Posted by Synopsys Editorial Team on February 5, 2015
Too many firms treat software security as a “tower defense” game: when they lose to the attackers, they try to figure out how those attackers “got in” (often hiring a firm like Mandiant) and then they try to build their IT “walls” better. It is tempting to let the bad guy throw rocks at that tower all day long. Then, when the attacker “wins,” we simply redirect some resources to building the walls a bit higher and better and then we go back to letting attackers throw rocks again.
If we take the Wikipedia article on Tower Defense games and look at the description, it becomes eerily prescient with respect to some firms’ security posture. A few choice word replacements make this suddenly sound exactly like what’s happening.
~~Tower defense games~~ Information security systems are characterised by the positioning of ~~static units~~ security controls by the ~~player~~ information security department to defend against ~~mobile enemy units~~ malicious attackers who are trying to get from a start point “outside the network” to an end point “inside the network”. There is a set number of ~~enemy units~~ well-known attack patterns (or ~~‘damage’~~ vulnerabilities the player can take from units reaching the end point) ~~who~~ that can reach the ~~end point~~ valuable data before ~~the level~~ it is lost. Some ~~games~~ firms use a ~~static route~~ threat model ~~that the enemy units follow around~~ which the player places their ~~towers~~ security controls, while others ~~favour a free-form environment~~ use architectural risk analysis ~~that allows the user~~ to define the path the ~~enemy units~~ attacks take. Some ~~games~~ firms use a mixture of both. Most ~~games~~ vendors ~~allow the upgrading of the player’s~~ sell different kinds of towers.
Often an essential strategy is ~~“mazing”~~ defense in depth, which is the tactic of creating a long, winding path of ~~towers~~ security controls to lengthen the distance the enemies must traverse to get past the defense. Sometimes a “~~juggling~~ honeypot” is possible ~~by alternating between barricading an exit on one side and then the other side~~ to cause the enemies to ~~path back and forth~~ attack decoy systems safely until they are ~~defeated~~ detected. Some ~~games~~ vendors also allow ~~players~~ firms to ~~modify the attack strategy used by~~ hire ~~towers~~ staff by the hour to be able to defend for an even more reasonable price.
The degree of the ~~player’s~~ firm’s control (or lack thereof) in such ~~games~~ attacks also varies from ~~games~~ attacks where the ~~player~~ firm actively manages security controls a unit within the game world, to games where the ~~player~~ firm has no direct security controls ~~units~~ at all.
It is a common theme in ~~tower defense games~~ software security to have ~~air units~~ penetration tests which do not pass through the layout of the maze, but rather ~~fly over~~ test the ~~towers~~ security controls directly ~~to~~ at the end destination.
~~tower defense games~~ firms ~~or custom maps~~ also ~~require the player to~~ send out ~~enemies~~ attacks to their opponents’ ~~game boards~~ legal entities respectively their controlled areas at a common game board. Such ~~games~~ activities are also known as ~~tower wars games~~ cyberwar.
Software security is not a tower defense game. Firms cannot sit back, let the attacker attack, and then deploy clean-up and forensic resources after the fact, nor can they just tick the compliance boxes. Attackers don’t care about PCI, HIPAA, or any other compliance standard. In fact, organizations doing only compliance activities and nothing else give attackers insight into what the existing security controls are and ideas about where to target their attacks. Building software securely at the beginning and ensuring security across the life cycle of the software is the way to minimize the amount of tower defense a firm has to play.