The Failure of Information Security
Noam Eppel writes to share a recent editorial regarding the current state of information security. From the article: "It is time to admit what many security professionals already know: We as security professionals are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect."
The sad reality of the matter is that the vast majority of the threats they mention - spyware, phishing, Trojans, viruses, worms, rootkits, spam, web app vulnerabilities and DDoS attacks - are enabled by the existence of botnets (to stage attacks from, send spam, provide anonymity, host phishing webservers, etc.).
The source of (the vast majority of) botnets is Microsoft's security failures in the late 90's/early 00s. How are security professionals supposed to combat something that happened in the past in another company?
Furthermore, the list of data losses can be blamed on companies who have failed to follow their security team's advice. Not on the security team itself.
The story makes some good points, but blames the wrong people.
There are shills on slashdot. Apparently, I'm one of them.
We as security professionals are drastically failing ourselves, our community and the people we are meant to protect.
This is quite harsh. While it is true that more could be done, it is also true that it is thanks to security professionals that things are not as bad as they could be. Yeah, Norton and McAfee are doing their best to scare consumers into buying software that provides ridiculous security. But this is not what we mean by "professionals".
Also, I am not a "security professional" but I have done my fair share of configuring and securing other people's computers; sometimes they might have been compromised anyway, but if I had done nothing, many more systems would have been in danger.
The article lists a long series of threats that endanger our systems everyday - but I fail to see how they are related to security professionals not doing their job. I'd rather blame the criminals.
Global warming is a cube.
Information security is failing also because information needs to be managed and addressed by non-technical people! Also known as "normal people".
Techniques like phishing or social engineering, as well as a good dose of stupidity and ignorance, can make security technologies useless!
Like writing down on leaflets PINs and passwords or communicating them via email.
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
I've read the article and while it's a very informative collection of statistics, I don't believe that Security Professionals are responsible for many of the "Security Failures" listed, nor can they fix the problems. Security Consultants already know most of this stuff and can say what they like to a business, but they do not make the final decision. The holes are in the OS's and the platforms businesses choose and generally the priority isn't security - it's usability, ROI, cost, etc.
Another point: What are we comparing this to anyway? What I mean is, "bad security" compared to what? How many millions of attempts at compromising security are foiled vs. those that get through? The times when businesses actually follow what a security consultant recommends, I guarantee they become a hell of a lot more secure than those that don't.
"Who says nothing is impossible? Some people do it every day!" - Alfred E. Neuman
I know I am stating the obvious here, but I still think the human factor is almost always greatly underestimated.
It seems to me that if the computer networks and computer industry enjoyed real regulation, any yahoo who passes a CompTIA test wouldn't be able to claim to be a computer consultant, or a security expert, and be allowed to set up crap that allegedly puts our nation at risk via cyberterrorism, as the trumpeters keep blaring. Imagine if anyone could just say he was a lineman and start modifying the power grid, or a police officer and start arresting people. If data is as important as power and control (they are all important types of busses, no?), then data people have to be better trained and regulated like power and control people. Ah, but it's a nascent profession...
I live and thrive on the inability of people. It's my job to find and eliminate trojans, worms and other malware.
Time and again I see proof that people, smart people, people with a master's degree and Ph.D., lawyers and bankers, managers with a six to seven figure annual income, become mumbling fools in the presence of a computer. I don't know what it is that those magical boxes emit, but it must be akin to the stupidity ray used in Zak McKracken. Lucas got it wrong there, it's not transmitted through the phone line, it comes out of your computer screen.
Now the argument comes "Then don't allow them to f... up the system, lock them down and take away their permissions". Anyone who ever said that statement never worked with managers that have egos that require their own offices. Don't you, grunt, DARE to take away any options from him! He is the master of the world, he is the chieftain of chieftains, and YOU dare to tell HIM what he may and what he may not do?
Security is nice on paper, but it is very hard to do in reality. Not so much because of its technicalities. The human factor is by far underrated in IT sec.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It must be someone's fault it's not perfect. Okay, I don't want a tomb but be able to interact with the outside world, so I still want doors and windows. But I think the contractors are secretly conspiring together and failing us security wise, because there should be completely unbreakable windows & non-pickable locks on the marketplace. WAAAAH!
The management level corporate posture towards IT security goes like this:
- We want to have our machines and network secure as long as it doesn't cause too much hassle to people and we don't pay a lot for it.
In other words, forget about big hardware changes, forget about changing the OS/E-mail client/Word editor/Web browser on the desktops of the staff, forget about getting all laptop users in their own sub-network and forget about retraining our staff to use computers in a way that helps improve our IT security. Oh, and by the way, if the CEO or some other VIP has some funky new program on his laptop that can't connect to the Net, just open those ports in the firewall.
And now IT Security professionals are to blame?
What's next? Maybe the cleaning lady at Enron was the one responsible for defrauding the investors????
"We as security professionals are drastically failing ourselves, our community and the people we are meant to protect"
BS
You cannot solve cultural problems with technology:
http://news.bbc.co.uk/2/hi/technology/3639679.stm
In the Summer of 2003, the Internet suffered three major worms: Blaster, Nachi, and SoBig.
We haven't had a worm since. There have been no systemic outbreaks in over three years. Sure, we've had mild rashes, but Zotob vs. Nachi isn't even a comparison, nor is Blaster vs. WMF.
IE attacks are deeply problematic -- they're wonderfully targetable, among other things. But there's really no replacement for zero-interaction, receive-a-packet-and-you're-owned style vulnerabilities. SP2 put a firewall on every desktop that cared. Since then, no worms.
That's not to say we're not fighting a painful battle. Really, every day we get to still bank online is another day I'm surprised. But the fact that SP2 was written, was free, and was actually deployed enough to matter is one hell of a win.
I usually don't post but this article is really too much.
In other news, firefighters KEEP fighting fires worldwide! Despite their work, fires seem to keep burning stuff all over the world! Shock!
News at 11! Ambulance personnel and hospital staff are fighting an uphill battle! Patients keep coming in! Where does it end?
Seriously, as long as you have people using any mechanism (computer/car/whatever) there will be people who break it, people who benefit from breaking it and people who try their utmost to KEEP it from breaking.
I'm *really* looking forward to the followup article which will tell us all how to "fix" this. Mayhaps a rant on buffer overflows? The virtues of "safe" languages? Sane input validation? Sigh.
The sad reality is that information security is rather hard to achieve in an imperfect environment and without unlimited resources.
To make a bad analogy, it is hard to physically protect your client/employer if they insist on partaking in high-risk pursuits, and the environment is harsh and dangerous. Email-header spoofing, botnets, vulnerabilities in 3rd-party software - these are not under the control of the admin, at least not if you are committed to the Microsoft platform.
The same could be said of a doctor, who cannot be held responsible for their patients' health if their patient is a chain-smoking, alcoholic base-jumper who rides a monocycle down the freeway at 100 km/h.
Seriously, I'm asking. :-)
Here's what my wife and I have been doing. We both have computers, and we use them for very different things. Mine is for games, programming, internet, and my wife's is for CAD, Photoshop, internet.
They're both pretty much set up the same, other than the OS. My wife's runs Windows 2000 and mine runs XP. Both are connected to the Internet via a Linksys wired router. Both run Firefox only as the web browser. The Windows 2000 box runs ZoneAlarm as the firewall, and mine runs Windows Firewall. We both use GMail as our email tool.
Other than that, there isn't much security software installed. I don't even have an anti-virus.
I am pretty diligent at applying patches, however. Firefox and ZoneAlarm both notify me when a patch is available, so I apply them when they pop up. I run Windows Update weekly. I also have Ad-Aware and Spybot Search and Destroy that I run weekly as well. Other than the usual ad cookie (DoubleClick, etc.), they've yet to discover something.
The only problem I've had with machines is with a bit of spyware that got installed. It was one of my wife's first online experiences, and she clicked on something she shouldn't have, AND she was running IE. I ended up reinstalling the OS, and after a very short Firefox tutorial, it was the end of spyware on her computer.
(As an amusing side effect, she's now become quite the advocate for secure online habits and for Firefox. Most of her family and friends are all Firefox users now. Can we get a free T-Shirt :-) ).
So what's the problem? Is it bad habits, or is it really that bad out there?
Phemur
I've specifically decided not to go for any security certs because of hoo-haw attitudes demonstrated in articles like this. As a regular sys-admin, no one listens to my recommendations in the first place, why ratchet up the accountability by being a certified scapegoat?
This article is a riot act equivalent to calling out doctors to take accountability for people who run with scissors.
If you don't have any anti-virus software installed, or at least a scanner, how would you know whether your computer is infected or not? If your machine belongs to a bot net, you probably don't know about it.
:)
To put it another way: Just because you have no symptoms doesn't mean you don't have cancer.
Is this little traffic light on your router blinking 24/7?
With the first link, the chain is forged.
Especially when they're senior management types? You can bitch all you want to anybody you can find who'll listen to you, but at the end of the day most companies place senior management and their desires ahead of those of the IT department: if Company Director X declines to follow IT dept guidelines on security procedures, there is nothing IT can do to him and his activities which won't result in the IT guys being fired.
So some Top Dog asshat opens a gaping hole into the company's system and there's not a damn thing IT can realistically do about it, because in most cases they are too far down the pecking order to get their way, but will still be blamed for the breaches and disasters that follow anyway.
What many computer professionals don't realize is that a certain amount of loss due to crime is inevitable at any medium to large business. Stores like Walmart and Target have huge "shrinkage" problems, many times due to the employees themselves. Banks are constantly the victim of their own people all the way up to the VP level. Because of this, businesses are forced to make the calculation about how much security will save, vs. how much will be lost due to crime. If you want Military level security, you can buy it, but even the Military has had to deal with stolen information.
The trick is getting a better crystal ball and figuring out how much a break-in will cost. Since the IT people often can't properly predetermine the cost of normal projects, predicting the cost of a hypothetical crime will be less accurate than predicting the weather. Perhaps institutes like SANS could put dollar number formulas on each threat type. Even though the formulas would require too many assumptions to be accurate to us, management types could plug in what they think and have the OMG moment w.r.t. security or lack thereof.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
If you ask a building design engineer to tell you the most important part of a building, they'll say the foundation. If you ask a historian to tell you the most important part of the U.S. government, they'll say the Constitution. Aircraft - airframe. Car - chassis. And so on.
When you build anything, you make certain fundamental underlying decisions that affect how the rest of the system works - forever. If something is fundamentally broken about any of these core decisions, the structure will be irreparably and irrecoverably broken. It is universally understood that you can't really fix a building with a flawed foundation or a ship with a broken keel. If those parts aren't right, nothing else matters.
In the 1990s, the world decided to base virtually all computer systems upon an operating system designed by Microsoft. Systems were changing radically over the span of months. Millions of dollars in computer investment could be rendered completely useless if the computer world changed direction. The panic led to sort of a terrified groupthink - we had to make sure we were on the garden path to computer goodness as soon as possible. We didn't choose Microsoft because it was better, or because it was secure, but because in 1992, it looked like the only thing that would work. Now, in 2006, we know (as will be attested by the numerous Microsoft astroturfers who will undoubtedly respond to this posting) that you really can use any operating system to get the job done. The fear of total obsolescence has turned out to be unfounded. We had more of a choice in 1992 than we really thought.
The question is not whether or not we made the right choice. It is rather how far the fragments of the ship have to sink before we decide to abandon it. How much of the building has to collapse before we evacuate it? How many wheels have to fall off of the car before we pull over and call for a tow truck? The thing we most feared back in the 90s - total system failure for making the wrong crucial underlying choices, is happening every single day. When will we wake up and respond accordingly?
It is all too easy to point the finger. The 'vulnerabilities' listed are in fact many tiered and go back to the founding of the 'internet.'
It is affected by all the layers of the 'net.
Transport:
Remember that the net was designed to be an alternate method of communication for the US Defense Dept in the event of a nuclear conflict. This means it was designed with the (then quite valid) assumption that all those connected were 'trusted' as it was an entirely closed system.
OS Architecture:
Consider that the number one (in terms of number of users) OS company didn't consider security as part of their OS architecture until their 2000 release. Even then it was limited by the 'need' for backwards compatibility with previous systems.
Application Code:
Ever notice that the SDLC doesn't have any security concepts as part of it? While there are now methodologies (such as CLASP) that help introduce security into the dev process, we still have a culture that is blissfully uninterested in security. A lot of developers have no idea what race conditions or overflows are - much less how to prevent their occurrence.
Management Layer:
Product managers only care about getting something 'shippable' out the door by their magical ship date. Bugs and such can be fixed 'later.' Most suits only started caring about security (other than as a marketing tool) when their firms started getting slammed in the mainstream media and it started to affect the value of their stock options.
End users: While we absolutely have to have pity for grandma who just bought her new computer, somehow people shut their brains down when they get in front of the monitor. If someone walked up to you in the street and said 'hey - give me your bank account information so I can wire you some money from my country and you get to keep some' you would call the police. But when it's in an email...
Media: The media has had some good benefits in terms of making security an issue, but they are also good at causing the management teams to focus their energies on the wrong problems. Remember a few years back when the DDoS attacks started happening? The news reported that the big content providers were getting hammered. The real story at the time was the botnet that launched the attack. Botnets are in the media now - but a couple of years too late.
Basically there is no one person or group to blame. The entire system is fundamentally flawed on all the levels, and the results are cumulative.
"Omnis tuus capsa sunt inesse nos"
More troublesome is if a problem happens later, and although you are not held responsible (having sensibly covered your ass beforehand as above), you're told to "cover it up". If your company has an ombudsman, a rapid visit is in order; otherwise, lawyer up and find a new job... fast.
//Information does not want to be free; it wants to breed.
I got a call from "citibank" the other day on my office phone. They said they have a pretty good offer to give me and went ahead and gave me a fantastic offer. Then they asked me my full name (ahem!). And then they asked some more details (innocuous ones) until finally they asked my credit card number. That's exactly when I hung up. I know people who would happily give out this information without even realising what's happening!
There are also instances of people being asked to fill out forms that ask for too many personal details, and I have seriously wondered - "what if this falls into the wrong hands".. they could use that info to break open *most* passwords to my mail and other internet accounts.
In fact my Manhattan card account personnel only ask for my name, address and telephone number for verification! Jesus!
So my question is, if somebody does a security breach via social engineering, how is it that "information security" has failed?