Saturday, 7 July 2012

Insecure by design

We have a fundamental flaw in how we think about security. We like to argue that we need people who can think like the attacker in order to be successful as defenders, but this could not be further from the truth.

Yes, as Sun Tzu stated, it is well worth knowing one’s self as well as one’s enemy, but this means we need to understand each in its own way, flaws and all.

Security is a function of the system and organisation it is designed to defend and it is always an economic function (even in the military). There are no absolutes and what is “cool” is rarely the main concern. As much as malcode such as Flame captures the news, it is of far lower concern than the simple issues constantly confronting us.

Again and again we hear tales of APTs, Stuxnet and more in the news. We as security “professionals” help and aid in the propagation of this myth. The truth is that it is the boring, mundane things that really make the true difference.

Patching, white-listing of applications and other simple and mostly overlooked controls are of far more use than the majority of the cool toys being pushed on us.

  • Yes, these are far sexier than patching and effective policy controls.
  • Yes, awareness can be boring.
  • Yes, educating people is an endless process.

That stated, these are things that really make a difference.

When “we” as an industry finally start to look at and address the real issues, then and only then will we start to make headway. Only then will we manage to gain a foothold against a rising tide of crimeware and attacks.

For all of the news of new attacks, of zero-days and more, it still remains the systems that have not been patched, the applications that we have allowed off a white-list and poor practice that cause most compromises and breaches.

When we think of critical infrastructure attacks, it is simply the wrong belief that these systems are OK as they are and do not need to be patched that leaves them vulnerable. It is the failure to have basic controls and updates, not the growth of new forms of attack, that places these systems at risk.

I was told the other day that “old attacks” do not matter and that these could never be used to attack anything. This is the problem with this industry. Old attacks work. New attacks cost money. APT and zero-days are expensive to both create and deploy. They are the proverbial nuclear weapons. Once they are used, they are depleted. They may be used, but the use is extremely controlled and limited. For each of these, there are thousands if not millions of conventional attacks. These are attacks using old vulnerabilities.

  • When we as security professionals start to understand that security in business is about business, we will start to make headway.
  • When we start to understand that there is no absolute level of security, we may start to win battles.
  • When we start to see all security as an economic calculation based on risk, some of which are accepted and not all of which can be fixed, we will start to create secure systems.

But whilst we leave the basics of security for that which is “cool”, fun and trending, we have left the path to creating secure systems and left ourselves open to attack.

Security is not about creating perfection, it is about creating resilient systems that can survive a certain level of attack. Aim for perfection and aim to always lose.
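The three bullet points above treat security as an economic calculation: some risks get a control, the rest are accepted, and the choice depends on what each control costs against the loss it avoids. The following Python is an added example, not code from the post, that carries that calculation through for a small constructed set of risks (one for unpatched systems, one for software that is not on a white-list, one for a zero-day) and candidate controls. All figures, names and the greedy selection rule are assumptions chosen for illustration. It also runs the same plan with the probability estimates deflated tenfold, which is what happens when “that will never happen” enters the spreadsheet: the cheap controls stop paying for themselves on paper while the real exposure is unchanged.

```python
"""Risk-based control selection: a constructed example, not the post's own method."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_rate: float      # expected events per year (annualised rate of occurrence)
    loss_per_event: float   # loss per event (single loss expectancy)

    def ale(self, rate_multiplier: float = 1.0) -> float:
        """Annualised loss expectancy = rate * loss. The multiplier is a knob
        for testing how a deflated probability estimate changes the decision."""
        return self.annual_rate * rate_multiplier * self.loss_per_event


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    coverage: dict          # risk name -> fraction of that risk's ALE the control removes


def select_controls(risks, controls, budget, rate_multiplier=1.0):
    """Greedy plan: repeatedly pick the control with the largest marginal net
    benefit (ALE avoided minus annual cost) that still fits the budget.
    Whatever ALE is left when no control pays for itself is the accepted risk."""
    remaining = {r.name: r.ale(rate_multiplier) for r in risks}
    chosen, spent = [], 0.0
    candidates = list(controls)
    while candidates:
        best, best_gain = None, 0.0
        for c in candidates:
            if spent + c.annual_cost > budget:
                continue
            avoided = sum(remaining[n] * f for n, f in c.coverage.items() if n in remaining)
            gain = avoided - c.annual_cost
            if gain > best_gain:
                best, best_gain = c, gain
        if best is None:            # nothing left that reduces loss by more than it costs
            break
        for n, f in best.coverage.items():
            if n in remaining:
                remaining[n] *= 1.0 - f   # overlapping controls compound, not add
        chosen.append(best.name)
        spent += best.annual_cost
        candidates.remove(best)
    return {"controls": chosen, "spent": spent,
            "accepted_ale": round(sum(remaining.values()), 2)}


# Constructed figures (assumptions), chosen only to make the comparison concrete.
RISKS = [
    Risk("unpatched_known_vuln", annual_rate=2.0, loss_per_event=50_000),
    Risk("non_whitelisted_malware", annual_rate=1.0, loss_per_event=80_000),
    Risk("zero_day", annual_rate=0.02, loss_per_event=2_000_000),
]
CONTROLS = [
    Control("patching", 30_000, {"unpatched_known_vuln": 0.9}),
    Control("app_whitelisting", 25_000, {"non_whitelisted_malware": 0.85,
                                          "unpatched_known_vuln": 0.3}),
    Control("zero_day_hunting_toolkit", 150_000, {"zero_day": 0.5}),
]


def baseline_plan():
    """Plan with the estimates as given."""
    return select_controls(RISKS, CONTROLS, budget=100_000)


def deflated_plan():
    """Same plan after the business talks every probability down tenfold."""
    return select_controls(RISKS, CONTROLS, budget=100_000, rate_multiplier=0.1)


if __name__ == "__main__":
    print("baseline:", baseline_plan())
    print("deflated:", deflated_plan())
```

With the figures as given, the plan buys white-listing and patching for 55,000 a year and accepts about 59,000 of expected loss, most of it the zero-day that no affordable control touches. With the rates deflated tenfold the same spreadsheet buys nothing at all and reports 22,000 of accepted loss, while the actual exposure is still the original 220,000. The selection rule is greedy, so it is a first-order prioritisation rather than an optimal one, which is usually all a budget conversation needs.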


Robert Shullich said...

The problem with the risks is that there is a lack of ability to calculate it. We know what the risk formula is, yet quantitative risk requires real good numbers and metrics, and qualitative risk does make it easier. The problem with the calculation is that the business, which we have to satisfy, will push the calculations as to either low probability "oh that will never happen" or low impact "how much damage could that really do" and in either case push the risk down to a real low and insignificant risk.
So yes, security and risk is a business decision, and if the business wants to accept it, that is a business decision. But that also assumes that the risk that the business is accepting is accurate, because if the risk being stated is deflated from reality then the business is actually accepting a higher risk.
What does that mean? It means that we have to be better at forecasting probability and impact. And part of doing that means security metrics.

As far as training to be a defender, this is another weak spot. Universities still don't train programmers in secure programming. Programmers are being allowed to learn it wrong, and this needs to be fixed.

All of your talk about patching and whitelisting is fine and good, but it is only tactical, and as worthless as a strategic direction because it is what we would call "bolt-on security"; it is after the fact. GOOD in a defense in depth approach. But the strategic direction is building apps and systems correct in the first place, as Microsoft used in their SD cubed scenarios, Secure By Design as the first step.

Craig Wright said...

True, defense in depth is a good approach, but the fact remains, whitelisting and patching alone do more than any other action as well as not costing the earth.

Patching is not a bolt on, but needs to be a part of an operational strategy.

Next, there is no way to "build apps right" all the time. There is better as MS have started doing, but there is nowhere close to perfect.

As for metrics... Well I disagree. Something I have been working on for some time and there are immense volumes of data out there.
What we lack are people who can do anything with that data.