Friday, May 12, 2006

Security Absurdity - more comments

Noam Eppel wrote an article called "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." that generated a lot of noise in the security community. I decided to comment it in my blog too.

Yes, it's really too-FUD. But it also has great points about things that are real. Some of them are not always seen in other places, and I'm glad to see that a lot of them are things that I'm always reminding people about. Among them are:

- Antivirus signature based approach failure
- Trojans and backdoors targeted to specific companies and organizations
- Trojans that instead of stealing credentials just perform funds transfers after the user is authenticated (I made a PoC presentation about it last year in CNASI). I was impressed to know that there are real cases now
- 0-days usage more common every day
- Internal attacks issues, one of the biggest motivators of my Master Thesis.

He used these facts to drain conclusions, some right, some wrong. I agree that there is a raising complexity that makes security harder to do, that the cost of security controls is too high and that our "best practices" don't solve the problem. This last one is one if my favorites, I have been saying that for some time.

I have a friend that is a penetration test specialist. His approach gives him almost 100% success rate, even in companies that have advanced security programs. What is happening is that the main sources of information for the CSO, with their indications about most common threats, don't drive to solutions that could stop my friend's approach. The "by the book" CSO will be a easy prey for him. I believe that we need a deeper technical discussion about what we understand as "best practices", making them more effective and clear. When I say technical discussion I mean "bring the good guys!", specially those that are not related to off-the-shelf products vendors. Have you ever noticed that the "next biggest threat" always fit in the features description of those just released blackboxes? Wow, so every new threat can be avoided just by buying them?

Back to the article, I think that its qualities end here. The author does not remember that our goal is not reaching 100% security, but the security level needed to allow the business to keep going. The "it just need one single vulnerability to fail entirely" approach is counting that defense in depth and compartmentalization are not being applied. It's over reacting.

I also think that there too much confusion about "home user" security and corporate security. Really, we need to improve a lot the security for the common home user, it's very hard to a non technical person to keep a computer secure. But we can't forget that we are not dealing with a common home appliance, like a refrigerator or a TV. There is two-way communication, there are new features being deployed on the fly, from different sources. The user has part of the responsibility to decide which features and which sources are safe, we can't deny that. If you want to drive your car in the streets you need to know that your safety depends not only on roads conditions or on your car safety features, but also on decisions and skills from you and other drivers. It's the same thing with the Internet and computers in general.

There are still more deaths in car accidents than in wars!! I don't think we are terribly failing in infosec as we are with traffic safety.

There is another thing. Those numbers, increasing losses, frauds, etc. I can't say for sure as I haven't made a extensive research, but I bet that when paper money or checks were introduced, the frauds grown wild. As technology is gradually dominated the ways of making it secure evolve. However, if the technology is evolving too fast there is not time to security to evolve. It's natural. Security systems created 10 years ago are not very effective today, but if we apply their current versions in the same problem for which they were created to, they would be almost perfect.

Let's try to imagine if the weapons evolution had happen in a much more accelerated form. We should have spears, swords 6 months later, muskets in two years and grenades after 3. If we compare this with the infosec we would be trying to make hand shields stronger and complaining that they were not protecting us from the grenades.

So what Augusto, will you do exactly like him and don't tell us how to solve it?

First, it's necessary to make people in charge of security to know about it. They know about products, not about security. They think that they just need to build the lego with firewall+ids+ips+av blocks and everything is ok. We need education, make them skilled professionals. It can be dome with better training (SANS!), certifications, standards, code of practices, etc.

Second, user awareness. Sorry Ranum, but I think it's more than necessary if our intention is to keep the flexibility and power in their hands. We can replace all our cars by a public transportation system and drastically reduce the accidents. Do anybody think this is possible? :-)

Third, product intelligence. Keep running behind attacks, virus and Trojan signatures?? This is too archaic. The advantage of more frauds is that there will be more investments in security technology, bringing more money and brains to the research field too. With this investment we can reduce the gap between state of art technology and the security tools available.

Fourth, demystify insecurity. This not black or white, all or nothing, but the gray tone that each person or company can live with. When you go out to the streets there is a risk of being robbed, murdered, victim of an accident. These risks are, usually, getting higher every day. Have you give up going out of your house because of that? Maybe you have changed some habits (mitigating risk), but you accept that there is risk to keep doing what you need to do. You go to the bank, there is the risk of someone who saw you withdrawing following you later to rob you. You use the Internet banking, there is the risk of someone taking advantage of this. Nothing changes. People only need to be conscious that the problem exists in any situation, be it "real" or "virtual".

That's it.

No comments:

Post a Comment