I hate to admit it, but they are.
Security technology is still stuck somewhere around 1997 – stateful packet inspection firewalls and frottabytes of logs that no-one can get meaningful data out of.
OK, there are some steps in the right direction. Palo Alto Networks have a firewall that almost understands the concept of a user. Cisco have tried to implement network admission control but haven’t really made it work yet. Actiance (formerly FaceTime) actually understand the concept of a web application and that not all port 80/443 traffic is equal. SIEM platforms are fantastic at opening the firehose of log data, but I’ve not seen one that actually has enough intelligence to tell you when you have a problem. And the same for DLP and Web Application Firewalls. Nothing newer, easier to use and less intrusive has come along to identify a user since the password or OTP token.
And we, as security professionals, are expected to maintain this ever growing “tower of Babel” of different technologies whilst somehow finding time to be security consultants to a business that just wants to not think about security (however important the CEO says it is).
We don’t help ourselves, either. The rest of the IT industry is charging towards de-perimeterized networks, cloud computing, and consumerization and we’re busily wittering on about the latest security standard du jour rather than actually developing new technologies to protect the businesses we claim to serve. I’ve read exactly two security standards in fifteen years that actually offer any real value: PCI DSS and the new ISSA SME security standard (and that’s guilty of being the only security standard that’s too short!)
We need a serious shake up. We need ways to automatically provision tiered network access based on host assessment policies. We need something that combines the best of breed WAF, DLP, application filtering intelligence with powerful, user aware firewall policies into a log analysis platform that can give me alerts like “Fred Smith attempted to download a list of 1,245 credit cards to his non-company iPad at 14:32, and here’s the ZIP archive of all the evidence”. Not “PCI policy violation for client 10.2.3.4” somewhere in a gazillion other messages.
I want the system to tell me “hey, this new server on the network has a SQL database full of credit card numbers. Do you want to move it to the PCI zone and encrypt the PANs in the database (Yes/No)?”
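The two alerts above differ only in enrichment: the raw event already knows the client IP, the rule and the time; what turns it into “Fred Smith, 1,245 cards, non-company iPad” is a join against the directory and device inventory, plus actually counting the card numbers in the file. The same detector run over a table export is the “this server has a database full of PANs” check. Below is an added example of that join, not code from the original post. The event, the IP-to-user mapping, the device inventory and the exported file are all constructed sample data; the Luhn check is the standard one, and the regex is deliberately loose so that the Luhn test, not the pattern, decides what counts as a card.

```python
import re
from datetime import datetime

# Constructed sample data: a raw DLP/firewall event keyed only by client IP,
# plus the directory and device-inventory lookups needed to enrich it.
RAW_EVENT = {
    "ts": "2010-03-02T14:32:07",
    "rule": "PCI policy violation",
    "client_ip": "10.2.3.4",
    "action": "download",
    "filename": "export.csv",
}
IP_TO_USER = {"10.2.3.4": "fred.smith"}            # assumed DHCP lease / directory data
USER_DISPLAY = {"fred.smith": "Fred Smith"}
DEVICE_INVENTORY = {"10.2.3.4": {"type": "iPad", "managed": False}}  # assumed MDM data

# Constructed file content: three distinct valid PANs (one repeated with
# spaces), one Luhn-invalid 16-digit string and ordinary noise.
SAMPLE_EXPORT = """id,name,card
1,alice,4111111111111111
2,bob,5500000000000004
3,carol,340000000000009
4,alice,4111 1111 1111 1111
5,dave,1234567890123456
6,erin,phone 020 7946 0000
"""

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_pans(text):
    """Count distinct Luhn-valid card numbers in a blob of text."""
    found = set()
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add(digits)
    return len(found)


def build_alert(event, content, ip_to_user=IP_TO_USER,
                display=USER_DISPLAY, inventory=DEVICE_INVENTORY):
    """Turn an IP-keyed policy event into a user- and device-aware alert.

    Returns None when the event cannot be attributed to a user or the
    payload holds no card numbers, so it stays a low-priority raw log line.
    """
    user = ip_to_user.get(event["client_ip"])
    pans = count_pans(content)
    if user is None or pans == 0:
        return None
    device = inventory.get(event["client_ip"], {})
    managed = device.get("managed", False)
    when = datetime.fromisoformat(event["ts"]).strftime("%H:%M")
    summary = (
        f"{display.get(user, user)} attempted to {event['action']} a list of "
        f"{pans:,} credit cards to a {'company' if managed else 'non-company'} "
        f"{device.get('type', 'device')} at {when}"
    )
    return {
        "severity": "medium" if managed else "high",
        "user": user,
        "pan_count": pans,
        "summary": summary,
        # Everything the analyst needs to open the case without re-querying.
        "evidence": {"raw_event": event, "filename": event["filename"]},
    }


if __name__ == "__main__":
    alert = build_alert(RAW_EVENT, SAMPLE_EXPORT)
    print(alert["summary"] if alert else "no attributable PAN movement")
```

The unattributed case (an IP with no directory mapping) is the one most SIEM rules silently mishandle: here it is returned as `None` rather than promoted to a high-severity alert with a blank user field, so the gap in the lease data shows up as a data-quality problem instead of a false positive.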
And finally, we need to do all of this at a price per user that makes it a no-brainer to implement, not the maximum we think we can stick the client for, based on some artful TCO model which, if you actually analysed it, would tell you the TCO of your IT environment is about a thousand times greater than the GDP of a small nation.
I work for a company that has a policy that prohibits unauthorised WiFi access points on company premises.
OK, this implies “connected to the corporate network”.
But I’ve just purchased a Huawei MiFi router. WiFi to 3G. It sits in my pocket, but I don’t even need to bring it onto the premises. I can leave it in my car, and could sit at my desk pretending to work while in reality I’m off the corporate net and surfing whatever I like.
I haven’t quite figured out how we, as Information Security Professionals, catch up on 2010. It’s going to involve tightly controlled silos for sensitive data – be it PCI, other financial data, or Intellectual Property. But the days when we thought we could wrap the InfoSec blanket around the whole thing are gone, and we need a new approach to securing only the data that actually matters.
On the excellent TaoSecurity blog, Richard Bejtlich says “forget ROI and risk. Consider competitive advantage.”
ROI is incredibly hard to justify for security programs. You’re trying to find a way of stacking up “what might happen” against the pounds, dollars or euros that you’ve actually spent. However you do it, it’s going to seem artificial.
Risk is even harder. As Bruce Schneier repeatedly points out, human beings are incredibly bad at rationally dealing with risk and probability. And most security events are out at the wrong end of the scale for us to even try. No-one wants to be spending money on million-to-one probabilities.
I’m not sure you can often claim a competitive advantage — in the traditional sense — from security either. But for me the nugget of wisdom in Richard’s article is the concept of focussing on the threat.
‘When you turn the focus on the adversary — you are threat-centric — and discuss how he is trying to beat you and how you can beat him, you are likely to strike a primal chord in the mind of the business person. The executive is likely to wonder “what else can we do to give us a competitive advantage?” Suddenly the digital security shop is seen as a business partner in a common fight with the competition, not a cost center dragging down the “productive” elements of the business.’ – TaoSecurity
It’s certainly clear the threat has moved. Hackers are, for the most part, no longer kiddies trying to impress their mates. They are financially motivated criminals. They are clearly starting to target the enterprise. But I wonder how many businesses will wait for a crisis before implementing proper protection for their most vital assets.
No business executive in their right mind would leave their cash balance hanging in a sack outside the office overnight. But plenty of people seem happy to do the same with their customers’ personal information and their own intellectual property.
As reported by the US-CERT, it seems that even a USB battery charger (neat idea, BTW) can carry malware. It seems like the last thing you’d expect to have enough complexity to be a risk, but the accompanying software to monitor the battery charge status is compromised.
One of my big fears at work is that we’ll ship something infected, either out the front door – god forbid – or with a support update or special code sent out to a specific individual. The headlines don’t bear thinking about, and much of our security philosophy is around supply chain protection.
So how did this happen?
The software that got sent out was digitally signed. So the compromise was before that. Either careless developers, or careless contractors, sent this code to be signed with the compromise already present. And the signing authority did nothing more than rubber stamp the signature.
The developers are at fault, for allowing their code to be compromised.
The signers are at fault, for signing compromised code.
Without knowing more about the supply chain, it’s hard to say who else might be at fault. But I’ve got plenty more fingers if that information comes out.
Every single person who touches production software has a responsibility for it being as designed, and safe for the end user. Multiple people failed in their responsibilities in this incident.
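A signature only says “someone with this key approved this file”; it proves nothing about where the file came from. What “more than a rubber stamp” looks like in practice is a gate in front of the signing key that refuses anything the build system did not record producing. The following is an added illustration, not the vendor’s process or the original post’s code: it assumes the build server emits a manifest of artifact hashes and authenticates it with a key only the build server holds (an HMAC stands in for a real signature on the manifest), and that the signing service keeps a list of known-bad hashes. The artifacts and key are constructed.

```python
import hashlib
import hmac

# Assumed: a key held only by the build server, used to authenticate the
# manifest it emits. Constructed value; a real deployment would use an
# asymmetric signature over the manifest instead.
BUILD_SERVER_KEY = b"constructed-build-server-key"


def artifact_digest(data):
    return hashlib.sha256(data).hexdigest()


def manifest_tag(manifest_lines, key=BUILD_SERVER_KEY):
    """Authenticate a manifest ('<sha256>  <name>' per line), order-independent."""
    body = "\n".join(sorted(manifest_lines)).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


# Constructed artifacts: what the build produced, a tampered copy with a
# payload appended, and a sample the signing service already knows is bad.
GOOD_ARTIFACT = b"charger-monitor-1.0.exe: legitimate build output"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\x00dropper-stub"
KNOWN_DROPPER = b"previously seen dropper sample"

MANIFEST = [
    artifact_digest(GOOD_ARTIFACT) + "  charger-monitor-1.0.exe",
    artifact_digest(b"other build output") + "  charger-monitor-1.0.msi",
]
MANIFEST_TAG = manifest_tag(MANIFEST)
KNOWN_BAD = {artifact_digest(KNOWN_DROPPER)}


def signing_gate(artifact, manifest_lines, tag, known_bad=KNOWN_BAD):
    """Decide whether an artifact may be passed to the signing key.

    Returns (approved, reason). Order matters: an unauthenticated manifest
    must be rejected before anything in it is trusted.
    """
    if not hmac.compare_digest(manifest_tag(manifest_lines), tag):
        return False, "manifest not authenticated by build server"
    digest = artifact_digest(artifact)
    if digest in known_bad:
        return False, "artifact matches known malicious hash"
    entries = dict(line.split("  ", 1) for line in manifest_lines)
    if digest not in entries:
        return False, "artifact was not produced by a recorded build"
    return True, f"ok: {entries[digest]} {digest[:12]}"


if __name__ == "__main__":
    for name, blob in (("good", GOOD_ARTIFACT), ("tampered", TAMPERED_ARTIFACT)):
        print(name, signing_gate(blob, MANIFEST, MANIFEST_TAG))
```

The check a developer or contractor cannot talk their way past is the second one: a file that has been modified after the build, however plausible its name and version, has a hash the build server never recorded, and adding a line to the manifest by hand invalidates the tag.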
Organisations continue to underestimate the devious nature of cyber criminals and have little or no commitment to “thinking like a hacker”. This mind set is critical in order to apply budget and resources to the areas where criminals are most likely to attack and to counter their methods effectively. – Pete Wood
The worst thing is that as 2010 appears, we’re starting to see the beginnings of Corporate Cybercrime. Attacks against companies have, until recently, been mass identity theft attacks, or the occasional DDoS extortion hack.
But the attacks against Google in China, and other companies suggest that there’s a new focus – hacking big corporations as targets in their own right.
I think this runs much deeper than just cybercrime, though.
“We’ve done a risk assessment”
“We’re OWASP compliant”
“Look at our PCIDSS certification, isn’t it pretty!”
Or, worst of the lot in the 21st century “we must be secure with a firewall in front of our network”.
No amount of risk assessments, standards compliance, or pretty certificates on the wall are going to deter a hacker motivated by profit from attacking your systems in new and innovative ways. And right now, almost every company out there has chinks in its armour. Spending the budget to cover the biggest holes is one thing, but the entire industry needs to get into the mindset that security is job number 1.
Oh, wait, I said basically the same thing in the last post on cloud computing.
“Few organisations are giving serious consideration to the security risks inherent in the cloud computing model. Whilst day-to-day operations can be outsourced in this way, the responsibility for security cannot. A combination of technical, legal and audit skills are required to ensure the security of data in the cloud.” – Pete Wood
What we need here is for an organisation to step up and build a cloud platform engineered for security from the ground up.
Unfortunately, I think it’s unlikely to happen. Because every time you introduce a security feature, someone will say “but customers will complain if we block them from …”
So here’s an idea. Let’s take the current range of app profiling technologies built into various IPS/IDS technologies, and use them to profile a new customer. Against themselves, and against each other. So the customer sending a gazillion emails gets checked to see if they’re a marketing organisation or a spam house. The customer who suddenly starts sending a metric shedload of traffic on port 65434 gets asked if they’re running a botnet (with or without their knowledge).
Given the current state of network and host security, the biggest weakness is going to be the customer’s own application code. So the next step is getting to the point where we have secure app frameworks – and the only supported frameworks on our secure cloud are our secure app frameworks.
Won’t sell? If the CSO has a say in which platform you can use, you bet it will.