We have a fundamental flaw with security. We like to argue that we need to have people that can think as the attacker to be successful as a defender, but this cannot be further from the truth.
Yes, as Sun Tzu stated, it is well suited to the field to know one’s self as well as one’s enemy, but this means we need to start to understand each in their own way. This is flaws and all.
Security is a function of the system and organisation it is designed to defend and it is always an economic function (even in the military). There are no absolutes and what is “cool” is rarely the main concern. As much as malcode such as Flame captures the news, it is of far lower concern then the simple issues constantly confronting us.
Again and again we hear tails of APTs, Stuxnet and more in the News. We as security “professionals” help and aid in the propagation of this myth. The truth is that it is the boring mundane things that really make the true difference.
Patching, White-listing of applications and other simple and mostly overlooked controls are of far more use than the majority of cool toys being pushed on us.
- Yes, these are far sexier than patching and effective policy controls.
- Yes, awareness can be boring.
- Yes, educating people is an endless process.
That stated, these are things that really make a difference.
That stated; these are things that really make a difference.
When “we” as an industry finally start to look at and address the real issues, then and only then will we start to make headway. Only then will we manage to gain a foothold against a rising tide of crimeware and attacks.
For all of the news of new attacks, of zero-days and more, it still remains the systems that have not been patched, the applications that we have allowed off a white-list and poor practice that cause most compromises and breaches.
When we think of critical infrastructure attacks, it is the simply wrong belief that these systems are OK as they are and that these do not need to be patched that leaves them vulnerable. It is the failure to have basic controls and updates, not the growth of new forms of attack that places these systems at risk.
I was told the other day that “old attacks” do not matter and that these could never be used to attack anything. This is the problem with this industry. Old attacks work. New attacks cost money. APT and zero-days are expensive to both create and deploy. They are the proverbial nuclear weapons. Once they are used, they are depleted. They may be used, but the use is extremely controlled and limited. For each of these, there are thousands of not millions of conventional attacks. This is attacks using old vulnerabilities.
- When we as security professionals start to understand that security in business is about business, we will start to make headway.
- When we start to understand that there is no absolute level of security, we may start to win battles.
- When we start to see all security as an economic calculation based on risk, some of which are accepted and not all of which can be fixed, we will start to create secure systems.
But whilst we leave the basics of security for that which is “cool”, fun and trending, we have left the path to creating secure systems and left ourselves open to attack.
Security is not about creating perfection, it is about creating resilient systems that can survive a certain level of attack. Aim for perfection and aim to always lose.