths in perpetuity than identifying and improving weaknesses, you are exposing and essentially promoting risk.
b) Technology alone cannot keep you secure. You must ensure the technologies support your cyber strategy, reinforced by other focus points such as, but not limited to, people/process/governance, culture and awareness, training and education, and whole-of-enterprise commitment. To get specific, multi-cloud trends are heavily influencing identity sprawl, causing governance chaos and an abundance of related non-compliance.
c) To solve any problem, first the problem must be identified. By having an over-eager tooling mindset you are introducing human-level bias into the cyber risk profile of your organization. Without transparency and visibility into your estate and a spirit of teamwork and collaboration, bias-oriented shortcomings will materialize into risk, and pockets of poor visibility will simply not be addressed.
d) Always endeavor to ask the right questions. A closed culture will not foster this, and heavily weighted vendor relationships will skew outcomes in ways that may fuel additional cyber risks, both directly and indirectly. Ensure your vendors are compliant and suited to your culture of transparency. The organizations with the strongest and most mature cyber programs have this in common as a matter of historical fact.
e) Beware of your flanks and ask key questions in perpetuity. Where are the exposure points? Are my assumptions accurate, and should I challenge those assumptions? Have I embraced defense in depth? Should I spend fewer resources on technology and more on strengthening fundamentals that achieve higher cyber risk ROI?

Part of the Maginot Line fortifications.