If we could shift IT security spending to secure implementation we'd all be better off.
Response to Bruce Schneier's article at Wired.com:
"The primary reason the IT security industry exists is because IT products and services aren't naturally secure... If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure."
Schneier knows that security cannot be viewed only in terms of vulnerabilities of buggy software and insecure servers. As long as people have valuable assets that are attacked by competitors, criminals and terrorists, there will be a market for security countermeasures.
Information security is a major operational risk for most businesses today, and that risk is the result of a complex interaction between threats to valuable assets, exploitable vulnerabilities and the countermeasures deployed against them.
The value of risk is a function of asset value, the probability of a threat materializing, the depth of damage it can do, and our ability to apply mitigating countermeasures:
Risk = Asset Value x (Threat x Vulnerabilities) / Countermeasures
Using the PTA (Practical Threat Analysis) model it looks graphically like this:

Modern IT system complexity exacerbates the security problem.
Today's IT systems are orders of magnitude more complex than the mainframe systems of 30 years ago, and they are open on port 80, speaking HTTP, a stateless protocol originally designed to serve up information pages.
15 years ago, when Check Point introduced the first stateful inspection firewall, the operational concept of protecting a secure internal network from external threats made sense. That has now changed, primarily because of HTTP convergence. With all applications running on HTTP over port 80, the notion of a secure internal network is blown away once you open up port 80 to inbound and outbound traffic on your network.
What happens when you have a complex system of cache servers, SSL accelerators, load balancers, reverse proxy servers, transparent proxies, IDS/IPS and Web Application Firewalls? Oh yeah - and don't forget J2EE, which introduces additional layers of unjustified complexity and vulnerabilities.
You cannot control the threats but you can implement effective countermeasures.
I share Schneier's messianic vision and I would put the onus on customers reminding them that - "if you're not part of the solution, you're part of the problem".
1. Choose countermeasures carefully - don't use a control-compliance checklist. Think it through before you buy an application firewall - it is probably cheaper to do a software security assessment of your online purchasing Web application and fix the bugs.
2. Don't be a security fashionista. Most companies apply inappropriate countermeasures because their purchasing decisions are a) based on the old operational security paradigm, b) driven by keeping up with the Joneses, and c) pushed by privacy and governance compliance, which leads firms to implement controls that are good for the regulator and not for the business.
When we apply inappropriate solutions to threats, our cost of attacks and ownership rises rapidly (good for Symantec and McAfee but not good for our shareholders).
3. KISS - Keep it simple.
Defense in depth is important but remember that increased complexity reduces security, and installing additional security products can lull managers into complacency. Here are some examples -
Companies that attempt to mitigate internal vulnerabilities with firewalls and proxies experience an inflation of firewall rules and endpoints that bypass the proxies. Adding more network security elements tends to increase the total system risk, as a result of the interaction between the elements. A zero-tolerance policy to surfing to porn sites may be cheaper and more effective than a complex URL filtering setup.
Endpoints can bypass proxies simply by specifying a different gateway IP address, and transparent proxies on a Windows network are no assurance against unauthenticated user agents that bypass the entire proxy infrastructure. HTTP-aware firewalls such as Web application firewalls can be completely or partially bypassed in some cases. Transparent proxies can be compromised by HTTP response splitting techniques, since they rely on fine-grained string matching in HTTP headers. Our practice with clients shows that on average 40% of all outbound traffic bypasses the proxy anyhow.
Firewall and proxy logs are generally never analyzed, and often lag hours behind an event. An IPS often relies on anomaly detection. Anomaly detection relies on network flow data, which is often reported at intervals of 15 to 45 minutes. With that kind of lag, an entire network can be brought down before anyone notices. Because anomaly detection is looking for an anomalous event rather than an attack, it is frequently plagued by time-consuming false positives. A proxy, on the other hand, relies on URL filtering and simple keyword matching that analyzes the HTTP header and URL string. By looking at content and ignoring the network, a proxy can suffer from high rates of false negatives, missing attacks.
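To make the response-splitting point concrete, here is an added illustration (not code from the original post, and not any particular proxy product): a server-side redirect builder that concatenates a user-controlled value into a Location header, and a minimal Content-Length-aware reader of the kind a transparent proxy or cache uses to delimit responses on a connection. One CRLF-carrying value turns a single 302 into two responses, and the second one is what a cache would store under the attacker's chosen key. The URL and payload are constructed for the example.

```python
"""HTTP response splitting: why header string matching in a proxy is fragile.

Added example; the redirect builder, the toy response reader and the payload
are all constructed here and are not taken from the original post.
"""

CRLF = "\r\n"

# Constructed inputs: a benign redirect target and one carrying CR/LF.
BENIGN = "http://example.test/"
PAYLOAD = (
    "http://example.test/" + CRLF
    + "Content-Length: 0" + CRLF + CRLF          # terminates the real response
    + "HTTP/1.1 200 OK" + CRLF                   # attacker's second response
    + "Content-Type: text/html" + CRLF
    + "Content-Length: 21" + CRLF + CRLF
    + "<html>attacker</html>"                    # exactly 21 bytes
)


def build_redirect_naive(target: str) -> str:
    """Vulnerable: the target is concatenated straight into a header line."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + target + CRLF
        + "Content-Length: 0" + CRLF + CRLF
    )


def build_redirect_safe(target: str) -> str:
    """Hardened: refuse any CR or LF in a header value before building it."""
    if "\r" in target or "\n" in target:
        raise ValueError("CR/LF in header value")
    return build_redirect_naive(target)


def split_responses(stream: str) -> list:
    """Delimit responses the way a simple proxy/cache reader does.

    Each response is: status line, header lines, blank line, then exactly
    Content-Length bytes of body. Whatever follows is read as the next
    response, which is the behaviour response splitting abuses.
    """
    responses = []
    while stream.startswith("HTTP/"):
        head, sep, rest = stream.partition(CRLF + CRLF)
        if not sep:
            break
        status, *lines = head.split(CRLF)
        headers = {}
        for line in lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        responses.append({"status": status, "headers": headers, "body": rest[:length]})
        stream = rest[length:]
    return responses


if __name__ == "__main__":
    print(len(split_responses(build_redirect_naive(BENIGN))), "response(s) from benign input")
    injected = split_responses(build_redirect_naive(PAYLOAD))
    print(len(injected), "response(s) from payload; second is", injected[1]["status"])
    try:
        build_redirect_safe(PAYLOAD)
    except ValueError as exc:
        print("hardened builder rejected the payload:", exc)
```

The reader is deliberately simple, but it is the same framing logic (status line, headers, blank line, Content-Length) that a transparent proxy applies per connection, which is why a single unvalidated header value on one origin server is enough to poison what the proxy hands to the next client. Rejecting CR and LF in header values at the application is the cheap fix the post argues for; it costs nothing compared with another inline appliance.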
Invest less in IT security products and more in monitoring and proactive bug fixing in your own applications. Use extrusion detection methods to monitor what leaves your network and to identify the vulnerabilities that matter.
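One cheap form of the extrusion monitoring suggested above is to read the firewall log you already have and ask how much outbound web traffic never passed through the proxy. The script below is an added example, not the post's or any client's code: the log format, the proxy address 10.0.0.5, the internal ranges and the sample lines are all constructed for it. It classifies each accepted outbound connection as proxied (source is the proxy), a proxy bypass (any other internal host talking to web ports outside), or non-web egress (an internal host leaving on some other port, which is the extrusion case worth a look), and reports the share of web traffic that bypassed the proxy per source host.

```python
"""Proxy-bypass and extrusion check over firewall log lines.

Added example, not from the original post. Log format, addresses and sample
lines are constructed; adjust INTERNAL, PROXY and LINE_RE to your own firewall.
"""
import ipaddress
import re
from collections import Counter

# Assumptions for the example: RFC 1918 ranges are "inside", one proxy egress.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
PROXY = ipaddress.ip_address("10.0.0.5")
WEB_PORTS = {80, 443, 8080}

# Constructed key=value log format; a real firewall needs its own regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed sample: six proxied web connections, four direct ones from
# other internal hosts, one dropped, one internal-only, one SSH out, one mangled.
SAMPLE_LOG = """
2007-03-12T10:00:01 src=10.0.0.5 dst=203.0.113.10 dport=80 proto=tcp action=accept
2007-03-12T10:00:02 src=10.0.0.5 dst=203.0.113.11 dport=443 proto=tcp action=accept
2007-03-12T10:00:03 src=10.0.0.5 dst=198.51.100.7 dport=80 proto=tcp action=accept
2007-03-12T10:00:04 src=10.0.0.5 dst=198.51.100.8 dport=443 proto=tcp action=accept
2007-03-12T10:00:05 src=10.0.0.5 dst=203.0.113.12 dport=80 proto=tcp action=accept
2007-03-12T10:00:06 src=10.0.0.5 dst=203.0.113.13 dport=80 proto=tcp action=accept
2007-03-12T10:00:07 src=10.1.2.3 dst=203.0.113.10 dport=80 proto=tcp action=accept
2007-03-12T10:00:08 src=10.1.2.3 dst=198.51.100.9 dport=443 proto=tcp action=accept
2007-03-12T10:00:09 src=10.1.2.7 dst=203.0.113.14 dport=80 proto=tcp action=accept
2007-03-12T10:00:10 src=192.168.4.20 dst=203.0.113.15 dport=8080 proto=tcp action=accept
2007-03-12T10:00:11 src=10.1.2.9 dst=203.0.113.16 dport=80 proto=tcp action=drop
2007-03-12T10:00:12 src=10.1.2.3 dst=10.0.0.20 dport=80 proto=tcp action=accept
2007-03-12T10:00:13 src=10.1.2.3 dst=203.0.113.20 dport=22 proto=tcp action=accept
garbage line that the firewall mangled
""".strip().splitlines()


def parse(line: str):
    """Return a record dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return {
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "action": m["action"],
        }
    except ValueError:
        return None


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL)


def classify(rec: dict) -> str:
    """Label one connection from the inside-network point of view."""
    if not (is_internal(rec["src"]) and not is_internal(rec["dst"])):
        return "not-outbound"
    if rec["action"] != "accept":
        return "blocked"
    if rec["dport"] not in WEB_PORTS:
        return "non-web-egress"     # extrusion candidate: not web, not via proxy
    if rec["src"] == PROXY:
        return "proxied"
    return "bypass"                  # web traffic that never touched the proxy


def analyze(lines) -> dict:
    counts = Counter()
    bypassing_hosts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        kind = classify(rec)
        counts[kind] += 1
        if kind == "bypass":
            bypassing_hosts[str(rec["src"])] += 1
    web_total = counts["proxied"] + counts["bypass"]
    share = counts["bypass"] / web_total if web_total else 0.0
    return {"counts": dict(counts), "bypass_share": share,
            "bypassing_hosts": dict(bypassing_hosts)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(report["counts"])
    print("share of outbound web traffic bypassing the proxy: "
          f"{report['bypass_share']:.0%}")
    for host, n in report["bypassing_hosts"].items():
        print(f"  {host}: {n} direct web connection(s)")
```

On the constructed sample the bypass share comes out at 40%, the figure quoted above; on a real log the interesting output is the host list, because each entry is either a firewall rule that should not exist or an endpoint whose gateway setting has been changed, and both are fixed by removing something rather than buying something.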