
Advanced Persistent Security
A Cyberwarfare Approach to Implementing Adaptive Enterprise Protection, Detection, and Reaction Strategies
- 260 pages
- English
About this book
Advanced Persistent Security covers secure network design and implementation, including authentication, authorization, data and access integrity, network monitoring, and risk assessment. Using such recent high-profile cases as Target, Sony, and Home Depot, the book explores information security risks, identifies the common threats organizations face, and presents tactics on how to prioritize the right countermeasures.
The book discusses concepts such as malignant versus malicious threats, adversary mentality, motivation, the economics of cybercrime, the criminal infrastructure, dark webs, and the criminals organizations currently face.
- Contains practical and cost-effective recommendations for proactive and reactive protective measures
- Teaches users how to establish a viable threat intelligence program
- Focuses on how social networks present a double-edged sword against security programs
Advanced Persistent Security by Ira Winkler and Araceli Treu Gomes is available in PDF and/or ePUB format, catalogued under Computer Science & Cyber Security.
Chapter 1
What Is Advanced Persistent Security?
Abstract
The Sony hack is iconic in many ways. The attack devastated the organization, yet many chief information security officers (CISOs) defend Sony saying that the attack was inevitable. We, however, believe that although the attackers inevitably might have been able to gain access, it does not mean that the damage was inevitable.
Protection might inevitably fail, but if that failure can be detected and then the appropriate reaction implemented, the security program will not fail. Security is a program of combined protection, detection, and reaction. Although we do advocate Defense in Depth, it does need to be combined with the detection and reaction strategies.
Keywords
Advanced persistent threat; Detection; Protection; Reaction; Sony; Snowden
We recently spoke at a major security conference, where there was a keynote panel talking about the infamous Sony hack and what it meant for the future of security. The panel was moderated by former presidential cybersecurity advisor Howard Schmidt, and the panelists included chief security officers of some of the top entertainment companies in the world. During the panel discussion, one of the panelists stated that the Sony hack was essentially unpreventable.
The author, Ira Winkler, challenged the panelist during the question and answer session. Ira stated that the Sony hack resulted from exploiting a variety of vulnerabilities that should not have existed. Specifically, there was no multifactor authentication in place on critical systems, there was improper network segmentation, there was insufficient antimalware software in place, and several other elements of what would be considered basic cyber hygiene were missing.
The panelist then replied that although he agreed that the attack should have been prevented, he meant to imply that eventually a knowledgeable insider or a dedicated nation-state, such as North Korea, would have been able to bypass otherwise sufficient security in place.
Although Ira was tempted to continue arguing with the panelist, it was not his session to hijack. However, from our perspective, with a proper security program in place, in other words, one that employs the Advanced Persistent Security principles, it is possible that the attack could have been stopped completely. There is, however, no such thing as perfect security, so it is possible that the North Korean attackers would have eventually found some attack path into Sony.
However, even if they found a successful path into Sony, the resulting damage could have been significantly contained with a proper security program in place. For example, if better network monitoring and intrusion detection had been in place, the attack would have been detected earlier in the intrusion; malware could have been prevented from being installed on as many systems; and email systems and file servers might not have been compromised at all. Perhaps only one movie would have been stolen.
It also appears that Sony ignored what we would describe as threat intelligence. According to a Fortune magazine article that detailed the Sony attack, Sony was warned on multiple occasions that North Korea would consider retaliating for their distribution of the movie, The Interview. The threat intelligence gave Sony an indication on where they should have beefed up security countermeasures.
The Sony hack demonstrated a complete breakdown, or arguably an absence, of an effective security program.
Although you can categorize a security program in many ways, a comprehensive security program takes into account protection, detection, and reaction. Failing to effectively incorporate all these elements into a security program will result in failure.
Protection
Clearly, protection must be robust, but it will never be perfect. Frankly, it cannot be perfect. Although you do need to protect information, computer systems, and everything else under your charge, you need to actually make them vulnerable to be useful.
For example, you cannot have a webserver that you remove from the Internet. You cannot refuse to grant users access to computer systems or information, because users are the greatest source of security failings. Although security needs to be integrated into business functions, it is secondary to business functions.
This will be discussed later, but security programs are doomed to fail by definition. The actual definition of security is freedom from risk. You can never be free from risk, and that is OK. No element in life is free from risk. As the saying goes, a ship in port is safe, but that is not what it is meant to do. Likewise, your information and computer systems were not meant to be safe, but were meant to provide a service. The services expose them to interactions with other forces.
At the same time, we would also add that a ship in port is not perfectly safe. For example, the ships at Pearl Harbor were supposedly safe in port on December 7, 1941, until they were attacked. When a hurricane is predicted for a port, the ships are sent out to the sea, so that they will not be subjected to traumatic conditions that might slam the ships into the piers. There is even the possibility of a ship in otherwise safe conditions being boarded and robbed, so there is no such thing as freedom from risk, even with a ship docked in port. There is clearly less risk, but not security.
We frequently challenge people to describe perfect computer security. Someone will eventually say, “Turn the computer off,” or something similar. However, in the first place, a computer that is turned off is useless. So in trying to provide security, a denial of service attack was created. After we point that out to people, we then ask how many computers were potentially sitting in the World Trade Center and Pentagon on September 11, 2001? How many computers are destroyed in fires? How many computers suffer accidental water damage? How many laptop computers, which are turned off, are lost or stolen every year? So even a computer that cannot be theoretically hacked is still exposed to potential loss. Clearly the risk is lower, as the 9/11 style attacks are thankfully extremely rare. However, even this lower risk of hacking is accomplished by compromising the actual purpose of the computer itself; this is unacceptable.
So in this chapter, we are stating that perfect security is unattainable. The only people who will ever offer you perfect security are fools or liars. If any book tells you that by implementing the material in the book, you will achieve security, put the book down and walk away.
Before going on, though, this does not excuse putting insufficient protection mechanisms in place. Risk reduction means that all reasonable and cost-effective countermeasures should be implemented. You cannot throw up your hands and proclaim that your security program will fail, so you might as well give up in advance. You need to have a comprehensive and effective protection program in place. To the best of your ability and within reason, you want to stop incidents from happening in the first place. The problem that we see with most security programs is that they do not stop even basic attacks, and basic attacks can create massive losses as easily as the most sophisticated attacks.
Detection
This is why detection is as important as, if not more important than, protection: there will always be a failure. That is a given. However, a failure in protection does not have to result in an actual loss. A successful attack (defined here as an attack that made it past the security countermeasures in place, so that the attacker now has potential access to a network, information, computer, or other assets you intend to protect) does not necessarily mean that there will be a loss.
For example, if an attacker gains access to a network, it does not mean that he or she will end up compromising information. If some form of intrusion detection system detects the attacker, a reaction can occur to kick him or her off the network before information is compromised, or at least a complete compromise of information can be stopped.
With the Edward Snowden case, although Snowden was a systems administrator at the National Security Agency (NSA), and arguably he was a de facto part of the NSA network security program that failed, there were many chances to detect his crimes before the bulk of the data thefts were accomplished. Arguably, if his actions were detected early enough, he could have been arrested before providing the information to reporters and other parties.
Examples of missed detection opportunities with Snowden include the fact that he downloaded data for several years. He accessed systems that he had no reason to access. He asked coworkers for their passwords. The background check performed on Snowden was apparently grossly lacking and missed past actions, as well as other indications that meant he should not have received a clearance. He might have been arrested for a variety of activities related to his previous employment at the CIA, and at a previous NSA contractor. The NSA officials actually stated that misuse and abuse detection was rolled out throughout NSA, but not to the Pacific theater, where Snowden worked.
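As an added example that is not from the book, the first three indicators above (borrowed coworker passwords, access to systems with no business need, and downloads sustained over a long period) are written below as simple detection rules run over constructed access-log events; the log fields, account names, workstation assignments and role baselines are all assumptions.

```python
"""Detection rules for the insider indicators listed above, run over
constructed access-log events (example code, not from the book)."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    day: int        # day index within the log window
    user: str       # account that authenticated
    host: str       # workstation the session came from
    system: str     # system or share accessed
    bytes_out: int  # bytes downloaded in the session

# Constructed baseline: the workstation issued to each account and the
# systems each account has a business need for. All values are made up.
HOME_HOST = {"alice": "ws-alice", "bob": "ws-bob", "eve": "ws-eve"}
ALLOWED = {"alice": {"ticketing"}, "bob": {"ticketing", "hr-share"},
           "eve": {"ticketing"}}

def shared_credential_use(events):
    """Account used from a workstation issued to someone else: the
    'asked coworkers for their passwords' indicator."""
    return [(e.day, e.user, e.host) for e in events
            if HOME_HOST.get(e.user) not in (None, e.host)]

def out_of_role_access(events):
    """Access to a system the account has no business reason to touch."""
    return [(e.day, e.user, e.system) for e in events
            if e.system not in ALLOWED.get(e.user, set())]

def sustained_exfil(events, per_day_limit, min_days):
    """Hosts whose daily download volume exceeds per_day_limit on at least
    min_days distinct days: low-and-slow collection, keyed by host so that
    rotating through borrowed accounts does not reset the count."""
    per_day = defaultdict(int)
    for e in events:
        per_day[(e.host, e.day)] += e.bytes_out
    days_over = defaultdict(set)
    for (host, day), total in per_day.items():
        if total > per_day_limit:
            days_over[host].add(day)
    return sorted(h for h, d in days_over.items() if len(d) >= min_days)

# Constructed sample: 'eve' uses bob's credentials from her own workstation
# to reach the HR share and pulls data from it on several days.
SAMPLE = [
    Event(1, "alice", "ws-alice", "ticketing", 2_000),
    Event(1, "bob", "ws-bob", "hr-share", 50_000),
    Event(2, "bob", "ws-eve", "hr-share", 900_000),
    Event(3, "bob", "ws-eve", "hr-share", 950_000),
    Event(4, "eve", "ws-eve", "hr-share", 700_000),
    Event(5, "eve", "ws-eve", "ticketing", 1_000),
]
```

Each rule on its own produces a low-confidence alert; the point of the chapter is that the same workstation tripping all three over consecutive days is exactly the signal that was available and went unacted upon.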
With the Sony hack, better network monitoring tools, actually any network monitoring tool, would have likely detected the malicious traffic going across the network. Although we will discuss the importance of reaction later, it is already clear that with detection, reaction can then occur.
Besides monitoring network activity, Sony should have been able to detect the movies being downloaded from their systems. They should have detected the access to their email servers and file servers, as well as the downloading of critical information. Although the details have not been made fully public, when you consider the damage and the available security tools, among other things, it is clear that there were dozens, if not hundreds, of missed opportunities to detect the North Korean attack before significant damage was perpetrated.
It can be argued that Sony should have had all the detection mechanisms, even applying the available threat intelligence, which actually would have told Sony that they need to be on the alert for a certain type of malware. Detecting that malware on the system proactively would have allowed Sony to remove it before their infrastructure was destroyed. This is one detection mechanism that could have been put in place.
Clearly, though, Sony is expected to be under regular attack from a variety of malicious parties. Although North Korea was the source of a devastating attack, it is very likely that other parties were and are attacking Sony on an ongoing basis. For this reason, detection should be as robust as reasonably possible, and not deficient on so many fronts.
When you look at most of the attacks that have been proclaimed “sophisticated” by the victims or the consultants whom they pay to speak for them, you see insufficient protection combined with insufficient detection capabilities. In this chapter, to this point, we have just touched upon two of the most notable case studies: the Sony hack and the Snowden crimes. Despite the media, the victims, and even other security professionals who do not consider the details trying to hide behind a supposed “sophisticated attacker,” it is clear that the actual skill of the attackers is irrelevant.
The damage caused by North Korea was more because of poor protection and detection than because of the potential skills of the North Korean hackers. Likewise with Snowden, although the media loves to portray him as a computer genius, there is no indication of any exceptional skills on his part. Despite the fact that his victim was the NSA, whom anyone would assume to have the strongest security program in the world, there were clearly gross failings at many levels in their internal security posture.
Ira worked at the NSA, and he attests to the fact that the security measures that the NSA relies on the most are its background checks and its people. The NSA relies not only on the background checks and the choice of personnel whom it allows access to data as a form of protection, but also on the personnel to detect suspicious behavior on the part of coworkers as a form of detection.
Edward Snowden was a contractor, so he did not have to go through a full-scope polygraph test to obtain an NSA clearance. Snowden resigned from the CIA in 2009, before being scheduled for an expected polygraph examination, which is standard for employees and would have questioned him about counterintelligence-related activities and tendencies. So it can be argued that the NSA security policies that do not require contractors to go through the same level of security screening as the actual NSA employees enabled Snowden's actions.
Thus it is clear that the contractor who was supposed to perform Snowden's background investigation failed to contact the CIA, where it was reportedly noted on Snowden's personnel file that he was suspected of attempting to break into systems to which he was not granted access.
Despite that, Snowden left clear signs to his coworkers, the most obvious of which was asking other people for their passwords, so he could comb through the NSA systems that he would otherwise not have access to, as well as conceal his identity by browsing the network as other people.
Again, there were a wide variety of failings with Snowden as much as Sony.
Reaction
Clearly reaction cannot occur without detection; however, it is still a distinct task. There are way too many cases where organizations detect harmful actions, but fail to take the appropriate, if any, actions in response. Reaction can take many forms, which can vary greatly.
It might be a legitimate reaction to do nothing. When you have an attack that appears trivial, and involves a basic scan, you just might want to note that a scan is taking place and perhaps use it as an indicator to be on the alert for potential other attacks and scans that might be more focused. This would be reasonable give...
Table of contents
- Cover image
- Title page
- Table of Contents
- Copyright
- Dedication
- About the Authors
- Introduction
- Chapter 1. What Is Advanced Persistent Security?
- Section 1. Concepts/Foundation
- Section 2. Protection
- Section 3. Detection
- Section 4. Reaction
- Section 5. Implementation
- Index