The Failure of Information Security
Noam Eppel writes to share a recent editorial regarding the current state of information security. From the article: "It is time to admit what many security professionals already know: We as security professionals are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect."
The sad reality of the matter is the vast majority of the threats they mention - spyware, phishing, Trojans, viruses, worms, rootkits, spam, web app vulnerabilities & DDoS attacks - are enabled by the existence of botnets (to stage attacks from, send spam, provide anonymity, host phishing webservers, etc.).
The source of (the vast majority of) botnets is Microsoft's security failures in the late '90s/early '00s. How are security professionals supposed to combat something that happened in the past in another company?
Furthermore, the list of data losses can be blamed on companies who have failed to follow their security team's advice. Not on the security team itself.
The story makes some good points, but blames the wrong people.
There are shills on slashdot. Apparently, I'm one of them.
We as security professionals are drastically failing ourselves, our community and the people we are meant to protect.
This is quite harsh. While it is true that more could be done, it is also true that it is thanks to security professionals that things are not as bad as they could be. Yeah, Norton and McAfee are doing their best to scare consumers into buying software that provides ridiculous security. But this is not what we mean by "professionals".
Also, I am not a "security professional" but I have done my fair share of configuring and securing other people's computers; sometimes they might have been compromised anyway, but if I had done nothing, many more systems would have been in danger.
The article lists a long series of threats that endanger our systems everyday - but I fail to see how they are related to security professionals not doing their job. I'd rather blame the criminals.
Global warming is a cube.
Information security is failing also because information needs to be managed and addressed by non technical people! Also known as "normal people".
Techniques like phishing or social engineering, as well as a good dose of stupidity and ignorance, can make security technologies useless!
Like writing down on leaflets PINs and passwords or communicating them via email.
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
It is definitely not our duty to protect companies.
It is our duty to protect our fellow human being and the job market.
This requires plenty of need for technical support to help stymie the massive influx of computer based attacks.
We have already come so far. We are enjoying a surge in business and growing salaries thus it is our mandate, first and foremost, to protect our fellow workers.
Free a port today.
I've read the article and while it's a very informative collection of statistics, I don't believe that Security Professionals are responsible for many of the "Security Failures" listed, nor can they fix the problems. Security Consultants already know most of this stuff and can say what they like to a business, but they do not make the final decision. The holes are in the OSes and the platforms businesses choose and generally the priority isn't security - it's usability, ROI, cost, etc.
Another point: What are we comparing this to anyway? What I mean is, "bad security" compared to what? How many millions of attempts at compromising security are foiled vs. those that get through? The times when businesses actually follow what a security consultant recommends, I guarantee they become a hell of a lot more secure than those that don't.
"Who says nothing is impossible? Some people do it every day!" - Alfred E. Neuman
I know I am stating the obvious here, but I still think the human factor is almost always greatly underestimated.
It seems to me that if the computer networks and computer industry enjoyed real regulation, any yahoo who passes a CompTIA test wouldn't be able to claim to be a computer consultant, or a security expert, and be allowed to set up crap that allegedly puts our nation at risk via cyberterrorism, as the trumpeters keep blaring. Imagine if anyone could just say he was a lineman and start modifying the power grid, or a police officer and start arresting people. If data is as important as power and control (they are all important types of busses, no?), then data people have to be better trained and regulated like power and control people. Ah, but it's a nascent profession...
The Coming Singularity compels us to get our security act together before all is lost and our technological world collapses.
Security in artificial intelligence is approaching a winner-takes-all moment of truth on which hangs the fate of the world.
The Joint Stewardship of Earth under human and robot control requires mutually assured defusing (MAD) of security issues for the legacy human society and the supervenient robot society.
I live and thrive on the inability of people. It's my job to find and eliminate trojans, worms and other malware.
Time and again I see proof that people, smart people, people with a masters degree and Ph.D., lawyers and bankers, managers with a six to seven figure annual income, become mumbling fools in the presence of a computer. I don't know what it is that those magical boxes emit, but it must be akin to the stupidity ray used in Zak McCracken. Lucas got it wrong there, it's not transmitted through the phone line, it comes out of your computer screen.
Now the argument comes "Then don't allow them to f... up the system, lock them down and take away their permissions". Anyone who ever said that statement never worked with managers that have egos that require their own offices. Don't you, grunt, DARE to take away any options from him! He is the master of the world, he is the chieftain of chieftains, and YOU dare to tell HIM what he may and what he may not do?
Security is nice on paper, but it is very hard to do in reality. Not so much because of its technicalities. The human factor is by far underrated in IT sec.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It must be someone's fault it's not perfect. Okay, I don't want a tomb but be able to interact with the outside world, so I still want doors and windows. But I think the contractors are secretly conspiring together and failing us security wise, because there should be completely unbreakable windows & non-pickable locks on the marketplace. WAAAAH!
The management level corporate posture towards IT security goes like this:
- We want to have our machines and network secure as long as it doesn't cause too much hassle to people and we don't pay a lot for it.
In other words, forget about big hardware changes, forget about changing the OS/E-mail client/Word editor/Web browser on the desktops of the staff, forget about getting all laptop users in their own sub-network and forget about retraining our staff to use computers in a way that helps improve our IT security. Oh, and by the way, if the CEO or some other VIP has some funky new program on his laptop that can't connect to the Net, just open those ports in the firewall.
And now IT Security professionals are to blame?
What's next? Maybe the cleaning lady at Enron was the one responsible for defrauding the investors????
"We as security professionals are drastically failing ourselves, our community and the people we are meant to protect"
BS
You cannot solve cultural problems with technology:
http://news.bbc.co.uk/2/hi/technology/3639679.stm
Security is pretty much at the point where we want and are prepared to pay ... and in a world not quite perfect :)
... it's the end users who are responsible for this dismal state, IMHO. The article makes the case that despite a growing amount of software designed to protect us, it is not working as well. I would argue that the software and implementations probably ARE working better than they used to. However, as software gets better and easier to use, people spend less time learning how to use it simply because they think that it is better and easier to use than what they used to have. So, firewalls are not configured properly, AV programs are not run frequently with the user paying attention, and of course people install crap thinking their security software will protect them. Then there is the old social engineering problem. And there is nothing that security professionals can do against lazy users. Of course, I am not addressing some of the higher level network-security-in-a-corporate-setting arguments the author makes, but I myself am just an end user, so anything I could say to that would be, well, irrelevant.
In the Summer of 2003, the Internet suffered three major worms: Blaster, Nachi, and SoBig.
We haven't had a worm since. There have been no systemic outbreaks in over three years. Sure, we've had mild rashes, but Zotob vs. Nachi isn't even a comparison, nor is Blaster vs. WMF.
IE attacks are deeply problematic -- they're wonderfully targetable, among other things. But there's really no replacement for zero-interaction, receive-a-packet-and-you're-owned style vulnerabilities. SP2 put a firewall on every desktop that cared. Since then, no worms.
That's not to say we're not fighting a painful battle. Really, every day we get to still bank online is another day I'm surprised. But the fact that SP2 was written, was free, and was actually deployed enough to matter is one hell of a win.
In the real world a society has only got to deal with a limited set of criminals. The criminals in that society. Not that many Nigerian cat burglars who hop over to Europe for a quick break-in (I am not going to touch immigration problems today thank you, it is too hot for a flamewar).
But on the net the society is 6 billion and any one of them can try to see if you left your window unlocked.
Yes it is sad that in the real world you have to put your bike behind a locked fence and the bike itself locked and chained or be told off by the police for leaving your bike to be stolen in your own garden, but that is the way it is.
Either we are willing to pay for massively more police, more restrictive laws and larger jails (and some might say freedom, again a subject I am not going to touch today) or we have to live with crime.
We could easily secure our computers and the information they contain, but to do so would require a lot more work on our part, remove some easy access as well as require measures against people who leave things open.
Did you know that in the real world the police spend time informing people about house safety? That there are even laws against making theft too easy? That is the reason why all shoes on display outside are either left or right ONLY (I never remember which). 'Cause a shopowner that has both outside and gets them stolen will receive very little sympathy from the police.
Yet we keep running Windows, install every flashing free program we find and open emails that promise us naked pictures.
When the user wants to do insecure stuff there is little you can do to stop them.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I usually don't post but this article is really too much.
In other news, firefighters KEEP fighting fires worldwide! Despite their work, fires seem to keep burning stuff all over the world! Shock!
News at 11! Ambulance personnel and hospital staff are fighting an uphill battle! patients keep coming in! Where does it end?
Seriously, as long as you have people using any mechanism (computer/car/whatever) there will be people who break it, people who benefit from breaking it and people who try their utmost to KEEP it from breaking.
I'm *really* looking forward to the followup article which will tell us all how to "fix" this. Mayhaps a rant on buffer overflows? the virtues of "safe" languages? sane input validation? sigh.
a few of the replies are already pointing to the human element. a while back, someone made an information security analogy to the use of seat belts.
it went kinda like this:
- used to be that seat belts did not exist, yet cars could travel pretty fast (40-50mph). back then, if you crashed you pretty much assumed you ate the dash.
- then seat belts were created, but people still ate the dash.
- then belts were required in all cars, but the dash still tasted good.
- then belts were required for use,
- and air bags came out (ha ha).
--> ok. i got no stats, but it's possible that fewer people eat dash today because of better default "security" settings in cars *and* better use by the users. oh, and somewhere along the way, drinking and driving was considered bad.
(pretty sure i first saw this example in a presentation by m. ranum)
--
"I promise to be different..."
The sad reality is that information security is rather hard to achieve in an imperfect environment and without unlimited resources.
To make a bad analogy, it is hard to physically protect your client/employer if they insist on partaking in high-risk pursuits, and the environment is harsh and dangerous. Email-header spoofing, bot-nets, vulnerabilities in 3rd party software - these are not under the control of the admin, at least not if you are committed to the Microsoft platform.
The same could be said that a doctor cannot be held responsible for their patient's health, if their patient is a chain-smoking, alcoholic base-jumper who rides a monocycle down the freeway at 100 km/h.
Seriously, I'm asking. :-)
Here's what my wife and I have been doing. We both have computers, and we use them for very different things. Mine is games, programming, internet, and my wife's is for CAD, Photoshop, internet.
They're both pretty much set up the same, other than the OS. My wife's runs Windows 2000 and mine runs XP. Both are connected to the Internet via a Linksys wired router. Both run Firefox only as the web browser. The Windows 2000 box runs ZoneAlarm as the firewall, and mine runs Windows firewall. We both use GMail as our email tool.
Other than that, there isn't much security software installed. I don't even have an anti-virus.
I am pretty diligent at applying patches however. Firefox and ZoneAlarm both notify me when a patch is available, so I apply them when they pop up. I run Windows update weekly. I also have Adaware and Spybot Search and Destroy that I run weekly as well. Other than the usual ad cookie (Double-Click, etc.), they've yet to discover something.
The only problem I've had with machines is with a bit of spyware that got installed. It was one of my wife's first online experiences, and she clicked on something she shouldn't have, AND she was running IE. I ended up reinstalling the OS, and after a very short Firefox tutorial, it was the end of spyware on her computer.
(As an amusing side effect, she's now become quite the advocate for secure online habits and for Firefox. Most of her family and friends are all Firefox users now. Can we get a free T-Shirt :-) ).
So what's the problem? Is it bad habits, or is it really that bad out there?
Phemur
Also other security. Things are getting stolen. Learn to live with it. That does not mean nothing must be done. We must do things, but also realize that things will get stolen, no matter what.
The thing I see is that almost nobody deals with what to do IF things get stolen. I had a talk with somebody and asked him what he would do if he knew that his database was stolen and competition got hold of it. His answer was: nothing.
Perhaps there lies the problem. People are not being punished if they do something wrong. They get fired when they watch pr0n at their job, but no real issue if they use an insecure password. Instead the company sues 'the hacker'.
No responsibility is taken.
Don't fight for your country, if your country does not fight for you.
The failings of information security are (99.99% of the time) not the fault of the officers within that department. The lack of management buy-in to support policies is our number one problem. The technical teams (server managers, network support etc.) see us as a hindrance which must be battled and argued with (sometimes just for the hell of it) every step of the way. We offer numerous suggestions on how we can integrate our teams and communicate better, and then we're promptly ignored. We offer to help develop secure baseline builds for OS installs and router/switch configs and then are basically told to "get stuffed" by the people in those teams. Management have little to no interest in the concerns we document and supply to them, and even when the issues are taken up the food chain they get sidelined as it is always deemed too much hassle. We invite external vendors in to help us develop a patching procedure and customise our backup processes to suit our environment, then the server admins do something completely different claiming that they don't want to be responsible for maintaining the supporting documentation. HR refuse to update their AUP acceptance process because they don't want to manage the overhead, despite us advising them numerous times that if the users have not acknowledged the policies then prosecuting "unauthorised access" under the Computer Misuse Act is made so much more difficult.
Bet for every $100 spent on the paperwork, less than $1 is spent actually securing systems. The IT security officer's budget dwarfs the dissemination budget and our information saves lives.
We have more contractors reviewing C&As than programmers creating code to deliver our information. Out of this army of contractors, there is a single USG employee who is an outstanding system security engineer and is someone we can go to for a technical solution. And the line outside this guy's cube is long.
And the joke of it all is after all this review, GAO still gives us a grade of D-.
The problem these security experts have is that they have workmanship pride, and human decency. These things are drawbacks in the capitalist (especially the US) system. It is designed to maximise capital growth. It does not maximise human happiness or the growth of humanity, though a lot of people who benefit from the system to the detriment of others would like you to believe that.
The perfect slave is one that has been convinced that the shackles are for his own good.
The worst thing you can do when you find yourself in a hole is to keep digging. If you are unhappy with your security infrastructure, then change it. Don't just 'accept' it as 'dismal' because your software vendor pimps that out as your only option. For all I know the person reading this right now has my personal information on their network somewhere, and the only thing between my information and some cracker is a piss poor security decision they've 'accepted'.
Join the Slashcott! Feb 10 thru Feb 17!
Your security is only as good as how thorough your actions are in combating the problem.
Unfortunately, you must protect your data constantly and train your staff accordingly. One weak link can ruin everything.
He who knows best knows how little he knows. - Thomas Jefferson
We as security professionals are drastically failing ourselves, our community and the people we are meant to protect.
Most of them just fish on securityfocus.com and keep all the machines with the latest patches, that's all they can do. They do not have the knowledge or tools to further explore the realm of computing and networking underneath the watched OSes, no way to gain further insight of what is really happening there, they can't ever be sure any data leakage isn't occurring.
I've specifically decided not to go for any security certs because of hoo-haw attitudes demonstrated in articles like this. As a regular sys-admin, no one listens to my recommendations in the first place, why ratchet up the accountability by being a certified scapegoat?
This article is a riot act equivalent to calling out doctors to take accountability for people who run with scissors.
Aha, so Noam Eppel is craving for attention again. What is it he needs this time, then? Job, money, 53x, foot massage?
Or has he finally realised that They Are Out To Get Him(tm)?
His doomsday scenario reminds me of an "interesting" article on Uncyclopedia: http://uncyclopedia.org/wiki/Bird_Flu
Only, the article on Uncyclopedia is funnier...
There is no way security can really improve while MS Windows is on the majority of the desktops out there. I'm sure everyone of these security professionals must know this but why kill the golden goose?
spoonerize "magic trackpad"
Once you create economic opportunity under this system, you create dependants who will fight to maintain it.
Security is HARD when it's architected into a system from the beginning. Security is impossible when it's an afterthought. Translation: The situation will not improve until the current crop of operating systems, applications, utilities, etc., are completely replaced by attrition with new code that has security at its core and foundation - that was *architected* to be secure. Of course, security architecture needs to start at the top. 99% of what's out there now, if it has any security at all, had security "bolted on" as an afterthought. This problem is not going away anytime soon. I'm not holding my breath. But, in the meantime, I just consider it "job security" and constant triage.
It's not the failure of the security professionals, it's the failure of management to not respect the wishes of the system security. I can't tell you how many times I've seen a perfectly good security solution just get circumvented by management, or else the security people are fired. If management people took security seriously, rules would not be broken that way.
How about doing the best job we can with what we are presented? Security can't happen overnight, and with firms just now starting to hire security professionals we have to go into their business and first get a grasp on their current practices. From there you have to work at changing years of insecure procedures while at the same time working on the security of the tech side with the very little funding you are allocated.
I guess what I'm asking is: are we actually failing at our job? Or are we just taking longer to do it than we would like?
If you don't have any anti-virus software installed, or at least a scanner, how would you know whether your computer is infected or not? If your machine belongs to a bot net, you probably don't know about it.
:)
To put it another way: Just because you have no symptoms doesn't mean you don't have cancer.
Is this little traffic light on your router blinking 24/7?
With the first link, the chain is forged.
Especially when they're senior management types? You can bitch all you want to anybody you can find who'll listen to you, but at the end of the day most companies place senior management and their desires ahead of those of the IT department: if Company Director X declines to follow IT dept guidelines on security procedures, there is nothing IT can do to him and his activities which won't result in the IT guys being fired.
So some Top Dog asshat opens a gaping hole into the company's system and there's not a damn thing IT can realistically do about it, because in most cases they are too far down the pecking order to get their way, but will still be blamed for the breaches and disasters that follow anyway.
I think the article's case for eventual total security breakdown is a bit overstated, but not wildly so.
The question that we should be asking is ... If current trends continue, ten years from now will we be able to safely connect to the Internet (or any similar network) for any purpose whatsoever? IMHO, That's a really good question.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
"Bad times have a scientific value. These are occasions a good learner would not miss." ~ Ralph Waldo Emerson
I work in an industry that should take security more seriously...
However, we didn't even get any MONEY last year from the budget, and this year I imagine it gets axed as well. No matter how hard we try, things stay in reactive mode. Yes, I suppose it is good that we've done our job well enough to stave off any disaster, but given the pittance we get budget-wise, I doubt this continues forever.
I also doubt I'm alone. We have little to no upper management support, and jobs that should be in security like some VPN, web filtering, malware software, etc. are in other groups.
It's a bit hard to do your job when people think security doesn't deserve any support, right?
So I go to read the article, and I notice my browser window title bar reads:
"Security Absurdity.com > Security Absurdity; The Complete, Unquestionable, And Total Failure of - Microsoft Internet Explorer"
Now was this an accident or did the authors deliberately lengthen their article title to make this happen?
The more you regulate a company, the worse its products become.
What many computer professionals don't realize is that a certain amount of loss due to crime is inevitable at any medium to large business. Stores like Walmart and Target have huge "shrinkage" problems, many times due to the employees themselves. Banks are constantly the victim of their own people all the way up to the VP level. Because of this, businesses are forced to make the calculation about how much security will save, vs. how much will be lost due to crime. If you want Military level security, you can buy it, but even the Military has had to deal with stolen information.
The trick is getting a better crystal ball and figuring out how much a break-in will cost. Since the IT people often can't properly predetermine the cost of normal projects, predicting the cost of a hypothetical crime will be less accurate than predicting the weather. Perhaps institutes like SANS could put dollar number formulas on each threat type. Even though the formulas would require too many assumptions to be accurate to us, management types could plug in what they think and have the OMG moment w.r.t. security or lack thereof.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
Security professionals are enjoying a surge in business and growing salaries
Uh? Since when? Security has been undervalued for years and there are two main reasons why the security of almost every company is shoddy at best: a) not enough budget and b) the human factor (i.e. invent a foolproof system and the world will invent a better fool).
Assorted stuff I do sometimes: Lemuria.org
Information Risk Managers didn't fail; their profession matured to the point that they realized that there is no such thing as "Security" and attempting to secure information from all comers is doomed to failure. The goal of our profession is "Risk Management" which involves:
Identifying what is at risk.
Identifying the threats to the assets.
Assisting the business to assign value to those assets. (Yes, the business and not the Security prof. is the end decider on value.)
Analyzing the risk to those assets from identified threats.
Assisting the business in a risk assessment.
Information Risks are just that: Risks. Businesses have been making decisions around business risks for ages and the successful ones stay in business. Nothing new here, move along, move along.
If you still think you can provide "Security" then you are indeed a failure; however, with some new training and a slight ego reduction you can start over as an Information Risk Manager.
As an IT professional and someone responsible for systems all over the US I must emphatically say - BULLHONKERS.
If you ask a building design engineer to tell you the most important part of a building, they'll say the foundation. If you ask a historian to tell you the most important part of the U.S. government, they'll say the Constitution. Aircraft - airframe. Car - chassis. And so on.
When you build anything, you make certain fundamental underlying decisions that affect how the rest of the system works - forever. If something is fundamentally broken about any of these core decisions, the structure will be irreparably and irrecoverably broken. It is universally understood that you can't really fix a building with a flawed foundation or a ship with a broken keel. If those parts aren't right, nothing else matters.
In the 1990s, the world decided to base virtually all computer systems upon an operating system designed by Microsoft. Systems were changing radically over the span of months. Millions of dollars in computer investment could be rendered completely useless if the computer world changed direction. The panic led to sort of a terrified groupthink - we had to make sure we were on the garden path to computer goodness as soon as possible. We didn't choose Microsoft because it was better, or because it was secure, but because in 1992, it looked like the only thing that would work. Now, in 2006, we know (as will be attested by the numerous Microsoft astroturfers who will undoubtedly respond to this posting) that you really can use any operating system to get the job done. The fear of total obsolescence has turned out to be unfounded. We had more of a choice in 1992 than we really thought.
The question is not whether or not we made the right choice. It is rather how far the fragments of the ship have to sink before we decide to abandon it. How much of the building has to collapse before we evacuate it? How many wheels have to fall off of the car before we pull over and call for a tow truck? The thing we most feared back in the 90s - total system failure for making the wrong crucial underlying choices, is happening every single day. When will we wake up and respond accordingly?
If only the management and "IT" dept at my place of work could be convinced of this fact. A security professional, with a useful budget could have a field day in finding issues here - hell, I could show them a few myself.
Despite having been told that various passwords are insecure, said passwords still haven't been changed "because it is easier". This is even the case where such passwords do not even conform to their OWN password and computer security documentation. Or where the method of implementation is poor - not enabling shadow passwording, having max significant characters of 8 on a Linux box, using telnet for logins over the LAN rather than ssh, lack of coherent security policy for laptops until about last year, etc., etc.
You can lead a horse (yourself) to water, but you cannot make them (yourself) drink.
Since when is this news? This is repeating what we've already known since Windows 95.....
Often information security is a compromise; we try to secure a company as much as they will allow. I've found that politics is a major factor and very few of a company's employees like to be reined in. Add to that the fact that many software applications can't be locked down very much or they will cease to function, and you have compromised security. It's a balancing game: try to secure as much as possible, within the limits a company sets for you. Besides, as we all know, there is no perfect security system/method; if a hacker wants to get in bad enough, he will find a way. We just try and make it as hard as possible.
It is all too easy to point the finger. The 'vulnerabilities' listed are in fact many tiered and go back to the founding of the 'internet.'
It is affected by all the layers of the 'net
Transport:
Remember that the net was designed to be an alternate method of communication for the US Defense Dept in the event of a nuclear conflict. This means it was designed with the (then quite valid) assumption that all those connected were 'trusted' as it was an entirely closed system.
OS Architecture:
Consider that the number one (in terms of number of users) OS company didn't consider security as part of their OS architecture until their 2000 release. Even then it was limited by the 'need' for backwards compatibility with previous systems.
Application Code:
Ever notice that the SDLC doesn't have any security concepts as part of it? While there are now methodologies (such as CLASP) that help introduce security into the dev process, we still have a culture that is blissfully uninterested in security. A lot of developers have no idea what race conditions or overflows are - much less how to prevent their occurrence.
Management Layer:
Product managers only care about getting something 'shippable' out the door by their magical ship date. Bugs and such can be fixed 'later.' Most suits only started caring about security (other than as a marketing tool) when their firms started getting slammed in the mainstream media and it started to affect the value of their stock options.
End users: While we absolutely have to have pity for grandma who just bought her new computer, somehow people shut their brains down when they get in front of the monitor. If someone walked up to you in the street and said 'hey - give me your bank account information so I can wire you some money from my country and you get to keep some', you would call the police. But when it's in an email...
Media: The media has had some good benefits in terms of making security an issue, but they are also good at causing the management teams to focus their energies on the wrong problems. Remember a few years back when the DDoS attacks started happening? The news reported that the big content providers were getting hammered. The real story at the time was the botnet that launched the attack. Botnets are in the media now - but a couple of years too late.
Basically there is no one person or group to blame. The entire system is fundamentally flawed on all the levels, and the results are cumulative.
"Omnis tuus capsa sunt inesse nos"
Just about every one of them is a clueless arrogant blowhard, with no understanding of the world around them. Sitting around staring at BugTraq each day and then going into an apoplectic frenzy when a new issue shows up.
"Here here here here here!!! There's a new threat! We have to put this untested patch on our servers immediately!!!"
"Uh, this patch is for Windows. Our servers are running Linux."
"Linux can run Windows apps through em-em-emulation. We have to patch it!"
"Yes, that's true, you can install an emulator on Linux and run Windows apps. However, these are production servers and we AREN'T RUNNING any Windows apps."
Next thing you know, you're spending the rest of the afternoon installing Wine or VMware, just so you can apply the patch. Fucking 'security' guys. All lame ass grabbers. "Oh crap, make sure you hold onto your butthole. Otherwise it's possible you might shit your pants unexpectedly. I saw it on BugTraq."
Anything that is beyond a certain level of complexity is very likely to be insecure, in my opinion. Most human beings are not smart enough to violate the KISS principle regularly and get away with it, but programmers tend to think they are infallible. Building one's code on top of someone else's more complex code doesn't really help in terms of security, as you have to either blindly trust the simplified abstractions of the more complex code or know it so thoroughly that it might as well be your own. Please stop making frameworks which make it "easy" to make complex and insecure and SLOW systems. You are saving in development costs at the programmer level, but everyone ELSE is paying for that 100-fold. Computers are tens of thousands of times more powerful than when I started using them, but "professional" programmers have reduced the potential increase in utility to a factor of maybe a hundred, due to lost productivity. Thanks programmers, great job there. As a final fitting ending to the article, the comment system on that site does not work.
Hey, do you know why some programmers now want to use web-based applications? Because Java simply isn't slow enough to overcome recent hardware performance increases. Damn I hate you.
The fault lies on many fronts for the failure of information security, and all of the other disciplines of security. In the past the security profession had a limited scope. The industrial park security guard was the American stereotype for the profession. Since then, the security profession has become more specialized. The multiple disciplines like information, personnel, industrial, education and training, intelligence, and system security engineering are only a few examples of the specialization. With the specialization, more training and education is required to fill these more technical positions. So where does security start to fail? From my experience I have seen all of the specialized security positions create single point failures. What this means is only one person can do this function and when they are away TDY, on vacation, or home sick, the position becomes a single point failure because there is no reach back. With limited personnel due to doing more with less, and the one position one person mentality, the failure of security becomes apparent. This also impacts the ability of security managers to discipline the only person they have doing the job, because the risk of losing the employee and the time replacing them could outweigh the benefit of losing them. It also creates time impacts and inhibits security professionals' ability to conduct reviews of their contractors, and their own processes, to ensure compliance. This leads the contractors to complacency. It impacts the ability of security professionals to receive training on new culture changes and stay current with the latest policies and directives. The truth is management needs to step back and realize that doing more with less is really doing less with less and creates failure.
TFA says "AvanteGarde deployed half a dozen systems...average time until successful compromise was four minutes." If you read the AvanteGarde article you find that the systems with a firewall (either ZoneAlarm or SP2) were not compromised (neither were the Linux or Mac machines). He totally misrepresents the article. While he has some valid points, he starts out his article like a troll.
Speaking as an Information Security Professional:
If more IS professionals spent their time actively understanding their clients' business drivers and protecting their interests, rather than submitting links to Slashdot for their Google Ads-linked blogs, mayhaps we'd be in a slightly better position.
We don't need more Steve Gibsons. My two incendiary cents.
M
trustedworlds.net - gaming, security, and the gunk that lives in between
More troublesome is if a problem happens later, and although you are not held responsible (having sensibly covered your ass beforehand as above), you're told to "cover it up". If your company has an ombudsman, a rapid visit is in order; otherwise, lawyer up and find a new job... fast.
//Information does not want to be free; it wants to breed.
I'm waiting for part 2. I assume that will be the recommendations to "fix" the security mess we are in. We should see some good anti-Microsoft bashing then.
zenray
With more and more banks in India going online, some are truly online, i.e. you can do whatever you want as though you were physically present at their branch. Security needs to be given prime importance.
1) All ecommerce websites created should be certified by a TESTING authority before they are allowed to go online
2) Even after certifying, the TESTING authority should carry out random unannounced remote tests once every 3 months
Chris,
Php Programmers.
I first read the headline as "The Failure of Information Society", and I thought to myself, "Nah, they didn't do too badly. You still hear one of their songs once in a while." *doing*
*slight crashing sound*
According to my contact in R&D at Evil Geniuses for a Better Tomorrow, the ray also works quite well over CAT-5 Ethernet, due to the similarity to phone wire. Adapting it to run over 802.11a/b/g/pre-n wireless took more work.
//Information does not want to be free; it wants to breed.
Congratulations, Noam, you did it! You registered a domain for the purposes of posting a little rant to indict the entire Security Profession. Then you got Slashdotted. Bravo.
Good thing you included a link to your consulting services in the article byline. Otherwise, people wouldn't know where to go to hire such an insightful luminary. You were also smart enough to make your article inflammatory against the entire security profession, just to drive readership. Again, well done.
The truth is, this could have been a half-decent article that I might share with my C-level folks if it weren't so full of accusations against security professionals. In fact, it would have made a half-decent rant if it weren't so full of inconsistencies and half-truths. What we are left with is drivel, and marketing-driven drivel at that. At least have the courage to post it on your site or your company's site so people can identify it for what it is.
After reading your article, you were so successful in getting me enraged that I had to know, "Who is this jerk, Noem Eppel?" I did a little research.
Are you the same Noem Eppel who said:
The onus should be on the software and security industry - those that are responsible for designing the products - to make software which is not only safe to use by default, but easy to secure.
In 2004?
But today says:
We as security professional [sic] are drastically failing ourselves, our community and the people we are meant to protect.
Who next will you point your finger at?
I think we can all agree that the state of security is bad, but your insinuation that security professionals are some kind of slackers, content with their own failure because they are "enjoying a surge in business and growing salaries", is disgusting. If you want to indict the character of a profession, you'd better have stronger ground than that to stand on. If you said the same thing about doctors being slackers who are content with their failure because diseases are on the rise, you would be mocked and scorned.
Do you know what gave you away, Mr. Eppel? The constant barrage of unrelated statistics loosely stitched together to reinforce your 'expertise'. Having a day job myself, I don't have time to refute your editorial line by line, so here's my favorite from your article:
In some cases, even our best recommended security practices are failing.
In a recent experiment, AvanteGarde deployed half a dozen systems in honeypot style, using default security settings. It then analyzed the machines' performance by tallying the attacks, counting the number of compromises, and timing how long it took an attack to successfully hijack a computer once it was connected to the Internet. The average time until a successful compromise was just four minutes!
Which information security professional thinks that "our best recommended security practices" include deploying systems "using default security settings"?
Of course, we are assuming that you are an information security professional. I think it telling that you post no CV, no credentials, not even an email address to offer up your authority to speak on the subject. You use the pronoun, "we", to claim your place among the accused, but offer no evidence, convincing or otherwise, as to why you should be considered a peer among the noble practitioners of this worthy vocation.
Mr. Eppel, you have done what no other journalist, blogger, cyber-idiot, or troll has managed to do. You have insulted my profession and me beyond excuse. I've never felt the need to respond to anything as strongly as your piece of drivel.
I'm posting this reply to Slashdot rather than your site, because I don't believe you have earned the traffic your article has already generated. Although I may be modded down, I would gladly give every bit of karma I have to see this garbage ripped from the web and you forced to apologize publicly for your outrageous remarks.
Go read COBIT or something and leave those of us who are trying to make things better alone.
Warmonger. Troll. Charlatan.
Sigs are for lusers. Hey! wait a second...
Give a hoot! Care about IT!
P2P Anonymous Distributed Web Search: http://www.yacy.net/
From TFA: It was able to perform 256 DES operations in 56 hours.
Wow. 256 operations in 56 hours - that's what 4.57 operations per hour, give or take?
--Dg
Contrary to what people think, security is about managing risk - not getting rid of it in its entirety.
Have you tried to get a CEO to use a secure password even while running libcrack? Good luck. They will tell you that you work for them, and you have to do what they want.
So you always have at least one user who is an exception to the rule and considers what they do to be an ACCEPTABLE risk.
I got a call from "citibank" the other day on my office phone. They said they have a pretty good offer to give me and went ahead and gave me a fantastic offer. Then they asked me my full name (ahem!). And then they asked some more details (innocuous ones) until finally they asked my credit card number. That's exactly when I hung up. I know people who would happily give out this information without even realising what's happening!
There are also instances of people being asked to fill out forms which ask for too many personal details, and I have seriously wondered, "what if this falls into the wrong hands?" They could use that info to break open *most* passwords to my mail and other internet accounts.
In fact my Manhattan card account personnel only ask for my name, address and telephone number for verification! Jesus!
So my question is, if somebody does a security breach via social networking, how is it that "information security" has failed?
I don't have any stats for DDoS attacks, but the evidence suggests that recruitment of bots has not diminished. Tens of thousands of bots for a low-skilled bot herder is common. Hundred-K bot herds exist.
One vector for bot recruitment is browser exploits. An astonishingly high proportion of websites host hostile pages - by design or through being compromised themselves.
I'm wondering what it will take, how much the loss will have to be, before companies start wising up to security. Maybe a multi-billion dollar class action suit against the credit card company that let their CEO carry home everyone's account on his laptop. Nah, not even then. Companies will continue their bonehead insecurity practices until the day civilization collapses to pre-1969 levels.
A Government Is a Body of People, Usually Notably Ungoverned
No, it wasn't. There are many scholarly books that detail the complicated conditions that brought about the Internet; I suggest you find and read a few. While intertwined with the cold war, and the product of research into how such resilient communication might be possible, that wasn't the intent of the effort that began ARPAnet and the Internet. Hafner's "Where Wizards Stay Up Late: The Origins Of The Internet" is lay-readable and on my bookshelf, but there are others.
The claim that the Internet could survive a nuclear strike has been refuted several times. In theory, the construction of the internet could be expanded to withstand a nuclear strike; in practice, there are currently too many single points of failure in routing and operation located too close to prominent nuclear targets. It probably wouldn't die outright (many small LANs might still work, assuming they survive the initial EMP, especially where a paranoid Sysadmin still maintains an /etc/hosts file), but I doubt you'd have any nodes able to connect to more than 25% of the surviving machines... if that.
The initial nodes were "trusted", but not because they were secure military machines. Most of the earliest (pre-1970) network sites were universities.
As for your claims about the media, they greatly understate the depth of their cluelessness. The last mass media piece about computing that got it right was "SPACEWAR: Fanatic Life and Symbolic Death Among the Computer Bums," published by Rolling Stone in 1972. I've seen nothing with comparable understanding published in national newspapers, magazines, or broadcast (TV/Radio) that's gotten the details so consistently right since.
//Information does not want to be free; it wants to breed.
Personally, I think the best way for a company to deal with user stupidity is twofold. First, give a class that teaches basics such as password security, how to use a virus/spyware scanner, polite email etiquette. Have it catered, pay for their time. Then at the end, pass out printed material that matches what was covered, and announce that anyone who causes a loss of productivity due to not following the guidelines of the acceptable use policy will be warned once, then fired. I have a pet theory. I call it the "Shit Smeared Stall Effect". No one would smear their home bathroom with feces. They have to *live* there after all. But a public restroom will probably be used only once per day. If you defile it, it won't affect you since the cleaning crew comes in that night and pretties it up. These people don't care about their work computers. What's the worst that can happen? IT takes their comp off to be re-imaged, and they sit and twiddle their thumbs for a while? That's hardly a deterrent.
I'm fairly new in the world of IT. How do eye scanners or fingerprint scanners fare? Will diversity not solve a lot of these problems? At least to a certain extent. And if Linux was used it would also save a hell of a lot of money... Forgive me, I'm not an expert, but isn't it possible to secure Linux much more than, say, Windows? Why isn't Linux being presented as a business case by these CIOs?
I agree with other comments that it's ridiculous to blame "security professionals". By the way, who are security professionals? Aren't they the people who have to try to make existing software secure? He's not talking about software developers, he's talking about IT staff. The reason there's no security is that the OS everyone uses doesn't provide much. He mentions that if you buy a brand new computer off the shelf and plug it in to the Internet, it will immediately get hacked. That's not the "security professional's" fault, that's Microsoft's fault. The fundamental problem is that the software that underlies the entire infrastructure wasn't designed with security in mind. The security professionals can work as hard as they want and they're never going to fix the problem. The solution is to fix the infrastructure, which means replacing Windows with something built with security in mind. Windows is too big and complicated to just tack security on somehow. The various products (McAfee, etc.) that try to filter everything Windows does are too intrusive and cumbersome, and half the time when Microsoft tries to fix the OS itself they break something.