If you know your enemies and know yourself, you will not be put at risk even in a hundred battles.
Sun Tzu, The Art of War
The Principle: Identify and account for all relevant systems, actors, and risks in the environment.
Key Question: Am I covering all of my bases?
Related Concepts: Complete Mediation, End-to-end Encryption, Reconnaissance, Inventory, Threat Modeling
The Principle of Comprehensivity is how we create a home-court advantage in an attacker-friendly world: it is where we outclass attackers by knowing our environment front to back, and where we preempt attackers with comprehensive security strategies rather than tunnel-visioning on only the hot-button areas.
Too often, organizations focus on protection without ever stepping back and asking what is to be protected, how it can be reached, or who the potential attackers are. Whereas on the other side, attackers can learn a great deal about the defender’s environment with only a small investment in reconnaissance. Because a single vulnerability might be all that’s needed to take down an entire system, the attacker is sure to find a way to extract maximum value for minimum effort. When defenders aren’t well-informed about the workings of their systems or about the threats they are likely to face, or when leadership makes decisions without any input on security risks, security gaps are bound to arise, with attackers waiting, ready to pounce. Although it is challenging (if not impossible) to anticipate every vulnerability and preempt every attack, Comprehensivity creates the mindset that will keep defenders one step ahead.
The advantages Comprehensivity offers are not automatic; they require active implementation. Examples include, but are not limited to, the following:
Create and maintain accurate asset inventories, network maps, and data flow diagrams for the systems you are tasked with defending. You can’t defend something when you don’t even know what that something is.
Work to limit weak links in critical data flows. If data is valuable, every system and user account with access to that data must be secured at least as well as that data. Attackers will go for the weakest links.
Use end-to-end encryption for data transit and full-disk encryption for data storage to provide more comprehensive security in your cryptosystems. Noncomprehensive strategies, such as using key escrow for third-party access or Man-in-the-Middle for analytics, undermine the security of the system as a whole and create juicy new points of attack.
Learn about your attackers to help target defenses and prioritize resources. To again quote Sun Tsu, it is as important to “know thy enemy” as it is to “know thyself.” General information can be found in many places (CVE disclosures, the various Verizon and Akamai state-of-security type publications, and more), but for a truly tailored view, mine your own monitoring to find out what attacks your organization is actually experiencing. Don’t just look at what gets through: failed attempts can be most informative.
Doing Comprehensivity on a day-to-day level boils down to asking yourself two questions: “Am I thinking of everything?” and “Am I accounting for all the risks?” Piece of cake, right? Unfortunately, both are needed for effective security. You can’t fix what you don’t know about; and knowing about something and not taking action is tantamount to negligence. Additionally, because new vulnerabilities are always coming down the pipeline, Comprehensivity requires vigilance, diligence, and proactivity.
But the devil is in the details, and information security can have a lot of details. The chances are good that you are charged with protecting a sprawling mess of other people’s software, hardware, processes, and personnel, over which you have limited or no control. Just keeping track of everything you have to protect can be daunting. How recently were they updated? How secure is their supply chain? Are their processes actually being utilized? What new vulnerability is coming down the pipeline? Comprehensivity requires you keep a running catalog of all possible points of attack, and create plans to protect them.
Indeed, this highlights two Comprehensivity trouble spots: third parties and time. Vulnerabilities arising from third parties, although challenging both to identify and account for, are still critical for the security of your system. If you are running someone else’s code, or rely on someone else’s processes, they are your problem, too. Meanwhile, time is a frequent source of security oversights because vulnerabilities often stem from decisions made far in the past, and current decisions need to consider vulnerabilities that might arise in the future. If you are developing new deployed products, will you be able to patch them? If you have machines running legacy code, will you be able to handle a new vulnerability that comes down the pipeline?
Ultimately, Comprehensivity is more about mindset than absolute requirements. The goal of Comprehensivity is to teach you to always be thinking about the unknown vulnerability, the unprotected system, or the unconventional mode of attack. It’s about stepping away from the gritty details to try to get a big-picture view of your systems, your adversaries, and your environment so that you can see threats on the horizon and in your periphery. This bigger-picture perspective gives you the ability to build systems and strategies that truly defend against the threats faced.
Finally, Comprehensivity requires you to develop strategies that account for the risks you identify. Although “account” does not mean that each risk needs a specific countermeasure, it does require that protections are applied in a comprehensive manner. This might mean that you need to accept some risks or address multiple risks with a security strategy. However, what Comprehensivity does not condone is the development of security blind spots. And as will often be the case, truly comprehensive protections will often be necessary to adequately account for the risks you are facing.
Comprehensivity is particularly important to understand in combination with Proportionality and Opportunity. Proportionality restrains Comprehensivity’s overwhelming scope by considering competing interests, setting priorities, and acknowledging reality. Comprehensivity sets the ideal, while Proportionality makes it doable. Similarly, Opportunity helps you work toward Comprehensivity by looking to outside sources for support, information, and resources. Keeping up with all of the potential threats you might face can be exhausting, but Opportunity helps you find ways to share the load.
Comprehensivity is the principle of knowing your own systems, knowing your environment, and knowing your enemies.
Comprehensivity teaches that noncomprehensive security can allow for individual vulnerabilities and oversights to undermine the rest of your defenses.
Comprehensivity applies to both space and time.
Comprehensivity is particularly challenging when trying to secure third parties.