Historically, security has revolved around prevention. Ensure your servers are patched, make certain your web application doesn’t have SQL Injection, and you can feel confident that you have done your best. Furthermore, preventing users from deviating outside the strict rules you have set them gives the impression that what happens in your environment is controlled.
However, reports in the press of people who followed this approach being subject to serious compromise highlight that it is largely ineffective in protecting the organizations who adopt it. Many more stories, which don’t make the news, re-enforce this view and further suggest that prevention alone does not work against all but the most unskilled attackers.When protecting yourself against a determined attacker, trying to prevent all vulnerabilities just doesn’t work. Companies that have a patch management system, full-time security staff and “take security seriously” are still being compromised – why?In theory, preventing all vulnerabilities would be an effective strategy. However, vulnerabilities that could compromise your data can exist anywhere in your organization. Amongst many others this includes your staff being socially engineered, it encompasses that legacy development server that is still running and that legacy application you aren’t able to turn off just yet (despite the fact that security updates stopped being available for it five years ago). In practice, preventing all vulnerabilities just isn’t feasible in anything but the smallest of organizations. Even then, we can only protect against known vulnerabilities. So why do our behaviours continue to re-enforce the attitude that they can be. Instead, let’s assume you can be compromised…. Detecting attacks
