Slashdot Mirror
The Failure of Information Security
Noam Eppel writes to share a recent editorial regarding the current state of information security. From the article: "It is time to admit what many security professional already know: We as security professional are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect."
The sad reality of the matter is the vast majority of the threats they mention - Spyware, phishing, Trojans, viruses, worms, rootkits, spam, web app vulnerabilities & ddos attacks - are enabled by the existence of botnets (to stage attacks from, send spam, provide anonymity, host phishing webservers, etc)
The source of (the vast majority of) botnets is Microsoft's security failures in the late 90's/early 00s. How are security professionals supposed to combat something that happened in the past in another company?
Furhtermore, the list of data lossescan be blamed on companies who have failed to follow their security team's advice. Not on the security team itself.
The story makes some good points, but blames the wrong people.
There are shills on slashdot. Apparently, I'm one of them.
Information security is failing also because information needs to be managed and addressed by non technical people! Also known as "normal people".
Techniques like phishing or social engineering, as well as a good dose of stupidity and ignorance, can make security technologies useless!
Like writing down on leaflets PINs and passwords or communicating them via email.
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
I know I am stating the obvious here, but I still think the human factor is almost always greatly underestimated.
It must be someone's fault it's not perfect. Okay, I don't want a tomb but be able to interact with the outside world, so I still want doors and windows. But I think the contractors are secretly conspiring together and failing us security wise, because there should be completely unbreakable windows & non-pickable locks on the marketplace. WAAAAH!
"We as security professional are drastically failing ourselves, our community and the people we are meant to protect"
BS
You cannot solve cultural problems with technology:
http://news.bbc.co.uk/2/hi/technology/3639679.stm
In the Summer of 2003, the Internet suffered three major worms: Blaster, Nachi, and SoBig.
We haven't had a worm since. There have been no systemic outbreaks in over three years. Sure, we've had mild rashes, but Zotob vs. Nachi isn't even a comparison, nor is Blaster vs. WMF.
IE attacks are deeply problematic -- they're wonderfully targetable, among other things. But there's really no replacement for zero-interaction, receive-a-packet-and-you're-owned style vulnerabilities. SP2 put a firewall on every desktop that cared. Since then, no worms.
That's not to say we're not fighting a painful battle. Really, every day we get to still bank online is another day I'm surprised. But the fact that SP2 was written, was free, and was actually deployed enough to matter is one hell of a win.
The sad reality is that information security is rather hard to achieve in an imperfect environment and without unlimited resources.
To make a bad analogy, it is hard to physically protect your client/employer if they insist on partaking in high-risk pursuits, and the environmaent is harsh and dangerous. Email-header spoofing, bot-nets, vulnerabilities in 3rd part software - these are not under the control of the admin, at least not if you are committed to the Microsoft platform.
The same could be said that a doctor cannot be held responsible for their patients health, if their patient is a chain-smoking, alcoholic base-jumper who rides his a monocycle down the freeway at 100 km/h.
You and your wife spent some time preparing and getting some type of defense up AND maintaining it. The great majority of people I deal with think that they can install Windows update once and they will be good. Or my favorite, "I have XP (windows) so I don't know what could have gone wrong." People click where they shouldn't click, go where they shouldn't go and do things without thinking.
The only good analogy to help people understand the importance of security updates is vaccines for children. They may have to go back periodically to the Doctor to make sure all their shots are up to date. And if you think of the web as a disease ridden place, then it would make sense to wear some type of protection when you muck through it.
You hit the nail on the head here. Three things are needed for a mostly safe computer experience:
1: Some basic user education (could be the hardest one)
2: Tools like Firefox, AdAware, Windows update, Firewall. Get em, use em.
3: UPDATES!!! what good is a vaccine if it is out of date? Get regular updates for Windows, Firefox, and other tools.
Most people are clueless when it comes to all three.
I've specifically decided not to go for any security certs because of hoo-haw attitudes demonstrated in articles like this. As a regular sys-admin, no one listens to my recommendations in the first place, why ratchet up the accountability by being a certified scapegoat?
This article is a riot act equivalent to calling out doctors to take accountability for people who run with scissors.
Don't have kids, do you?
Most security problems do not enter the company through the company firewall/mail gateway. They are *carried* into the building on employees (surprisingly often: managers) laptops. Laptops that are used at home for the kids to play with, browse the web or whatever. Or for the own employees entertainment.
I don't have kids but a while ago I had a friend visit me, together with her 12-year old daughter. We kinda lost track of her whereabouts and found her behind my company laptop (in my study) on MSN or something like that. I run Linux and was logged in as myself, not as root, so the damage that she could have done to the OS was minor, but she got told off anyway. She now knows next time she'll have to ask and she's got her own account now on my private desktop. But how many people will happily let their or other peoples kids use a company laptop while being logged in as Administrator?
Another poster suggested that all laptops should be on a separate network, and I presume he also meant that this network should be firewalled off from the rest of the company network in such a fashion that only the standard applications/protocols are allowed. (Better yet: firewall each laptop off from the other laptops.) Unfortunately, in large companies with a mixed desktop/laptop environment, this is incredibly difficult to achieve.
If you don't have any anti-virus software installed, or at least a scanner, how would you know whether your computer is infected or not? If your machine belongs to a bot net, you probably don't know about it.
:)
To put it another way: Just because you have no symptoms doesn't mean you don't have cancer.
Is this little traffic light on your router blinking 24/7?
With the first link, the chain is forged.
Especially when they're senior management types? You can bitch all you want to anybody you can find who'll listen to you but at the end of the day most companies place senior management and they're desires ahead of those of the IT department: if Company Director X declines to follow IT dept guidlines on security procedures, there is nothing IT can do to him and his activities which won't result in the IT guys being fired.
So some Top Dog asshat opens a gaping hole into the company's system and there's not a damn thing IT can realistically do about it, bacause in most cases they are too far down the pecking order to get their way, but will still be blamed for the breaches and disasters that follow anyway.
What many computer professionals don't realize is that a certain amount of loss due to crime is inevitable at any medium to large business. Stores like Walmart and Target have huge "shrinkage" problems, many times due to the employees themselves. Banks are constantly the victim of their own people all the way up to the VP level. Because of this, businesses are forced to make the calculation about how much security will save, vs. how much will be lost due to crime. If you want Military level security, you can buy it, but even the Military has had to deal with stolen information.
The trick is getting a better crystal ball and figuring out how much a breakin will cost. Since the IT people often can't properly predetermine the cost of normal projects, predicting the cost of a hypothetical crime will be less acurate than predicting the weather. Perhaps instututes like SANS could put dollar number formulas on each threat type. Even though the formulas would require too many assumptions to be accurate to us, management types could plug in what they think and have the OMG moment w.r.t. security or lack thereof.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
Information Risk Managers didn't fail; their profession matured to the point that they realized that there is no such thing as "Security" and attempting to secure information from all commers is doomed to failure. The goal of our profession is "Risk Management" which involves:
Identifying what is at risk.
Identifying the threats to the assets.
Assisting the business assign value to those assets. (Yes the business and not the Security prof. is end decider on value)
Analizing the risk to those assets from identified threats
Assitsting the business in a risk assessment.
Information Risks are just that Risks. Business have been making decisions around business risks for ages and the successful ones stay in business. Nothing new here move along move along.
If you still think you can provide "Security" then you are indeed a failure; however, with some new training and a slight ego reduction you can start over as a Information Risk Manager.
If you ask a building design engineer to tell you the most important part of a building, they'll say the foundation. If you ask a historian to tell you the most important part of the U.S. government, they'll say the Constitution. Aircraft - airframe. Car - chassis. And so on.
When you build anything, you make certain fundamental underlying decisions that affect how the rest of the system works - forever. If something is fundamentally broken about any of these core decisions, the structure will be irreparably and irrecoverably broken. It is universally understood that you can't really fix a building with a flawed foundation or a ship with a broken keel. If those parts aren't right, nothing else matters.
In the 1990s, the world decided to base virtually all computer systems upon an operating system designed by Microsoft. Systems were changing radically over the span of months. Millions of dollars in computer investment could be rendered completely useless if the computer world changed direction. The panic led to sort of a terrified groupthink - we had to make sure we were on the garden path to computer goodness as soon as possible. We didn't choose Microsoft because it was better, or because it was secure, but because in 1992, it looked like the only thing that would work. Now, in 2006, we know (as will be attested by the numerous Microsoft astroturfers who will undoubtedly respond to this posting) that you really can use any operating system to get the job done. The fear of total obsolescence has turned out to be unfounded. We had more of a choice in 1992 than we really thought.
The question is not whether or not we made the right choice. It is rather how far the fragments of the ship have to sink before we decide to abandon it. How much of the building has to collapse before we evacuate it? How many wheels have to fall off of the car before we pull over and call for a tow truck? The thing we most feared back in the 90s - total system failure for making the wrong crucial underlying choices, is happening every single day. When will we wake up and respond accordingly?