They say if you drop a frog in a pot of boiling water, it will, of course, frantically try to clamber out. But if you place it gently in a pot of tepid water and turn the heat on low, it will float there quite placidly. As you turn up the heat, the frog will sink into a tranquil stupor and before long, with a smile on its face, it will unresistingly allow itself to be boiled to death.
The security industry is much like that frog: completely and uncontrollably in disarray, yet we tolerate it because we are used to it.
It is time to admit what many security professionals already know: We, as security professionals, are drastically failing ourselves, our community, and the people we are meant to protect.
Too many of our layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries, and that is why we tolerate the dismal situation we face. Yet our mandate, first and foremost, is to protect.
The ramifications of our failure are immense. The success of the Internet and of the global economy relies on trust and security. Billions of dollars in e-commerce opportunities are being lost because of inadequate security. A recent survey of U.S. adults found that three times as many respondents believed they were more likely to be victimized by an online attack than by a physical crime.
A recent Gartner survey indicated that 14% of those who had banked online had stopped because of security concerns, and 30% had altered their usage. People are simply losing trust in the internet.
The security community is not just failing in one specific way – it is failing across multiple categories.
It is being out-innovated.
It is losing the digital battle over cyberspace.
108 Responses to “Security Absurdity.”
Jonathan Yarden Says:
May 10th, 2006 at 8:02 am
You’re completely correct, and at the very core of this problem is Microsoft, who will continue to do nothing until they are hit with a multi-billion dollar class action lawsuit for selling defective products. Same thing occurs for automakers; why not software companies?
May 10th, 2006 at 8:19 am
Security is an illusion. When an estimated 40% of the break-ins are inside jobs done by people with the proper access, there’s really not much hope, but you can keep on dreaming and writing bloated software and overselling it.
May 10th, 2006 at 8:26 am
If you want to scare the Hell out of a pointy-haired boss, make him run to a tropical island retreat and cut off contact with the rest of the world, this would be the URL to hand him!
May 10th, 2006 at 8:35 am
Very entertaining and enjoyable paper… (failure.php). I think, however, from a universal user (e.g. the home user) perspective, security and security tools need a witch doctor more than a security professional. The ritual and dogma surrounding security tools, the advertisements filled with bovine fecal matter, and the layer upon layer of redundant firewalls, scanners, filters, detectors, alert mechanisms… ad nauseam leave users reeling from security tools shock. We as security professionals need to stop trying to come up with tools and techniques that protect the end user without their involvement and spend a little time trying to understand exactly what this user is capable of understanding. Then provide tools that match that capability. I believe most users ignore or improperly configure security mechanisms out of contempt or dismay, not lack of ability. Our failure (as professionals) is in failing to understand the user’s capability and matching our user interface to that level of understanding.
I look forward to your next installment.
Lester Bello Says:
May 10th, 2006 at 8:39 am
An interesting article indeed.
I agree with most of what is said here. It really is an impressive thing how a Systems Administrator can install a Windows server, enable IIS, plug it into the corporate network and think “good job, buddy” without even thinking of that little thing called security. Far worse is the case of those admins who plug the server into the Internet instead!
Another amazing thing: the green lights in the security websites. I understand that most of people will not have the time or mental resolution to use a point-and-click exploit to damage someone else, but the mere fact that there is a chance to exploit a vulnerability is serious enough to make us run for a solution.
And I disagree with Jonathan Yarden. It’s not Microsoft’s fault (alone, I mean). Yes, they’re guilty of not testing their products enough, but they’re not the only software maker in the world.
Most of the great incidents cited in the article would never have happened with a SERIOUS security professional in the defensive lines. Someone who understands and accepts that security is a constant worry, and not just a patching/firewall/AV thing. It means constant care, constant monitoring, constant learning.
Security is just an illusion. But diligence + learning = real security.
Wes Kussmaul Says:
May 10th, 2006 at 8:40 am
Microsoft is only one of many contributors to the problem. The fact is that the foundations of both our operating systems and the internet were built from naive assumptions that must be revisited. In doing so, the means of establishing authenticity must be imported from centuries-old processes of establishing authoritative certification. These processes have very little to do with technology. The irony of the term “certification authority” says it all. It refers to a piece of technology, with zero genuine authority, yet we trust it to put the lock icon on our browsers. No wonder we’re hosed. We went on the assumption that authenticity could come from technology. Would you occupy a building whose plans were signed by xyz.com, attested to by Gopapa.com certification authority? Me, I’d rather see a structural engineer’s professional license on the line, with the occupancy permit signed by city hall.
May 10th, 2006 at 8:49 am
It is not the fault of Microsoft, Cisco, or whatever vendor of the day you want to blame. The simple truth is most people fail to adequately secure their environment because they have no plan to manage it long term, no technical security architecture, and no real concept of what constitutes a security program. This leads to lots of technology with no increase in security.
I do agree Information Security on a whole is failing. But the solution does not start with technology!!! It starts with Vision, Strategy, Process, Systems -> solutions. The Technology factor of securing an environment against the 80% is less than 30% of an Infosec Team’s job. The remaining 20% is targeted Business Based Risk Assessments, Process mapping, working with PEOPLE. However, it is rare that you will find an infosec team doing anything other than getting paid a lot of money to stare at meaningless IDS alerts as they probably don’t have an Incident Response plan or capability.
May 10th, 2006 at 8:58 am
The problems of modern computer security… Noam Eppel wrote a very interesting essay about the problems in modern computer security. In the article he states his point of view about techniques and fashion spleen in computer security. Or, with another question: Why do we have a billion dollar computer security industry, when the computers are still not an inch safer?
Chris Hudel Says:
May 10th, 2006 at 9:33 am
Until “availability” stops being the paper-resistant rock in the traditional rock/paper/scissors game, there will always be a card that trumps doing the right thing.
May 10th, 2006 at 9:37 am
DAN – You are right on the money my friend. This is exactly the problem with infosec today. Even the author of this article doesn’t REALLY get it – the real issue is the lack of a good foundation – sound policies, guidelines, practices and sufficient human resources, training and experience. Sure would love to speak with you more, come on by http://www.hackdot.org and send me an email sometime.
May 10th, 2006 at 9:50 am
Great article! I do however have a hard time accepting total failure as a fellow security professional. I think that security professionals know EXACTLY how to secure a system – turn the computer off. Unfortunately, this doesn’t allow for much business to take place. My point is that unfortunately in most cases, our main purpose is not actually to secure all information. Our goal is to ENABLE THE BUSINESS… oh… and to do so as securely as possible within the constraints of money and time. Microsoft makes money because it sells a product that is easily usable by default. They are not in the market to sell the most secure operating system. They are selling businesses the tools to just get the job done as quickly and easily as possible… period. Don’t get me wrong, I have a real problem with the kind of irresponsibility inherent in this way of thinking. I am just saying that the people who sign the checks in most cases just don’t care about fixing root security problems until it is WORTH it to them to change. Welcome to capitalism. The architects have built a boat full of holes from the very first plank. We can plug those holes until we run out of fingers, but the reality is that it will never float until we rebuild it the right way. I digress…
May 10th, 2006 at 10:04 am
Great read, I have a rather short attention span and it didn’t lose my interest despite the length. I loved it.
One thing though, you describe WEP as “wireless equivalent privacy”, isn’t it “wired equivalent privacy”, meaning it’s supposed to be as private as a non-wireless network?
And with regards to the bank thing, I really don’t understand why we have the form target on an https server, but not the form itself. By the time the average user gets to find out if the site is legitimate or not, they’ve already typed their details in.
But yeah, excellent article.
[Noam’s comments: Thanks for the correction fwaggle!]
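As an added example that is not part of the original post or of fwaggle’s comment: a small standard-library Python check for the pattern described above, a login form delivered over plain HTTP whose action posts to HTTPS. The page URL, the HTML and the verdict names in the block are constructed for this example and are not taken from any real bank site.

```python
"""
Added example (not from the original post or its comments): audit the login forms
on a page for the pattern fwaggle describes, where the form itself arrives over HTTP
but posts to an HTTPS action. Sample page URL and HTML are constructed; only the
standard library is used.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> together with whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of dicts: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # A bare <input> has no type attribute; HTML treats that as type="text".
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """
    Return one (action_url, verdict) tuple per form that contains a password field.

    Verdicts (names chosen for this example):
      "ok"              page and action are both HTTPS
      "form-over-http"  action is HTTPS but the page carrying the form was fetched
                        over HTTP: the user saw no lock icon, and the form markup
                        could have been swapped in transit (fwaggle's bank case)
      "plaintext-post"  action is HTTP: the credentials themselves travel in the clear
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlparse(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # An empty or missing action posts back to the page URL itself; a relative
        # action is resolved against the page URL, an absolute one is used as-is.
        action_url = urljoin(page_url, form["action"]) if form["action"] else page_url
        action_scheme = urlparse(action_url).scheme.lower()
        if action_scheme != "https":
            verdict = "plaintext-post"
        elif page_scheme != "https":
            verdict = "form-over-http"
        else:
            verdict = "ok"
        findings.append((action_url, verdict))
    return findings


# Constructed sample: a bank front page served over HTTP whose login box posts to HTTPS,
# plus an unrelated search form that has no password field and is ignored.
SAMPLE_PAGE_URL = "http://bank.example/"
SAMPLE_HTML = """
<html><body>
  <form action="https://secure.bank.example/login" method="post">
    <input name="user" type="text">
    <input name="pass" type="password">
    <input type="submit" value="Log in">
  </form>
  <form action="/search" method="get">
    <input name="q" type="text">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for action, verdict in audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{verdict:15s} {action}")
```

The check deliberately treats "form-over-http" as a finding even though the credentials themselves would be encrypted: the point of the comment is that the user has no way to verify the form's origin before typing, and an attacker who can rewrite the HTTP page can simply point the action somewhere else.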
White Badger Says:
May 10th, 2006 at 10:51 am
We have MANY fundamental issues to deal with here. The OSs are deeply flawed. The apps don’t respect what security the OS provides, and open it up with their own vulnerabilities. The software that is supposed to protect the other software closes most holes, but opens others. I eagerly await the second part of this article. I think the ultimate solution is to start from the ground up. We need programming languages that are designed not to allow the majority of mistakes that lead to insecurities. We need compilers that check for potential issues. We need OSs that are designed for BOTH security and usability, which prevent apps from doing stupid things. These OSs also need to be less monolithic, and more compartmentalized, to keep breaches that do happen from being able to affect the remainder of the system. We need apps that correctly use the OS and respect its security structure. Finally, we need to educate users, because NO security system in the world can protect a moron from him/herself.
Also… here’s my question to this incredible mess we’re in: Why is the solution to broken software always MORE software and usually from someone else?
May 10th, 2006 at 10:58 am
People are the reason we have a problem. The people building the technology have neither the ability nor the desire to build it securely. Fixing the technology only makes the Internet like power tools, leaving the onus on the people using the tools to be forever vigilant — something that doesn’t happen for power tools and certainly won’t happen for “friendly” Internet applications. And of course there are the people that attack, cashing in on a massive risk-reward imbalance.
Scale is the reason the problem is so bad. Scale is an inherent feature of the Internet: millions of (flawed) applications, millions of potential victims, millions of potential attackers — all of which can interact with full capability from distant locations. The effect is that a security flaw in an application is not at all like a safety flaw in a power tool; it’s likely that only one hand is lost at a time in that faulty table saw, but a typical security flaw allows the attacker to exploit millions of people at nearly the same cost as exploiting just one.
May 10th, 2006 at 11:17 am
Great article! I’m looking forward to part 2. I hope that one issue you address in the next part is the fact that security is so often undermined by market economics.
On the one hand, you’ve got security always taking a back seat to performance and other issues, where the people with the technical knowledge are restricted from implementing what they know are ‘best practices’, because the client will only pay for what they can see. So, for instance, the client will pay for a web application to be built in a fast language that does no type checking or security restriction (e.g. php, perl) rather than a strict language that would take longer to code in (e.g. java).
On the other hand, there is the ‘tragedy of the commons’ effect, where the problems are significantly large, but the cost is distributed so widely that it is not in the interests of any single actor to take action to address the problem.
May 10th, 2006 at 11:19 am
“I have to say that major changes scare me too. But those changes definitely have to be made. One issue that you don’t mention is the possibility that many of the organizations that provide security related products DON’T WANT it to change, and they are using their influence in some way to slow down major change. If there are major changes to the Internet, and we have much higher security, then what happens to their revenue stream? Many of those people are smart enough to change with it, but I would say that they see an ever-growing market right now. Maybe the conspiracy theorist is coming out in me, but I think it deserves to be looked at.”
Maybe I am just feeling paranoid right now.
May 10th, 2006 at 11:49 am
There is a simple cause behind the failure, and the cause is the same enabler allowing threats and compromise of systems to proliferate: It’s the money.
Security as a business innovates when there is a perception that profit can be attained. The opposite number, organized crime (call it what it is!!!), innovates TO MAKE MONEY.
The business of security, therefore, by its very nature, is REACTIVE. It will always, therefore, exist in a state of failure.
How do we adjust?
In other lines of business or acts of human endeavour, the needs of people or business or nations were the needs that spurred innovation ahead of the curve – the curve being defined as the goal of a society and the lack of enabling solutions to reach that goal. If a society or nation or business finds that their endeavours are failing due to a lack of IT security, innovation will outstrip the ‘dangerous neighborhood’ of the internet.
May 10th, 2006 at 11:49 am
When we needed to get goods to the West Coast of the US, the railroads expanded. When we needed to expand our markets to the mideast using the expansion of democracy to do so, we built the Great White Fleet. When Europe ran out of places to sell their trinkets, they went to China and sailed the Atlantic ocean. The innovations of tanks, nuclear weapons, jet aircraft and other tools of ‘security’ were driven by the mass disruptions of economic freedoms.
Economy drives innovation. Nothing else.
Ben Strother Says:
May 10th, 2006 at 12:01 pm
Noam,
Sadly nothing you described was new to me. We have had problems with information security as long as we have had information. Even CISOs of fortune-500 companies are struggling to get the money, people, processes and technology they need to protect their company’s information assets.
It is true that the skill required to perform attacks has decreased, and the number of attacks has increased, but there is research being done to respond to this challenge. It will not come from the vendors that are selling products today, but the researchers that are building the protocols and services of tomorrow. When attacks can be filtered off the network, services can degrade gracefully then fail over, and we have moved from simple defense to prevention we will see real improvements in information security.
Even then, you need a total approach, not just a technology magic bullet; the people, processes and funding all need to be there for security to be possible.
Connie J. Sadler Says:
May 10th, 2006 at 12:20 pm
I think there is a *lot* more to this, but don’t have the time to fully respond. Good things to think about – yes! But InfoSec has never had the authority to do what’s best. Ideas are floated and quickly rejected, and the “balance” we all try to provide is as much as many of us can “push” out against a very resistant culture.
Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
Director, IT Security, Brown University
Box 1885, Providence, RI 02912
Guus de Leeuw Says:
May 10th, 2006 at 1:14 pm
I think that the fundamental problem is the thought that computers/software are simple and for everybody. The reality is that it is all very complex, especially when you connect it all. Most people know nothing about it, they just want to use it, click on a button and it should run. Even most (/all) specialists know only part of the complex picture. Meanwhile businesses develop hardware/software that must be ‘affordable’, etc. so developing and especially testing is subject to business demands, project cuts, decisions by unable managers, etc. Testing and security are mostly costs for businesses and always underestimated.
So, with an underestimated foundation (simple and for everybody) and building blocks with holes, I think most security experts do a very good job juggling their parts.
The complexity will only get worse, with more and more other equipment connecting. Users will always want easy to use systems, but fortunately are also starting to get educated slowly and little by little. With all the attention, testing and security get more and more attention, but never enough.
Where will this all lead to????? I don’t know, that’s another reason why it is fun to be into IT.
May 10th, 2006 at 1:19 pm
Wonderful article. It occurs to me while reading about Intel’s and AMD’s plans to subvert VM rootkits with hardware modifications and AMD’s no-execute page protections that we may only stand at the beginning of some rethinking of today’s hardware/software boundaries, architected as they were in an earlier time.
May 10th, 2006 at 1:52 pm
I think it’s interesting reading all these comments that talk about blaming someone or something for the mess we’ve gotten ourselves into. I see it differently. As the internet grew and evolved, changes were made to the population of users, and to the vision of the ‘net from a place where professionals and scientists shared information, to a place where people can now share unwholesome material.
It’s obvious that the net isn’t working anymore. A concept of being InDoors, where there are people whose identities have been authenticated by a professional (not corporate or governmental) organization, where biometrics are used on mobile devices to authenticate users, where the environment is secure within an organization, and where information is only shared with other authenticated organizations is the way to go. Let all the reprobates remain outdoors in the wild west of the internet, but provide privacy, authentication and security to those that choose to go InDoors.
May 10th, 2006 at 2:03 pm
Good read, thank you.
A couple of points that I feel need to be mentioned.
Learning Curve – There is a ‘ell of a lot of software out there, the majority with different configurations, poor default settings, and inadequate documentation. In order to properly administer a typical departmental server you need to have a solid understanding of all of the services/programs that it uses. Just because you can pass a multiple choice test doesn’t mean you’re qualified.
Time – There is never enough of it. Workload increases and you’re expected to produce quantifiable results. As a result, it gets done, just not done right.
Inertia – “We’ve always done it this way, there hasn’t been a problem, so we don’t need to change.” Until something explodes, then run around like a chicken with its head cut off, blame someone else for it, and implement poorly thought out policies that actually make things worse.
Money – We want a secure server farm by next Tuesday, here’s $100. (Although this is getting better)
Authority – Shouldn’t have to spend a week convincing 10 managers and department heads that a critical patch/fix really needs to be done.
Security isn’t a destination, it’s a continually evolving process.
Thanks again, and I’m looking forward to part II.
May 10th, 2006 at 2:12 pm
Infosec is best realized when you carry a low profile. The individuals who get their systems hacked into (residential users) are those who are opening up unknown attachments, going to places on the web they probably shouldn’t be going to, and generally being lackadaisical about what they are doing over the web. Users can be their own worst enemy.
Businesses get attacked on an hourly basis because there is obviously money in it. A market for criminal activity. As many people have said already the Internet was never conceived to be inherently secure. Neither has software up until now. We security professionals are the stop-gap measure. Unless we can completely strip out the Internet and rebuild it from scratch we will always have these problems. I don’t know if we will EVER move to IPv6 in regards to the internet.
Let’s just be happy that security professionals have an industry to call their own. Let’s face it, a lot of the problems that curse humanity were created simply to provide business opportunities… or should I say evolved?
May 10th, 2006 at 2:44 pm
I wrote this comment on reddit.com, but I felt it was appropriate to repost here:
Almost all of the failures he mentions have nothing to do with security professionals. They have to do with users being uneducated. For example, in the “failures are everywhere” section:
SPYWARE — Even if the user had to specifically allow every piece of software to be installed (like on OSX), they will still get spyware, because they will allow ANY software to install on their system without reading what it is.
PHISHING — There is no solution to this problem other than user education. Users will enter their password into a phishing site no matter what measures the legitimate site takes to prevent it, even if they have one of the many toolbars that pops up and warns them that it is a phishing site. I’ve seen usability studies — the window pops up, they hit “ok” without reading it, and then enter their password anyway.
TROJANS & VIRUSES & WORMS — Admittedly this problem stems from poor OS security, but still, the typical delivery mechanism of one of these things requires user interaction, and again, no matter what steps are taken, an uneducated user will double-click the executable, or click the “awesome link” they got in IM, or whatever.
SPAM — The only reason spam works is because users actually respond to this stuff and buy things. There are ways to combat spam, but even the best Bayesian filters can’t filter messages out if you train your filter that you want to know more about penis enlargement.
BOTNETS — This is the same as Trojans. The user will install anything asked no matter how obvious.
DISTRIBUTED DENIAL OF SERVICE ATTACKS — See BOTNETS.
The rest of the things mentioned do have to do with security personnel failures, such as Patch Management, Web App Vulns, etc., but in a lot of cases, this has more to do with company politics than anything else.
In pretty much every large organization, even the financial ones, security people’s recommendations are ignored on a daily basis in the name of “business needs” — i.e. the business is willing to take the risk because it is not profitable to fix the problem. One day, perhaps the CxOs will learn…
May 10th, 2006 at 3:06 pm
There are a lot of practical day-to-day solutions to meeting this challenge, but I’d like to go a step deeper and talk about what I see as the roots of the problem.
If a criminal wants to knock you down and steal your money, they will find a way. The criminal element of our world is just recently finding its larger-scale footing in the world of computer-land. One response to crime in the physical world is laws and law enforcement, including a prison system that doesn’t even pretend to offer rehabilitation. Computer-land invokes new potentials for the same human sickness to manifest and it’s no surprise. We won’t easily solve the problems of the world and resolve the damages of short-sighted socio-economic systems that define life for many. But we still have to try to see the bigger picture and get some context from it, in my opinion.
The security companies indeed make plenty of money off of the problem, however the IT security industry is merely a response to a stimulus. Some have speculated that this same industry is not going to destroy itself by truly solving the problem, but can you imagine what it would be like if the tools and options provided by the industry were unavailable? I’d rather have some kung-fu skills while walking down the dark street than not.
I believe that we as a society can make progress, but we won’t fully solve this problem. It’s a reflection of human nature. Significant progress can only happen through a concerted effort that crosses multiple areas – policy, process, people, legal, educational, law enforcement, financial, technical, etc.
People need to recognize the value and risk potential in their data and computing resources and act accordingly to reduce those risks while still trying to stay afloat within the general constraints that have been mentioned in the other commentary on this page. Not the easiest job in the world.
We’ve got our work cut out for us. I am primarily a technologist by training and job history, and just one piece in the puzzle to helping provide better information security at my campus. Since security is primarily a “people problem” we’ve got to consider the roots of the problems, instead of just applying another layer of band-aids. Band-aids serve a valid purpose but if each patch represented a band-aid, every computer in the world would be a large stack of band-aids layered over one another in a messy ball. Perhaps there is a better way, but I’m not holding my breath just yet.
May 10th, 2006 at 3:12 pm
Though I agree with many points in your article, I have to point out that one statistic you use is a bit misleading. Yes, losses due to cyber-crime are the highest ever, but at the same time internet usage is also at the highest ever. If you wanted this statistic to be meaningful you would need to show that losses due to cybercrime are growing faster than worldwide internet adoption.
Ben Ricker Says:
May 10th, 2006 at 4:18 pm
There seems to be a bit of a non sequitur going on here: you go through a laundry list of new technologies to protect data and implement security, then say “But look at all the break-ins!” You seem to be arguing that all these new technologies are not protecting us.
Logically, however, the question is: are the companies USING these technologies and, out of those, how many of them are still getting popped? You are mixing up the classes of everyone and everyone WHO FOLLOWS GOOD SECURITY PRACTICES. In the laundry list of incidents, I know that a couple of them were within areas that had poor security practices. They were NOT using all these new technologies in the right manner.
The honeypot point fails to convince for the same reason: out-of-the-box configs on servers are BAD security practices: they used the default security settings.
I am not saying that your main point, that info security has failed us, is incorrect. It is just that you have not SHOWN that this is the case.
I also think Connie Sadler’s point is right on: security professionals are not gods dictating from on high. Mostly, we are fighting tooth and nail for GOOD security practices across the enterprise (and we tend to lose the battles tragically often). And note that ONE failure can be the difference between GOOD security and the next screaming headline.
May 10th, 2006 at 4:40 pm
Security is a business problem and not a technical problem. If businesses would approach security like any other risk to the business, we would not be where we are today. Most businesses deal with security as a technical problem and technology drives the business as opposed to the other way around. Unless we fix these basic things, security risks will never be managed to an acceptable level in a smart way that supports the overall business need.
Attacktree Reasonable Information Security » Archive » Says:
May 10th, 2006 at 4:51 pm
“I think we need people to keep talking like this: They say if you drop a frog in a pot of boiling water, it will, of course, frantically try to scramble out. But if you place it gently in a pot of tepid water and turn the heat on low, it will float there quite complacently. As you turn up the heat, the frog will sink into a tranquil stupor and before long, with a smile on its face, it will unresistingly allow itself to be boiled to death. The security industry is much like that frog; completely and uncontrollably in disarray – yet we tolerated it since we are used to it.”
Shawn Wilson Says:
May 10th, 2006 at 5:07 pm
I applaud your efforts in writing this article and I too am of the same beliefs. I have started a couple of ‘security awareness workshops’ where I live and I would like your permission to include some of the ideas you’ve expressed along with some of the statistics you’ve presented.
I would credit you, of course, in any handouts and visual aids I use, but since I do charge for these workshops I wanted to get your permission first. I would of course point people to your URL as well as some of the URLs mentioned in the article.
I cater to both home users and businesses and have workshops geared toward both.
Thank you for both your intelligence and contributions.
[Noam’s comments: This article was written to raise awareness and, more importantly, generate discussion. Of course, you have my permission to use the content.]
May 10th, 2006 at 5:47 pm
Many of the problems in the article can be avoided easily and others can’t (spam) without changing a lot of the world.
Here are some links on our current technical (and economic) problems and ways forward (some of these are usable now).
http://www.ranum.com/security/computer_security/editorials/dumb/
http://www.eros-os.com/index.html
Protecting the mass of happily ignorant Internet users is going to remain beyond the state of the art for many years. And requiring ID isn’t going to help.
Jason Muskat Says:
May 10th, 2006 at 6:11 pm
Most of the time, security, any security, is about bringing that feel-good feeling to the customer; having somebody to blame when something goes bad is a plus as well.
Real security is very rare as it costs a lot. Most people think they are secure because of a policy, or something just as silly like a sign on the wall.
I think it is imperative that government set and regulate minimal real information security standards, especially in sectors that provide essential services such as power, telecomm, and banking, and such. The regulations will allow the security people to enforce security despite a line of business not wanting to ‘implement’ a secure solution. People are still building new applications and workflows that use telnet and refuse to use SSH or any other secure methods such as telnet over SSL.
May 10th, 2006 at 6:37 pm
Great article! It conveys what many have known in the information security community for a long time, in a way that may be easier for the general population (and policy makers) to understand. The frog analogy is great.
I suggest that any solution, as most these days, will deal with cost, lawyers, and insurance companies, and perhaps legislation. The bodies of individuals and information security programs litter the path behind us. There have been many that have clamored, screamed and championed information security since the 1960s. A valued acquaintance and inspiration, Peter G. Neumann, often told me at dinner or lunch about the security issues with Multics, so this is nothing new. Demanding security for security’s sake has not been successful as we are often a reactive society, not one that prepares for the future. We’re also a society that values convenience and features over security. It’s that security is not often viewed as a valuable feature, and industry is in business for providing value because that’s how they make money.
I’d argue that we have come a long way. Security awareness has improved due to those bodies in the path behind us. The problem is that the rate of adoption of technology features and conveniences is far outpacing our value of security and our ability to provide that security. Another problem is that we’re not able to maintain security once it is installed. Things change too fast and the organizational and operational realities are not considered that will allow security to endure more than months to moments.
Because we’re reactive, something large will have to happen that is widely and significantly inconvenient or alarming. We’ve not yet seen that “cyber Pearl Harbor.”
I hope that your follow-on article addresses not only what we SHOULD do (because there are a lot of ideas already out there on that topic), but practical approaches that we must take to make this happen in a practical world. You might address money, lawyers, insurance companies, and legislation.
Yaa 101 Says:
May 10th, 2006 at 8:43 pm
You are failing because it is not a technical problem but a social or, better said, an a-social engineering problem. It means that life has caught up with the internet and that crooks and swindlers have found their place inside the environment.
To be honest, most of them would be able to swindle your money if they were standing next to you at some party. Don’t kid yourself into thinking that you are able to see through those things; only very shrewd-thinking people are capable of seeing a thing like that taking place before it’s too late. The problem is that most swindlers do not look like your typical archetype of crook, if one exists at all. Most swindlers are very charming, sociable, easy-going people (except for your average 319′er) and mostly are decloaked too late.
What makes you think that the rules of the game of life are different online than offline? To have scams succeed you need various ingredients which are available in abundance. You need greed, groupthink, social moronity and fraudulent minds at the victim side and charm, persuasion, knowledge and fraudulent minds at the offender side.
Sorry to say, but the whole technical aspect here is irrelevant; the level of corruption in most societies right now in the 21st century is too high to be able to stop all this crime from happening. There are too many holes in society itself and these are not solvable with tech.
The problem of our societies is the politicians in the 20th century that made a spaghetti mess of our books of law to accommodate their petty political purposes. You can see by the amount of lawyers in your country how your previous governments and chambers thought of you as citizens. More lawyers mean more complex laws were fabricated and that alone is a contempt of the public.
This makes most laws unenforceable in most circumstances but lethal when used with precision in abnormal circumstances.
Laws are mostly made complex for a few reasons, like for the executive branch to be able to hide behind obscure articles of law and also to criminate all common people, mostly without them knowing.
To get back to a technical solution of our problem of insecure networks, part of the problem is that some think they can promise a secure network. Probably the same types that believe in a makeable society like socialists, fascists and stalinists, which makes up most big business management and corrupt politicians in power for the last century and at this moment. They come up with perverse things like DMCA, DRM, Trusted Computing or whatever flavour du jour.
The solution is as old as the problem: crime just takes a part of the economy, period. No ifs and no buts, this has been reality and always will be, even under the most oppressing rule you can find.
So accept that networks are unsafe; networking between people at parties or other arrangements is as unsafe. Make sure that whatever is stolen is small, like in micropayments; make sure most people don’t need all of their money online.
Oh yes, a last word of note: KILL all the administrators of critical networks that coupled their networks to the internet; this is short-sighted bean counting that can cost all of our society their lives.
Thanks for listening,
Rick Wash Says:
May 10th, 2006 at 8:47 pm
You assume that zero security problems is the end goal. This assumption is behind the fact that you are using a list of current security problems as evidence that we are failing.
Zero security problems IS possible. Though I am pretty sure that nuclear holocaust is too high of a price to pay for it. What we need is to find the right balance between how difficult the security problems are to solve (the cost) and the benefits of actually solving those problems. Look at the credit card industry. Zero fraud isn’t their goal — they accept a certain amount of fraud as a cost of doing business. But they have managed to keep the fraud at acceptably low levels that it’s not causing a serious problem to anyone.
That said, I think current information security practices are failing. I think that we should be working harder on security to reduce the problems, since the costs we pay in security are still far less than the problems we are encountering. The real problems I see in security are two:
1. People are myopic and nearsighted. When asked whether they should take the hard (security) road now, or take the easy road and risk huge problems in the future, they tend to take the easy road and the risk, and keep getting burnt by it. We need to learn to think more long-term.
2. People still see security as something that can be separated from the rest of systems. That is the essence of ‘security professionals’ and ‘security software’. First we set up everything like we want it to work. Then we put some tools and people in place that try to keep it running that way. That’s not the way security works. Just like a firewall won’t really prevent people from exploiting the latest Microsoft vulnerability, security professionals can’t make insecure setups suddenly secure.
Steve Summit Says:
May 10th, 2006 at 9:02 pm
If you’re going to be a heretic and point out the truth about the Emperor’s new clothes :-), you might as well go whole-hog and pin the blame for all these problems where 90% of it belongs: Microsoft.
A lot of people will claim that’s not fair, that it’s too facile, that it’s not Microsoft’s fault (it’s the *bad guys’* fault!), that security is a *really hard* problem that Microsoft couldn’t be expected to get right, that Microsoft’s only problem is its popularity, that if the other, allegedly more secure platforms (Linux, Mac OS X) were as popular as Windows is, the bad guys would be targeting them and showing up just as many problems with them, too.
But as anyone who truly understands security will tell you, all those claims are bogus.
It *is* possible to do a better job, a much better job, on computer security. We’ve known how to for 20 or 30 years. We’ve known, for example, how to compartmentalize code, so that only critical OS code runs with full permissions, and that the majority of less-critical code runs in a restricted environment where it can’t do as much damage.
But Microsoft never really cared about any of that, and they very successfully implicitly trained a whole and much larger generation of computer users that security and other problems are mostly inevitable and have to be lived with, like bad weather or something.
As a wise man once said, “Other computer companies have spent years working on fault-tolerant computers. Microsoft has spent its time more fruitfully, working on fault-tolerant *users*.”
Now that people are finally starting to demand some real security, it is in many ways too late: too many of the fundamental design decisions which underlie the insecurity are now utterly entrenched, and (apparently) can’t realistically be changed.
The most obvious example of the utter culpability of Microsoft software when it comes to security problems is: e-mail viruses. Where is it written that an executable attachment should be executed when you “open” it? Why is it the *user’s* responsibility to decide which attachments are safe (plain data) and which are dangerous (executable code)? The computer knows this, it can’t get confused by tricks to hide the filename, so why doesn’t it just refuse to execute the executable attachments? But somehow this straightforward solution is never adopted, evidently because there are one or two people who need to be able to click and run programs that they receive as email attachments but which aren’t viruses. Instead we run around deploying reactive “antivirus” tools that, as you’ve correctly pointed out, can never be perfectly reliable.
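The content-versus-filename point Steve makes above, as an added example that is neither his code nor the blog’s: a small Python gate that classifies an attachment by its leading bytes (PE, ELF, Mach-O and shebang magic numbers, a list assumed here) and refuses it when either the content or the extension says executable, so a PE binary renamed report.txt is still caught. The sample attachments are constructed.

```python
"""Content-based attachment gate (added example; not the commenter's code)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Leading bytes ("magic numbers") of common executable containers.
EXECUTABLE_MAGIC = {
    b"MZ": "DOS/Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit executable",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary / Java class",
    b"#!": "script with an interpreter line",
}

# Extensions an extension-only check would treat as runnable (assumed list).
RUNNABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}


@dataclass
class Verdict:
    filename: str
    kind: str                 # what the bytes say the attachment is
    content_executable: bool  # decided from content alone
    name_executable: bool     # what an extension-only check would say
    refuse: bool              # final decision: True if either signal fires


def classify_content(data: bytes) -> Optional[str]:
    """Name the executable type announced by the leading bytes, or None for data."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def looks_executable_by_name(filename: str) -> bool:
    """The naive check the comment criticises: trust whatever the filename says."""
    return filename.lower().rsplit(".", 1)[-1] in RUNNABLE_EXTENSIONS


def gate_attachment(filename: str, data: bytes) -> Verdict:
    """Refuse an attachment when its bytes OR its name mark it as executable.

    The content check cannot be fooled by renaming; the name check is kept
    only so that a plainly named .exe is still refused even if its bytes are
    unrecognised.
    """
    kind = classify_content(data)
    by_name = looks_executable_by_name(filename)
    return Verdict(
        filename=filename,
        kind=kind or "data",
        content_executable=kind is not None,
        name_executable=by_name,
        refuse=kind is not None or by_name,
    )


# Constructed sample attachments (invented bytes, not real files).
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "report.txt": b"MZ\x90\x00\x03\x00\x00\x00",     # PE binary hiding behind .txt
    "photo.jpg.exe": b"MZ\x90\x00\x03\x00\x00\x00",  # double-extension trick
    "setup.bin": b"\x7fELF\x02\x01\x01\x00",         # ELF with a bland extension
    "notes.exe": b"just text, mislabelled",          # extension lies the other way
}


def run_samples() -> Dict[str, Verdict]:
    """Gate every constructed sample and return the verdicts keyed by filename."""
    return {name: gate_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:14} {v.kind:40} content={v.content_executable!s:5} "
              f"name={v.name_executable!s:5} refuse={v.refuse}")
```

Magic-number matching covers native binaries and interpreter scripts only; macro documents and archives need their own parsers, which is why a mail gateway usually layers several such checks.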
Lance Haverkamp Says:
May 10th, 2006 at 10:31 pm
As I see it, the problem is simple–the Internet, or Arpanet in the old days, was designed in a time & place when everyone trusted each other. The US government, US military, US research labs, US universities & US military contractors were all that used Arpanet and the early Internet. Hence the .gov .mil .org .edu & .com top level domains. Security was not an issue, as no one else was on the system! Since security needs were never designed into the system, they’ve all been patches applied later.
As someone recently pointed out: “The US government paid millions to develop the Internet, then decided out of the goodness of their hearts to allow the whole world to use it for free”…R i g h t, sure they did…just after they realized it was the easiest way to spy on the whole world.
Some of the big data thefts (or misplacements) have been off-line, huge paper piles lost in the mail or by couriers like UPS, DHL or FedEx. Most people handling this type of data now realize that secured transmission makes more sense than physical shipping. But still don’t store it encrypted by default.
Because people tend to be lazy they think encryption is hard, and to be fair, it used to be–just ask those of us who tried PGP 1 or 2. The quickest solutions would seem to be:
1) Move to an all-encrypted Internet. No more http, only https. Don’t just encrypt the check-out page at amazon or ebay, but SSL encrypt EVERY page. All email must be digitally signed & encrypted–if it’s not, bounce it back to the sender (virtually no spam or phishing–instantly!).
2) Windows handles Admin/User very poorly! Users can’t install software or do much of anything, so almost everyone on the system is an “Administrator”, which allows all the evil software a way to install. Linux/BSD type systems handle this much better: Everyone logs in as a user; if Administrator (Root) privileges are needed, the computer simply asks the user for the Root (Administrator’s) password. Evil software simply can’t sneak in undetected unless you’re running as Administrator.
– Thanks! Lance W. Haverkamp
Lance@TheHaverkamps.net
Contact & encryption info: http://thehaverkamps.net/?Lance:Contact_Me
Jimi Loo Says:
May 10th, 2006 at 10:57 pm
This is probably the single most compelling article I have read on the topic/issue. Well done.
I personally like to think of the Internet as a parallel universe, a cyber-world as opposed to the real-world. In cyber-world people do things much the same as in the real-world, such as chat, work or go shopping. And as in the real-world, there are dangers. In the real-world we spend years as children learning about this world and all its dangers before we can safely go out on our own. This is not the case in cyber-world. People wander into cyber-world as cyber-toddlers or even cyber-infants. How can these people be expected to look after themselves in this strange new world? I know I’m reiterating some other people’s comments, but I believe education must be the first step to computer security. Cyber-world is too complex and dangerous to jump into without understanding the dangers.
Cyber-world is not as safe as the real-world. It’s much like the wild west with outlaws running rampant. But the wild west was tamed. Maybe if we look at how it was tamed, we’ll get an idea of how to tame our cyber-wild west. I submit the idea that greater law enforcement is needed. Software can only do so much. No matter how secure real or cyber property is, there is always a way to break in. We have police in the real-world, why shouldn’t we have police in the cyber-world? Criminals need to be apprehended and punished and we need real-people (not just software) to do this.
I realise I haven’t addressed the problem of who will fund this education and police force, but I hope it provides a new way of looking at the problem.
May 11th, 2006 at 12:22 am
Like they say, if the engineering / building / public safety industries were like the software industries, it would be a common occurrence for buildings to collapse, bridges to fall, and backup plans to fail.
This is just a perfect example of how the desire to crank out new software and features leads to a failure to look at the fundamental security ‘infrastructure’ upon which the feature is built. Subsequently, we get patches upon patches, and even patches to cover up previously inadequate patches for nearly the same issue.
Security is messed up these days.
May 11th, 2006 at 1:02 am
Most of the facts in the article are absolutely true. There is really a failure somewhere. Let us all face it. Information Security is as strong as the weakest link. Every information security professional presents to management a listing of risks affecting the organization. These risks are then assigned costs: Cost of Risk and Cost to Mitigate Risk. Each manager is then faced with the decision to either mitigate or ignore the risk. The problem with information security is that there are certain threats that are just too expensive to mitigate. Threats that involve Acts of God, lazy people, other people’s software, network and infrastructure are particularly hard to solve. In the end, people just ignore these risks. Then a weakest link is made available for exploit. Then security fails.
Another problem with security’s weakest link is about people, entities or organizations not willing to invest in information security. These people, entities and organizations then become vulnerable and later become vectors for attack. These may not even belong to one’s organization or are beyond administrative reach. If a vendor refuses to patch a security exploit in their software… If thousands of home computers are transformed into mindless spambots… How are one organization’s information security people supposed to solve all the world’s information security problems?
I disagree with the article in saying that this failure is due to lack of innovation. There are always new and novel ways of dealing with information security problems. Most of these are even solvable with current technology. Instead, I believe the failure is because of our inability to cost-effectively apply information security consistently across the entire infrastructure and dependent networks. But, is this reasonable to expect in this age of well interconnected networks (such as the Internet)? Can we secure every part of it?
The only secure system is one that is powered down, disassembled, boxed, vaulted, sealed and blasted into another universe. Even then, what if aliens exist and send the system back…
May 11th, 2006 at 1:03 am
It would be good if schools could integrate security courses and topics into the curriculum of computer science, information systems and management-related courses to raise the awareness regarding information security. Too many students are coming out of college knowing a lot on what and how to set up businesses and information systems, but little on why and how to protect them.
Yes, they might know that they have to protect their intellectual property, but framing “virtual assets” with a “brick-and-mortar” business perspective usually limits the security measures down to patents and security guards. Crude and effective, but insufficient. Information security as a part of TCO rarely comes to mind. In addition to that, most startups skip information security to cut down on costs. As they grow bigger, these companies then play an expensive game of information security catch-up.
May 11th, 2006 at 1:08 am
Most companies do not see the information security risks until they are faced by them. Most people will think that TCO is the problem of the big corporation. Here are some classic TCO-bites-my-back problems for SMEs:
No anti-virus, anti-malware, or firewall software. This normally translates into lost productivity when workstations are taken out by this malware. Spam is also another item that can be added here, as people spend more and more time filtering spam than reading valid email.
No investment for PC upgrades. This also translates into lost productivity. As workstations fail, companies spend more and more time fixing them. This is why desktop support is rarely a problem when companies start out. But, it becomes a major problem when companies grow.
No Perimeter Protection. It is typically difficult to invest in workstation protection for all the workstations. One of the most basic things a company can do is enable firewalling in their DSL routers.
No User Education on Information Security. This is the single most important aspect of information security, as a greater number of exploits are targeted at people and not machines.
There are many more cases of SME-technology-hits-me-in-the-head problems. It would definitely help if students were aware of these even before they hit the streets and the halls of Makati.
May 11th, 2006 at 3:46 am
The first part of your article is already part of the solution – it’s an excellent summary of current information security risks. The sheer breadth of issues we face is an eye-opener, and that to me is the first step towards finding a workable solution. People who don’t appreciate the risks are unlikely to even address them, let alone solve them.
There are three obvious ways to open their eyes:
(1) Scare them witless with articles like yours. Surveys such as the DTI’s latest UK survey provide statistics to back up the conjecture and assessment. The news headlines are full of this stuff.
(2) Educate them, raise their awareness and motivate them. By “them”, I really mean “us” (I learn new stuff every day!). I don’t just mean awareness programs that address the clueless general public: it’s just as important to educate IT professionals about information security, and “management” as a third category with their own specific information needs and hot buttons (did anyone mention SOX yet? Or HIPAA? Or data protection?).
(3) Let them suffer. Once bitten, twice shy. Speaking personally, I truly learned the value of backups when I lost some irreplaceable photographic images. Now I’m a backup freak with multiple on- and off-site backups, but I sleep better.
Metrics and instrumentation of security are the key to helping people appreciate the extent and cost of security incidents that happen all the time. “There are *how many* bits of spyware on my machine?!!”
G.
May 11th, 2006 at 7:31 am
The problem is you focused your examples too much on Windows. Linux and Mac are also vulnerable. Most of the backend systems that are manually hacked are misconfigured or unpatched Linux systems. Once Linux becomes the desktop for the non-techie… it will be like a Mac or Windows system in that it will have lots of holes punched in it.
Software is inherently insecure. We just have to accept that fact.
Tim Bilbro Says:
May 11th, 2006 at 8:07 am
Entertaining article. Although I think you are just a little over the top declaring an entire profession a failure. Keep in mind all of the problems you are outlining can be prevented, and are being prevented on highly secure networks. Unfortunately, in order to secure a network, you must remove capabilities and access. The problem is that industry has seemingly made a decision to ignore security concerns in the name of progress and easy access. Sometimes, unfortunately, in order to secure something, you have to make it less accessible. But, there is so much push back from non-security types on that. It is not the security pro who is driving that decision. Until it really hurts an industry financially to move forward with lax security, InfoSec breaches are a cost of doing business.
Also keep in mind that cybercrime still represents a small portion of crime as a whole. I think your measuring stick is too high. Just because there are security breaches does not mean that the industry is failing. You would not say that the law enforcement profession is failing because there are crimes being committed. To carry the analogy a bit further, if your neighborhood were full of crime, you would do everything you could to move out. Don’t let your data live in a bad neighborhood.
IA Inside the Beltway Says:
May 11th, 2006 at 8:19 am
Security Absurdity…
Here’s a link to an entry at the Security Absurdity blog by Noam Eppel. Warning to IA Professionals: Reading this article may make you reconsider your career choice. It’s pretty thick with doom and gloom… It is time to admit what…
Kenneth Searl Says:
May 11th, 2006 at 8:21 am
Noam’s article is right on. I believe a significant part of the issue with regard to security is the lack of acceptance of innovative products by the security professionals. Best practices have not worked, as Noam is suggesting. In 2002 I was new to the security space and looked at security as an outsider. As Noam states on insider threats, traditional perimeter solutions just don’t work. There are better ways of looking at security and I’m sure there are many creative innovations in other areas, but until the security professional can take the chance on a solution beyond “Best Practices”, the bad guys will continue to win. Walls just don’t work!
May 11th, 2006 at 8:40 am
Very well said. Your research is great too. I love that image with all the toolbars!
-Richard
May 11th, 2006 at 8:57 am
The underlying issue is human psychology; people are basically trusting. It doesn’t really matter how much we overhaul the technology. Much of information security doesn’t involve a computer. Humans write the code, answer the phone, open the front door and sign on the dotted line. Paranoia, even when justified, takes too much effort to sustain. It is stressful to be paranoid.
As long as people think the world is a safe place they will be vulnerable – and they will convey that vulnerability to every aspect of their lives. Humans don’t usually wise up until after they have been victimized. To fix the problem, we have to teach people to override their basic human tendency to blindly trust others. But, the social ramifications could get interesting…
GL Ness Says:
May 11th, 2006 at 1:29 pm
I will reference this blog in my Always On column…great work!
Security Professional Says:
May 11th, 2006 at 1:56 pm
Great article. However, I think you need to be careful on whom you place the blame. The article at first glance faults the thousands of security professionals whose job it is to stem the tide of vulnerabilities and threats. However, these professionals are not the ones writing the Swiss cheese software.
The fact of the matter is that if applications and operating systems were designed securely from the start, then the majority of these issues wouldn’t exist.
Brian Smithson Says:
May 11th, 2006 at 2:09 pm
Hi Noam,
There is much in your paper that I can agree with. The state of infosec is pretty awful. But at the same time, it’s working pretty well. Honestly, if you look at the complexity of computers and the Internet and the naivete of the average user, and also consider that the Internet is performing functions that it was never intended to do, I’m amazed that it all works even half as well as it does. But I’m also left wondering how those average users manage even to keep their computers running, much less be expected to keep them secure.
So I agree that there is much to do, and I can even agree that there is much to do in every category of infosec. However:
- I wouldn’t characterize it as a total failure. Billions of transactions are successfully executed every day on the Internet, just as they are over the phone, by mail, and in person. Millions of people use the Internet every day and protect themselves from attacks, just as they do when driving their cars or walking around in the physical world. On the Internet, as everywhere else, there is a certain amount of risk associated with doing anything. The question one should ask is, is the risk associated with doing things on the Internet significantly greater than doing things elsewhere?
- I wouldn’t place the blame on complacency of infosec professionals, or at least not the ones I know. The people I work with try to fix every security issue they can, too often fighting against the wishes of management, data owners, and end users. I might fault some infosec professionals for lacking sensitivity about how dealing with security (or lack thereof) affects people who aren’t either computer professionals or security professionals. I might fault some infosec professionals with treating all security issues equally, without risk analysis. But complacency? I’m sure there are examples, but I wouldn’t say that complacency is the primary cause of our security problems.
- I wouldn’t characterize infosec problems as being unique to the Internet. People have stolen PINs by putting false front panels on ATM machines, phishing can take place over the telephone, extortion via DOS attack in the physical world is called a “protection racket”, identity theft can be accomplished by rummaging through the victim’s trashcan, every day my postal mailbox contains about 90% spam and includes letters that appear to be important notices from the government or about my mortgage, non-computer passwords such as ATM card PINs or “mother’s maiden name” authentication have always been easy to guess, physical locks are easy to pick, telephones are easy to tap, alarm systems are easy to defeat, and people are generally good-natured but gullible targets of all sorts of scams outside of the Internet. Granted, the Internet has made some crimes much easier to accomplish — phishing, for example — but it can also make such crimes easier to solve. If someone talks me out of my PIN and then empties my bank account at the ATM, law enforcement will have much less to go on than if my PIN was obtained through phishing and my bank account was emptied electronically. I think we can learn a lot from our counterparts in non-infosec security, and vice versa.
My main problem with your paper is that, absent part 2, it reeks of the kind of scare-mongering whitepaper that does little more than drum up more infosec consulting business and fails to resolve any of the broader issues that it raises. After 25+ years in the industry, I didn’t need a wake-up call; I’ve been wide awake since roughly 1981. If your intention was to communicate a call-to-arms and establish a forum for discussing and finding solutions as a group which you would then publish, then I applaud your effort. But I think that you should have stated that intention. As written, your paper makes a well-worn case for how bad things are, and promises solutions in Part 2. I have to question whether you, or any individual, can deliver on such a promise.
May 11th, 2006 at 2:51 pm
From http://www.securecomputing.ca/?p=41:
Well, here’s an interesting article for you to read. After my initial feeling of being insulted, I settled in and read the article. This is only part one and my criticism would be, and any security professional knows all of the things he’s talking about, that he doesn’t give us any solutions to fix the problems. Apparently this will come in “Part 2” and I question whether he has the answers yet or is waiting to get feedback on his article and build some answers from that.
I’m not going to go into a long diatribe here; suffice it to say there are many ways to solve the problems, some of which will never be attainable and others which may help. The fact still remains; the IT Security field is constantly in a reactionary state. This puts security professionals at a disadvantage from the start and leaves them open to widespread criticism. There is no easy way to change this. IT security needs to be implemented with a holistic approach. You can’t solve the problem with technology alone, you need policies and procedures, and above all else, education. Any company that installs a bunch of security technology without going through the rest of the exercise will inevitably end up with some kind of security incident.
Bruce Schneier said “Security is a process, not a product” and too many people are still missing his point. Yes we need the technology and very often that has to be implemented first, however that’s not the end of securing your company, it is just one small piece.
I look forward to installment number two in this series and hope that there are some genuinely helpful and effective suggestions.
David Emerson Says:
May 11th, 2006 at 3:53 pm
Noam,
I think you’ve done a great job of “making a list” here, complete with bibliography. You’ve named and described many major security issues that are plaguing computers today — including many of the political and professional problems surrounding these issues. What was really missing was specificity about which computers are affected and why — throughout the article, I was unsure whether you were referring to computers in general, or only to computers running Microsoft Windows. Which computers are so insecure??
Squarely on the Windows side is ActiveX. Leaning in the same direction are Vulnerabilities in Security Software, and most spyware, viruses, and other parasites (though an ignorant GNU/Linux or Mac user could easily install spyware on his/her own computer — it’s just not quite as easy to do so right now in 2006.)
On the other side of the spectrum (well, some of these are kind of in the middle) you mention Internal Attacks, Passwords, Encryption, Wireless Access Points, Phishing, Spam, and zero-day exploits, all of which are pretty OS-neutral (right?) Of course if MS takes too long to make a patch for a known exploit, they deserve criticism, but they’re by no means alone.
As far as I know, Botnets and DDoS exist mostly because of masses of compromised Windows zombie systems. GNU/Linux and Mac systems are not completely immune to rootkits that could similarly enslave them, but do these Botnets *ever* use compromised non-Windows systems, and would it be easy to enslave them if Windows magically became more secure overnight? My inclination is “no”, but -I- don’t know!
Of course, there’s lots of interoperability between all these different platforms and applications due to the internet. Spam goes to everyone regardless of what kind of computer they’re using. Warding off phishing attacks is no different from defending yourself against fraud — except that the internet allows much more anonymity for everyone including criminals; insecure SMTP servers can easily make the initial contact that’s so key to traditional fraud; and international criminals can often circumvent the laws of the victim’s country.
Botnets can attack any server running any OS. What with this new (lack of) U.S. legislation, I’m surprised not to have heard of any of the telecommunications companies talking about restricting outgoing ping floods.
I’ll look forward to the follow-up!
~David.
John Howard Oxley Says:
May 11th, 2006 at 7:54 pm
While I certainly don’t disagree with this analysis, and certainly accept that there are lots of ‘causes’ to be addressed, I think there is one thing missing: this form of crime is not only easy, but also apprehension rates are low, and punishments are far too light. Technical solutions, and “blaming the user”, only go so far — we must have an efficient, effective, and proportionate system of punishing the wrongdoers [I suggest kneecapping for a first offense] if we are to make any progress on this at all.
Otherwise, security professionals are just walking around with a big “Kick Me!” sign on their backs. Nor do I underestimate the difficulty of doing this sort of thing, but if it can’t be done, then a case can be made for giving up the Internet for commercial purposes.
Lohan Spies Says:
May 12th, 2006 at 5:11 am
First of all I don’t want to criticize any vendor for the security weaknesses in their products. Each and every vendor has some vulnerabilities in their code waiting to be found by some security professional and exploited by some malicious programmer.
My view to address the security problems we face today would be to start by proactively increasing the awareness of how computers function in general to the internet community. After a successful completion of the first step we could start with Security Awareness programs. Successful Security Awareness programs address much of the vulnerabilities that exist in the security controls we use today, like antispam, antivirus, content filters etc.
Now and even more in the future, security awareness must be made the first step of general user training so that we can stop the simple problems we are facing today without implementing costly devices that try to mimic your users’ thinking!
Security Awareness is an ongoing program that needs to be updated with the latest and greatest out there and retraining the users as needed.
A computer cannot and will not be able to think like humans. They might mimic the human brain, but it will never be 100% reproducible! A human stays human and all humans make mistakes, unless they are trained beforehand to know what to look out for.
Another concern is the size of patches. Some users in Africa don’t even have a 56K internet connection; what about downloading 260Mb for patching your system? We must investigate, and find a simpler, more sufficient way of developing and applying patches in the desired time frame!
M. W. Meyer Says:
May 12th, 2006 at 12:26 pm
Nice battlefield summary, sir.
There are two fundamental weaknesses to the corporate desktop that support the crimeware exploits – and crimeware is really the major problem my clients face today. One we think about consciously – connection to the Internet. In other words, if my customers disconnected from the Internet, most attacks disappear. It IS very worthwhile to lead your client through an exercise to ask “Why does your company need the Internet?” Although literally impossible for most businesses, I look for solutions for my government clients that approach this goal as a limit, such as virtualization and appliances. For example, separate machines for Intranet and Internet access, with either a physical or virtual airgap, vastly reduce exposure. Then if a naive user selects a link that installs a trojan, that attack gains no ground because the victim machine has no connection into the corporate network, because of a virtual sandbox (e.g., VMPLAYER appliance) or a physical separation (Internet Thin Client for surfing).
The other related vulnerability is even more problematic but less obvious – the multi-purpose operating system, whether it is Windows, Linux, or ReactOS. Most crimeware attacks don’t want to control your browser or email for their own sake – the goal is to use these processes to deposit code to gain access to more interesting functions or data on the system. By narrowing the function of the machine face exposed to the Internet to a single purpose (e.g., browser appliance), the attack is chopped off at the knees.
On the human side, I would comment that our lack of tactical sense and cleverness as security professionals is our huge weakness. With our standard network perimeters, we are like the football team that runs the same off-tackle play every down. We use the frontal defense, never considering other tactical options – cover, deception, movement. For example, most orgs would never consider a honeypot. Like the HP doesn’t really stop the traditional attackers of the 80’s and 90’s, whose goal was disruption, Crimeware attackers don’t want to be discovered. I can tell you from experience that deception is a counter tactic that makes corporate espionage attackers hesitate – because they aren’t quite sure how good you are.
My One Cent
May 12th, 2006 at 11:09 pm
Noam Eppel wrote an article called “Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security.” that generated a lot of noise in the security community. I decided to comment on it in my blog too.
Yes, it’s really too-FUD. But it also has great points about things that are real. Some of them are not always seen in other places, and I’m glad to see that a lot of them are things that I’m always reminding people about. Among them are:
- Antivirus signature based approach failure
- Trojans and backdoors targeted to specific companies and organizations
- Trojans that instead of stealing credentials just perform funds transfers after the user is authenticated (I made a PoC presentation about it last year in CNASI). I was impressed to know that there are real cases now
- 0-day usage more common every day
- Internal attack issues, one of the biggest motivators of my Master Thesis.
He used these facts to draw conclusions, some right, some wrong. I agree that there is a rising complexity that makes security harder to do, that the cost of security controls is too high and that our “best practices” don’t solve the problem. This last one is one of my favorites; I have been saying that for some time.
I have a friend that is a penetration test specialist. His approach gives him an almost 100% success rate, even in companies that have advanced security programs. What is happening is that the main sources of information for the CSO, with their indications about the most common threats, don’t lead to solutions that could stop my friend’s approach. The “by the book” CSO will be easy prey for him. I believe that we need a deeper technical discussion about what we understand as “best practices”, making them more effective and clear. When I say technical discussion I mean “bring the good guys!”, especially those that are not related to off-the-shelf product vendors. Have you ever noticed that the “next biggest threat” always fits in the feature description of those just released black boxes? Wow, so every new threat can be avoided just by buying them?
Back to the article, I think that its qualities end here. The author does not remember that our goal is not reaching 100% security, but the security level needed to allow the business to keep going. The “it just needs one single vulnerability to fail entirely” approach is counting on defense in depth and compartmentalization not being applied. It’s overreacting.
I also think that there is too much confusion between “home user” security and corporate security. Really, we need to improve the security for the common home user a lot; it’s very hard for a non-technical person to keep a computer secure. But we can’t forget that we are not dealing with a common home appliance, like a refrigerator or a TV. There is two-way communication, there are new features being deployed on the fly, from different sources. The user has part of the responsibility to decide which features and which sources are safe; we can’t deny that. If you want to drive your car in the streets you need to know that your safety depends not only on road conditions or on your car’s safety features, but also on decisions and skills from you and other drivers. It’s the same thing with the Internet and computers in general.
There are still more deaths in car accidents than in wars!! I don’t think we are failing as terribly in infosec as we are with traffic safety.
There is another thing. Those numbers, increasing losses, frauds, etc. I can’t say for sure as I haven’t done extensive research, but I bet that when paper money or checks were introduced, frauds grew wild. As technology is gradually mastered, the ways of making it secure evolve. However, if the technology is evolving too fast there is no time for security to evolve. It’s natural. Security systems created 10 years ago are not very effective today, but if we apply their current versions to the same problem for which they were created, they would be almost perfect.
Let’s try to imagine if the weapons evolution had happened in a much more accelerated form. We should have spears, swords 6 months later, muskets in two years and grenades after 3. If we compare this with infosec we would be trying to make hand shields stronger and complaining that they were not protecting us from the grenades.
First, it’s necessary to make people in charge of security know about it. They know about products, not about security. They think that they just need to build the Lego with firewall+ids+ips+av blocks and everything is ok. We need education, to make them skilled professionals. It can be done with better training (SANS!), certifications, standards, codes of practice, etc.
Second, user awareness. Sorry Ranum, but I think it’s more than necessary if our intention is to keep the flexibility and power in their hands. We can replace all our cars by a public transportation system and drastically reduce the accidents. Does anybody think this is possible? 🙂
Third, product intelligence. Keep running behind attacks, virus and Trojan signatures?? This is too archaic. The advantage of more frauds is that there will be more investments in security technology, bringing more money and brains to the research field too. With this investment we can reduce the gap between state-of-the-art technology and the security tools available.
Fourth, demystify insecurity. This is not black or white, all or nothing, but the gray tone that each person or company can live with. When you go out to the streets there is a risk of being robbed, murdered, or a victim of an accident. These risks are, usually, getting higher every day. Have you given up going out of your house because of that? Maybe you have changed some habits (mitigating risk), but you accept that there is risk to keep doing what you need to do. You go to the bank; there is the risk of someone who saw you withdrawing following you later to rob you. You use Internet banking; there is the risk of someone taking advantage of this. Nothing changes. People only need to be conscious that the problem exists in any situation, be it “real” or “virtual”.
May 13th, 2006 at 5:53 pm
This article is completely correct, and it’s something I’ve been telling people for years. In computer security, quite simply, the bad guys are winning. Don’t kid yourself if you think you’re actually safe online. Even if you do everything right on your local computer, use good passwords, and play it safe, eventually, information about you, outside of your control, in some database somewhere that you can’t get away from, will fall into the wrong hands…
Curtis Collicutt Says:
May 13th, 2006 at 9:16 pm
From Reasonableinformationsecurity.com: “This article is really really good. Two “really”s good. I think we need people to keep talking like this..”
Rob Lewis Says:
May 14th, 2006 at 4:45 pm
I liked your article; it was readable and you said things that need to be said, even though they are perceived differently by different people. I know you got push back. Ranum did for his “6 dumbest mistakes in computer security” piece as well. Entrenched vested interest groups always get defensive with change because they like to protect their learning investment and revenue stream. How do you think the whole industry would handle it if a new model of IT security arrived on the scene that made status quo technologies obsolete? Are they going to be happy? Not likely.
There are many who agree with you, as your comment board shows. Others take a practical tack and say that although things are a mess, we have to find just good enough security. Finally, some others are still in denial. Yet I see the whole industry lining up behind Cisco and NAC and it will probably take about 10 years to get close to good enough. Mike Fratto over at Dark Reading just said there is no real business case for NAC, and it does not deliver real data assurance. We are heading for even more crapola!
Steve Silverman Says:
May 14th, 2006 at 7:21 pm
Excellent article, and I can’t wait for a follow up. I’ve added a link to your article on my site: http://www.successwithfailure.com/
Koos van der Merwe Says:
May 15th, 2006 at 3:35 am
I liked the article, but I think one point is missed: there is usually a trade-off between user-friendliness and security. A 100% secure system is impossible as long as people need to use it. Every company / computer user will have to decide what level of risk is acceptable. E.g. as mentioned by M.W. Meyer above… don’t connect computers with critical private data to the internet!
I think it might actually be a good idea to let go of the internet for commercial purposes (as John Howard Oxley suggested) and rather create a “new” internet, with security designed into it from the start (e.g. only allow “secure”/“trusted” networks to join it, running software that is certified as secure (maybe only allow OpenBSD ;-)) and that are not connected to the present Internet at all. But will the users go for it?
On the other hand AFAIK, bank transfers (between banks) have been done on (older) private networks not involving the internet… has that been 100% secure?
Pete Hillier Says:
May 15th, 2006 at 12:37 pm
While I enjoyed the context of the piece, I found that all the author did was point the fear, uncertainty and doubt (FUD) issues at the security practitioners rather than the organizations who are responsible and accountable to a great extent for the level of security they can afford and want.
We all know that the assumption of risk is a balancing act at best that comes at the whim of the CXOs who either “get it” or not.
Frankly I don’t believe it’s all doom and gloom, nor would I point fingers in the direction of specific vendors, for example Microsoft. To think Bill Gates has taken a couple of Billion dollars in security investment internally, directly from the bottom line, to placate us all is just silly. If he can be blamed for anything, it’s perhaps tardiness.
Barring all that, I look forward to reading the countermeasures.
May 16th, 2006 at 6:37 am
It is unfortunate that IT companies do not associate economic power with responsibility. Until such point that they are held accountable, why would they implement the necessary changes if it means it will make them less competitive?
It should be the Dells that ensure that all newly sold machines are patched up to the latest level.
It should be the Microsofts that DETECT and fix vulnerabilities in their own software.
It should be the Ciscos and the AT&Ts that block unwanted traffic.
At all levels, large and very profitable IT companies are making money from technologies, software and appliances they sell, security vulnerabilities included. Surely we can start insisting on security from them.
If we don’t, the loop will continue to feed itself: the bigger the problem gets, the more products they’re going to sell, and with that the problem gets even bigger…
On the other hand… we cannot complain, that when they DO take charge, it means I can’t instantly speak to my colleague who’s sitting at a client on the other side of the globe with his Linux installed laptop, using my TV remote, at the same time updating him on how seriously cool my new cellphone looks by showing him a live video…
Jason Goodburn-Moffitt Says:
May 16th, 2006 at 4:37 pm
It wasn’t much more than 30 years ago that identity security at banks was bullet-proof. It was done through relationship building. Not impersonal pseudo-relationships that an entire CRM industry has been created to manage, but the real thing.
If the teller saw that the Martha Smith withdrawing money from an account wasn’t the Martha Smith she sees every Thursday at 4:30PM with her cane and sandwich, then she would raise the red flag, and the imposter Martha would have to explain herself to the Bank Manager, and more likely the Police.
Unfortunately, we truly have traded security for convenience, and are now paying a much higher cost.
May 16th, 2006 at 10:41 pm
Awesome article!
- adli, kl
Gilly Says Says:
May 17th, 2006 at 6:47 am
Good points, so if we all stop working what will happen??? We have policemen, right… is there still crime??? We have firemen, are there still fires?? Solutions are the key; but you’re right, we need to be more proactive and two or more steps ahead.
May 17th, 2006 at 7:30 am
This is a great article. In Europe the use of strong authentication is globally in use for the protection of our online banking applications. The banking industry has understood that without this no one will use their services. I’m still wondering why this is not the case in the US? Maybe a question of self assurance…
May 17th, 2006 at 12:03 pm
After reading the majority of posts, it is clear that there are several reasons why we are in this particular security quagmire. As an ex-tech support employee, I would like to add my own viewpoint into the mix:
Somewhere along the way, it was decided that computers and the internet were ready for the mass market. They were not. For the same reason that Ford probably never considered the inevitable air pollution if millions of his cars were run on a daily basis, nobody really understood what was being unleashed. That’s how we got where we are now. That’s why the software and the operating systems (at least initially) are as insecure as they are.
Continuing with the car analogy, when many people started using cars, it was quickly realised that some standard of use was required: hence the driver’s license. Not every 10-year-old with an understanding of how the controls work is able to drive a car nowadays; because, THEY CAN’T OPERATE A CAR RESPONSIBLY OR SAFELY. Everyone in the developed world must get a license to legally drive a car. It doesn’t prevent all accidents from happening, or drunk driving, but could you imagine who would be on the road if we had no licensing system?
End-users are unlicensed kids, who were taught how the controls work, but not taught how to use those controls responsibly. Maybe it’s unfair, maybe the onus should be on the software developers who made things so difficult for the average user, but nevertheless, this is the situation we are in now. Whatever operating system, or security software, or whatever, is cooked up, users (who by the way leave their house and drive their computers at work just as irresponsibly as at home) need to be educated in proper computer use.
And tested.
And licensed.
Duane Gran Says:
May 17th, 2006 at 2:15 pm
While some applaud the semi-anonymous nature of online communications and stateless protocols, I believe part of the problem is that the whole network is built on a brittle trust. As a previous commenter noted, the Internet was designed to facilitate collaboration among people with a common interest. Much in the way that crimes are few and easily solved in close-knit communities, the good old Internet was practically an Amish town compared to our present global network.
As I delve into a practical (or impractical, you tell me) suggestion, think about some of the problems we may have faced as our automotive network of roads developed and cars were largely unlicensed personal property. How did anyone identify a hit and run driver or a bank robber’s getaway car, especially when it matched the ever present black Model-T?
My proposal is most likely untenable, but I would be interested to know if it has any traction at all. I propose that identity, as we know it in meat space, should be part of the protocol stack for the Internet. It isn’t perfect, but our global network is full of anonymous black Model-Ts and it seems about high time that we put some license plates on the payload.
Alan Willcox Says:
May 19th, 2006 at 8:59 am
This takes things a bit too far. Information Security is practiced differently by every organization, within every country, and by each security professional. Just as there are valuable lawyers and rotten lawyers, there are valuable infosec practitioners and incompetent ones.
For example: Codes of ethics must MEAN something. How many CISSPs have signed certification applications for applicants who don’t have the requisite experience? Have applications been audited? Have any certifications of these folks been revoked?
Chris Byrd Says:
May 20th, 2006 at 7:06 pm
This is an excellent article which does a great job of pulling together much of the current information on the state of infosec.
I’ve posted a link and my impressions of the article in my blog at: http://riosec.com/state-of-insecurity
Basically, I feel that while this article accurately reflects the state of (in)security today, there is a lot that companies and individuals can do to protect themselves. For example, I’ve never had a virus outbreak on any network I’ve been responsible for. By following defense-in-depth and default-deny principles, a few resources can go a long way.
Marshall Goodman Says:
May 23rd, 2006 at 5:46 pm
Gentlemen: Several thoughts have occurred to me on this issue and I too await Noam’s sequel. What we really face is how to deal with the ‘risk’ to the client. I have noticed all the standard comments, from ‘there really isn’t a problem’ to ‘we have to re-build/re-engineer the O/S’. Hogwash! We need to concentrate on the client’s needs. The top three are (IMHO) as follows:
1. guarantee network/webserver service from interruption by DDoS/Trojan/Virus etc.
2. guarantee security of data from phishing and de-cryption
3. guarantee website integrity from hacking and defacing.
The fundamental element of these three is that there be a minimal impact on the user’s experience. I want to come back to the risk part now. As an internet business, all three items are high on my risk chart, because any one of them would have an adverse effect on business. As a home user, data security and DDoS abuse of my computer are my high risk items. If I was a corporate user, with a media profile, again all three are important to me. How does business usually handle risk? By getting insurance. With insurance as an option, looking at our security issues, we can tell our clients that we can get ‘internet/Data/Webserver/Network security insurance’ that will pay something if there is a security breach covered in the policy. The catch will be that approval of the policy would be contingent on having the approved set of software and hardware installed and maintained by certified technicians that implement the ‘best of breed’ components to battle the foe, so to speak. The Insurance companies would become interested partners in the security software/hardware business and would refine their policies (and premiums) as the level of ‘risk’ is measured for a client on an ongoing basis.
Ok. That’s my three cents worth.
Jon R. Kibler Says:
May 26th, 2006 at 4:01 am
This is probably the best article that I have read recently about the state of information security. It mirrors my thinking on the subject. And, deservedly, it isn’t too kind to us security pros either. A great wakeup call (as if we really needed one).
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
James Governor Says:
May 26th, 2006 at 9:25 am
out-innovating? give me a break – many, if not most, of the examples you talk to are really losses, not thefts. corporations and governments just aren’t treating customers and citizens with any respect. Until businesses start to care about their customers a lot of security is a waste of time and money. NEGLIGENCE is your customers’ real enemy.
Walt Rountree Says:
May 29th, 2006 at 1:20 am
Loved your piece. Education is a key. But it is not necessary for people to learn software fixes. Many of the security vulnerabilities are not really technical at all. For the same reason you don’t leave your money lying around for anyone to take, do not put information on the Internet that you would not want evil people to have. I never believed it was safe to bank online despite what some security “experts” say. Do not do it. It is always better to order by mail or telephone: or better yet at a store. Also, do not put information on any computer connected to the Internet that you do not want people to see. If you must use Quicken or some other program for your finances, be sure either to put it on an isolated box or otherwise back it up and remove it before being tempted to go online.
The ease of opening an account by providing limited identification has led to vulnerability for many companies and this is not in any way technical. Giving out your social security number used to be perfectly safe before accounts could be opened using it without other verification (For example, my drivers license number and US Army service number used to be my Social Security number. Nobody was worried in the 70’s.) Just as you cannot believe all you read online, businesses and people cannot afford to be too trusting when using cyberspace. This practice of allowing a purchase to be made so easily by an unverified individual is what has led to the stories of “identity theft” and must end before the losses become unacceptable.
Non-technical users need to use a Macintosh which is not vulnerable to many of the things which infect and ruin Windows computers. You cannot expect my grandma, bless her heart, to always keep her defenses up to date. She wants to share photos and email.
May 29th, 2006 at 5:28 pm
This is why security is a process – not an end product. While interesting and informative, your article simply isolates various security products, tools, and ‘ways of doing things’ along with each of their respective failures. Some of which are very old news (by tech standards).
As infosec professionals know (as well as anyone who specializes in risk) there is NO way to secure anything 100%. That’s why we focus on risk mitigation, not risk avoidance.
Ultimately, the problem is humans are still responsible for everything. Building the ‘secure’ systems, developing and testing applications, patching, following process, and as long as that is the case, other humans will find a way to break the work.
Is this really a big failure?
Of course, your piece was sooo long with so many reference links, I may have missed something somewhere. Good reference piece though.
May 31st, 2006 at 12:53 am
A sobering paper which rings 100% true. Yes, user education is a sine qua non, but it can’t be sufficient. I am a computer professional, reasonably aware of security issues, yet I can’t say I have the know-how to sit down at a computer and completely secure it; in fact, if you accept this article, no one can! Mostly we take the shotgun, i.e., ‘layered defense’ approach of closing every vulnerability we can possibly think of, and no doubt that’s a lot better than nothing, but this makes it all seem futile. I too am looking forward to the next installment.
Sierra Bravo Says:
May 31st, 2006 at 4:32 am
Nice article, though sensationalist in parts. My comments:
1. Security is a journey, not a destination. It is a process, not a device. Therefore, it will never be “done” at any point.
2. As a user of both Windows (> 15 years) and Linux (> 6 years), I would place 95% of the blame on MS. Not just for turning out crappy code, but mostly for “dumbing down” OSes and destroying the necessary discipline that ought to have been there for every user. This has created problems for every other OS as well (“…why isn’t this as simple as Windows?”).
3. A turning point in security during 2005-2006 is that the security business has been formally criminalized. Therefore addressing security requires legal steps as well.
4. Free/Open Source Software must be promoted for other reasons as well, with peer review being most important. Sony couldn’t have smuggled a root kit into the audio CD had there been some effort at peer review.
5. Personally, I do not feel that there is going to be an immediate meltdown of the Internet, but loss/compromise of personal, corporate or government data would be very much feasible where sysadmins are careless.
6. The ‘dumb user’ remains the greatest threat for all developers. A balance has to be found between ease-of-use and security.
7. Social engineering will also become an important problem as large numbers of neo-literate computer users take to the Internet.
bests.
b.
Gord T. Says:
June 1st, 2006 at 11:10 am
Hey Noam, after our chat last night, I hopped on-line to have a look at your article.
I’ll start by saying I love the frog analogy – very striking and apt.
I agree IN PRINCIPLE with what you’re saying insofar as we’re deluding others about our ability to have a secure cyberspace. I’m not, however, a great fan of FUD (fear, uncertainty and doubt). That’s what vendors have been using to sell us “the next great security product” for a long while. By propagating this “the sky is falling” tactic ourselves, we’re essentially validating the method – isn’t that also a failure? Ironic, that such a mistake should occur in an article where you’re trying to wake people up to failure. I’m not sure if this strengthens or weakens your position. The sensationalist way with which you’ve presented the info, though, is a great way to get people talking: 82 posts before me as I type this up – and that’s just the people who’ve bothered to comment. Good work.
A few thoughts that occurred to me at various points while I was reading the article:
- The information you present reminds me of statistics (damn, lying statistics). Anyone who has ever built more than one statistical report has probably experienced the phenomenon where you can pretty much make the data (facts) say anything you want based on the manner in which you present them. Do you think you’re presenting your facts in the most truthful manner, or have you presented them in a fashion to support your thesis?
- I was reminded of news articles I’ve read describing how various government agencies, typically targeting police forces, are failing us by not providing sufficient protection: guns are rampant, organized crime is at an all-time high, kids are swarming people at malls, etc. Shouldn’t people take some responsibility for their own actions? Don’t we all (as a cohesive society – not just the police) have a responsibility to stand together and help each other out, rather than just pointing at the bad-guys and whining that someone else hasn’t done enough to protect us from them?
- You point out that all the various tools are failing us, but many of the quotes you use are from the very sources you’re saying are broken: “IBM is putting out warnings” – yet IBM is one of the world’s biggest providers of security consultants who are “drastically failing”. So, why should we believe what IBM is saying if they suck as bad as the rest of us? Because they make a lot of money and are big? They’re about business, and every press release they put out is solely for the purpose of increasing or maintaining business. There are similar quotes where you say anti-spyware is failing us, but then quote an anti-spyware consortium, etc..
- I remember when the AvanteGarde test results came out. It was a flawed test from the start – they used XPSP1 with known (patchable LSASS) vulnerabilities because that’s how “some vendors are still providing it”. That’s definitely a vendor failing, but really only proves that an unpatched system WILL get compromised – every OS vendor has been telling us that forever. Purely sensationalism for publicity.
There are large parallels with what we do and what law enforcement does: cops focus on protecting people from crime, as do we. They do it in the physical space, while we do it in the virtual space. I think this analogy is even reflected in the names we give ourselves: Blackhat vs. Whitehat, Attacker vs. Defender, Bad Guy vs. Good Guy. As a result, I believe we should expect to have similar problems as law enforcement – the criminals are evolving, so we must evolve. Can we anticipate what the next attack mechanism will be? Sometimes. Can we entirely prevent it until the bad guy makes the first move? Probably not. As with law-enforcement, we’ll always be reactionary – it’s the nature of the beast.
[Noam writes: “People can come up with statistics to prove anything, Gord. 14% of people know that. 😉 Certainly, while certain statistics can be debated, judging by most of the comments and discussions around this article most people agree that things are pretty bad and that the security industry is facing a number of challenges.
Regarding the AvanteGarde test, they did deploy a number of systems including some which were not patched against LSASS vulnerabilities. However, I do believe that as long as “some vendors were still providing it” in that configuration it is a valid experiment because it does simulate the real-world experience of people (e.g., average home users) purchasing computers from those vendors.
And I agree completely that simply spreading FUD is unproductive. As I mentioned elsewhere, the article was written to encourage and promote discussion to help solve some of the current security challenges we are facing. I mentioned in the article that, “Part Two of this article will contain a list of what we must do to address our current failure.” And that, “It will incorporate your comments and feedback.”
Thanks for the comments Gord!]
J.J. van der Neut Says:
June 4th, 2006 at 1:01 am
Great article. Somehow the FUD is alerting, however unproductive to come up with the right solutions. You agree on that in your reaction to Gord.
What scares me every time I face enterprise customers is the risk they are prepared to take due to the ice it takes to implement all necessary controls (regardless of the complexity). Paying for protection up to 5 times more than the functionality you use on your desktop/laptop is insane. (Securing a building is more expensive than the building itself?)
Security vendors keep their products in a niche where they can make easy money. Security needs to be made a commodity (low prices). Leaving risks not addressed due to unrealistic investments is one of the worst things to happen according to me.
I’m looking forward to your part two. Success.
Robert W. Beggs Says:
June 5th, 2006 at 3:56 pmAs part of the weekly Canadian Information Security Newsletter, I have written an essay reviewing Noam Eppel’s recent Security Absurdity posting. The introduction is below:
Noam Eppel of Vivica Information Security has recently published an essay called “Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security” (http://www.securityabsurdity.com/failure.php). I highly recommend that all information security practitioners read this paper. Its laudable goal is to provide a “long overdue wakeup call for the information security community.” The essay is both a success, and a failure, in meeting this goal.
Through its familiar tone and use of known examples, Noam describes a data security world gone mad. It is a well organized and believable story, particularly as this is the world we live in each day. Few of us can escape the daily events (disasters!) that face us at the office, and news headlines on the radio and in the newspapers reinforce the sense of insecurity once we arrive home. Noam delivers a good story, if not a novel one. We have all heard of events before, we have all had a sense of dread that it could happen to us, so we can easily empathize with the presentation. In that sense, Security Absurdity is a tactical success – its security reminders achieve a quick, but limited victory.
It fails for the same reason – the stream of anecdotes and stories are the same ones that we hear every day when we are trying to shock people into action, or listening to a sales pitch that is playing on our fears. In the security industry, we call it FUD – fear, uncertainty, and doubt. There is nothing new here; unfortunately, more FUD will not wake up the information security community. In a sense, it will never achieve the strategic importance that it should have in order to make the change that Noam envisions as critical.
Noam’s conclusion that there has been a “total failure” in information security nags at all of us. The degree of the failure changes depending on the individual and the context of the discussion, but we all agree that something more should probably be done. Figuring out that “something more”, and how to go about doing it, requires more than quick, but limited, victories.
The goal of this essay is to extend the analysis in Security Absurdity, providing the critical assessment that it lacks. In particular, it will address the following:
Noam’s paper never defines key concepts – in an entire paper on security, he never once identifies what information security is, or how its success is measured. How then, can he ever state that it has failed?
Noam places the blame for the total failure on the information security community; unfortunately, his analysis is limited. He focused on technology, completely neglecting the people and processes involved in security delivery. In the absence of 2/3 of the complete picture, I would argue that he may lack the evidence to hold any one group responsible.
The use of fear, uncertainty, and doubt, FUD, to sell the premise of the paper lessens its credibility and applicability. Many of the cited “proofs” are inaccurate, and poorly represent the point that the author is attempting to make.
Taken together, these shortcomings represent a security absurdity that Noam never alludes to – the failure of the security industry to critically examine its own performance. As a group, we must move beyond the FUD and fear mongering we malign in others when we speak of our own profession. In effect, we must take a rational, almost scientific, approach to identifying and stating the problems that need to be addressed. Without such an approach, we cannot help to improve the situation. If you don’t know where you’re going, any road will take you there!
I believe that when the points above are addressed, Noam’s original conclusions will be strengthened. He has a valid thesis – the security industry is not as good as it could be.
The full essay is available online from:
Robert W. Beggs, CISSP CISA
Bill Wardell Says:
June 12th, 2006 at 1:02 amThis story scares the crap out of me!! All I can say is until we lock up every hacker and cracker for a federal offense on 1st time offender… then nothing is ever going to change. It’s not Microsoft’s fault…. It’s our responsibility to say it’s a CRIME and we’re not going to tolerate it any more!!! Thank you, Bill Wardell
omer taran Says:
June 19th, 2006 at 2:29 amIt is an interesting article, though not so focused. And I guess this is the heart of the problem. Most IS pros aren’t focused. Trying to eliminate all threats makes you eliminate none.
Mapping real business threats can be tiresome and I guess (no hard evidence here) a lot have given up and use the same old threats which are always true and never relevant. So I think the first step for an IS pro is to focus and make sure he knows what it is he’s protecting, why and how he should do it. Then he/she should find their flaws (and there always are some).
As for statistics: you probably know the saying – they’re like a bikini, they reveal a lot, just not the important stuff.
June 19th, 2006 at 7:32 pm“People are simply losing trust in the Internet.” This trust, if it ever existed, was misplaced and tentative. If the internet is not a secure transaction environment, it is still a worthwhile and successful venture. Businesses who want a secure global transaction network should try to build their own, instead of whinging that they cannot piggyback on a deliberately open, information dispersive environment which does not provide, and has never intended to provide, safeguards to the authenticity of its users. Adding these safeguards destroys the very thing we have built, and this is one reason why there are so many attacks against those who seek to take ownership of the internet and convert it to a private, profit-making, identity-harvesting, marketing menace. And the remainder of the attacks (the larger portion) are by people working for those very aims. Give it up. The internet was built as a library, and nothing else. You want a bazaar, build your own. EXEUNT ROMANIS!
Iang (The Market for Silver Bullets) Says:
June 20th, 2006 at 5:40 amI’m glad that the meme is starting to emerge – yes, the “security industry” has failed completely. We need to get that message understood and accepted before we can move onto the next step – figuring out why, and what to do. Some of us have been exploring why this is so from the point of view of economics. It was originally suggested that the market for security appeared to be one like Akerlof’s Lemons. So, many people have looked at the literature and tried to apply those lessons. But (I claim) this is wrong – the market for security is an example of the market for silver bullets. In brief, this is a market where neither the purchaser nor the seller know about their product. How this works and what emerges in this market space I explore more in the working paper (click on link). The hard part is that this model explains why things are as they are, but it doesn’t do more than suggest why it is so bad and can get worse. There are hard negative factors we have to remove from society before we can improve on this – for example, I show that we have to eliminate the _fingerpointing_ that goes on before we move the market back to one of experimentation. That’s very hard. The water is very hot now. It will take a long time to cool!
Iang (Security Revisionism) Says:
June 20th, 2006 at 6:12 amAs you are asking for comments for a second part, here is a review on new directions from an economics perspective. I wrote there: “Security isn’t working, and some of us are turning to economics to address why this is so. Agency theory casts light on cases such as Choicepoint and Lopez. An economics approach also sheds light on what security really is, and social scientists may be able to help us build it. Institutional economics suggests that the very lack of information may lead to results that only appear to speak of security.”
Financial Cryptography Says:
June 20th, 2006 at 6:46 amSecurity Absurdity: The Complete, Unquestionable, And Total Failure of Information Security… Mark points to Noam Eppel. If you haven’t subscribed to the “total collapse of security and humanity as we know it” theory, then I’d encourage you to read “Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security…
June 20th, 2006 at 10:54 amInteresting article and feedback, it’s always good to encourage debate. However, I can’t help thinking I’ve heard it all before and it’ll be interesting to see if any action occurs as a result of the debate. While I appreciate your analogy of the frog in boiling water was used to make a point and is generally accepted as fact, it is actually wrong. A frog has the sense to leave an environment that is becoming uncomfortable, never mind dangerous; as an illustration, you may or may not know that declining frog populations are highlighted by environmentalists as an indicator of environmental pollution / warming (tree frogs in the Amazon). I know as I live with an environmental activist and hear about the plight of tree frogs whether I want to or not. I know it may seem like a small point, however you’re giving frogs a bad name. If they don’t like their environment they do something about it, and we should do the same. It’s easy (and fun) to blame others but people need to take responsibility for their actions. If you’re not in a position to influence Microsoft, do something you are in a position to influence.
Computer Security Says:
August 23rd, 2006 at 5:30 pmDave…Interesting topic… I’m working in this industry myself and I don’t agree about this in 100%, but I added your page to my bookmarks and hope to see more interesting articles in the future…
Some things MUST change. Says:
September 14th, 2006 at 3:53 amSome things MUST (and they WILL) be REPLACED (not modified). Sooner or later. Just targeting backward-compatibility without thinking and ACTING in regard to security will kill most businesses in the (hopefully) near future. The technology is here, but anti-virus/anti-spyware/anti-DDoS/anti-???… software corporations are making VERY BIG money by only mitigating the risk, so the strike in the heart of these mammoths will definitely not come from them, that’s for sure! Don’t wait for some Anti-Virus corporation or Microsoft to solve this issue! They never will, unless they are forced to do it, either by the competition or by the law. The economic world drives innovation to be adopted, but that does not mean that the technology isn’t there! It means just that some people get REAL money just giving you every month a piece of the meat, thus making you hungrier and them … . I’ll say that starting with core network protocols and going forward to an OS built with security in mind (OpenBSD, GNU/Hurd, … ) will be one viable approach. Just TALKING about security, making risk evaluations and statistics WOULD NOT make the difference that will really count for answering the simple, yet decisive questions that users have: “If in the past I didn’t trust the Internet, do I trust it now ENOUGH? How many vulnerabilities are presented every month about that OS? Why does vendor X still write code in C when he wants to reach the maximum security level that is possible? …” Just my 2 cents about it.. Mr. M. P.,
Pierre Menard Says:
September 24th, 2006 at 1:46 pmRather than taking a purely defensive approach, how about attacking the bad guys directly (eg. creating virus wizards that expose the identity of the perpetrator, etc). As long as people continue to easily get away with the crime it will just get worse.
Martyn Thomas Says:
October 18th, 2006 at 4:15 amMost security vulnerabilities arise from poor coding (unlike safety vulnerabilities, which are generally specification errors). Most of these coding errors could be avoided if developers used type-safe languages and decent static analysis tools. Yet people who call themselves professionals continue to use languages such as C and its derivatives, with weak type checking, no bound-checking on arrays, aliasing, pointer arithmetic, and language features that are formally undefined and whose meaning may change from compilation to compilation (such as the order of evaluation in expressions). Coding is hard – we need all the help we can get if we are to avoid mistakes. In my opinion, the continued use of weakly-typed languages should be considered prima-facie evidence of negligence by the software vendor, and expose them to liability for security breaches. Martyn Thomas
November 28th, 2006 at 11:28 pmThe single best thing to do is write the operating system and tools in Java or other “safe” language. This removes from possibility ALL overflows, underflows, double-frees, pointer arithmetic errors, etc. Then the only thing left is the higher-level attacks like impersonations, XSS, that kind of thing. Even these can usually be ‘solved’ by restructuring the information (for example, in XSS, just delivering the same scripts outside of HTML instead of inline makes it pretty much impossible). There’s simply no excuse why we don’t have fundamentally safe systems.
Atif hussain Says:
November 29th, 2006 at 12:42 amRE: Some things MUST change
When humans invented knives/computers/the internet, it let mankind perform many tasks with a lot more ease than was earlier possible. The technology empowered the user to its use or misuse.
The misuse was not just tolerated but also cashed in on. It went on for long.
Only then did society wake up and bring in a completely new system with inbuilt checks. Mr. M. P., it’s not yet time, just think of the costs…
Joe Blow Says:
November 29th, 2006 at 3:37 amI think everybody, including security professionals, are missing the point entirely. Bruce Schneier will tell you it’s an economic thing. As long as there is no economic consequence for having your computer compromised and spamming millions of others, there is no incentive to clean it up. As long as Microsoft does not have to pay for the damages, there is no reason for them to build in security. The problem is not technical in any way, shape, or form. We do not see the botnets and keystroke loggers running on Linux or Mac or BSD. Some OS’s are relatively free of the major security issues. Don’t waste your time on the little things like DOS attacks that can’t be prevented or “local privilege escalation” which is not the source of major problems. You need to focus on “remote command execution” which leads to privilege escalation. This is the entire problem in a nutshell and it affects Microsoft OS’s almost exclusively. As long as you keep calling it a “computer virus” instead of a “Microsoft virus” people will never understand.
So we have two problems. Number one, Joe Average thinks all computers are like this and nothing can be done other than buy more anti-(virus, spam, rootkit, trojan, key-logger, name-your-poison). And number two, Joe Average just doesn’t care that his computer is sucking other users into phishing scams as long as he can get his email and surf the web. The second problem is really the worse problem. As long as there are no consequences for their computer’s actions, people just don’t care what happens in the background without their knowledge. Just ask them! I have. I have attempted to warn many relatives and the answer is always the same. “As long as it works for what I want to do, I don’t care what else it does!”
The solution is simple and has nothing to do with security or technology. And the same can be said for spam. Simply outlaw it and hold people accountable. As long as they are not accountable for the behaviour of their computer there will be no end to security and spam issues. As soon as people are fined a thousand dollars per incident, it will end very quickly. If you think that this won’t work because it’s only one country like the U.S., there are many arguments that I won’t detail here against that viewpoint, simply because we get into much more detail about how the whole security thing relates to spambots and where most of the computers are and who the ultimate instigators are. But trust me, viagra is not a Japanese or Korean industry.
November 29th, 2006 at 4:20 amNothing’s going to change. Security folks don’t know how to solve *everything* – so they just hide the bits they don’t know, or pretend they don’t exist or are not important, and go on to peddle their warez with giant bogus security claims. Here’s a list of problems:
http://chrisdrake.com/Comprehensive_list_of_Threats_to_Authentication_Procedures_and_Data.html
Here’s a big security company – http://www.pgp.com/ – bold enough to write “Ensure end-to-end security” on their actual home page… naturally their idea of “end” excludes anything they don’t bother to protect against (eg: phishing, hardware+software)…
November 29th, 2006 at 1:32 pmWe need to change our perception of security. Physical security and information security are the same. The locks (firewalls, access control…) keep the honest people honest. The criminals just kick the door in. We need to assume that we will be attacked successfully and work hard to limit the impact. Regarding Joe Blow’s comment on Linux/BSD not having these issues: don’t be fooled, it definitely is an economics thing. If you are going to spend time/resources trying to create a virus/malware/bot/… you want to get the biggest bang for your buck. You are going to write it to run on the majority of the computers connected to the Internet. Windows! If tomorrow everybody switched to Linux the criminal effort would switch as well.
Bob Blakley Says:
November 29th, 2006 at 3:30 pmI published a paper ten years ago in the proceedings of the New Security Paradigms Workshop which observed that security had failed for specific reasons and would continue to fail unless we rethought the foundations of our approach to the problem. I suggested a number of new foundations which might be more effective than the structures we’re currently using. We didn’t rethink our foundations, and security continues to fail in all sorts of perfectly predictable ways. The paper is called “The Emperor’s Old Armor”; you can find it here: http://portal.acm.org/citation.cfm?id=304855
November 30th, 2006 at 1:05 amHere is the root cause: it’s a scaling problem. The business model for the scammers scales as the internet scales, but the business model for the security professionals does not. Expect a per-computer or per-connection tax/payment that is used to fund education and security.
November 30th, 2006 at 2:22 amI haven’t read all the comments – doubtless someone will already have said what I am going to say, but I will say it anyhow. My belief is that the problem is people (I guess this is kind of like saying it is economics, but one step higher I suppose) – manifested in three ways:
1. People driving software development (not the developers themselves, but senior management et al) would rather have a product on the shelf today, with issues, than wait for it to be ready. Security is one of the many aspects of software that is quickly pushed down the priority list, or compromised.
2. People using computers, aside from a small minority, DON’T care about security. You don’t need to secure your TV, do you? These people, who see the PC as an appliance, are in homes, offices, on laptops, and include the smart, the dumb, the old and the young, the rich, the poor, the good, the bad and the ugly, basically people from every walk of life. “Educating users” – a concept I support – will just not work. There will always be people who can’t, won’t or just don’t want to learn, and these people will have or will get computers – and unless there are very big (and doubtless ‘unpopular’) sticks to beat these people with, they won’t.
3. People want to make money, people are greedy, or envious, or just desperate, and will try to take money from others. This, for the foreseeable future, will always be the case. And whilst it is the case, these people will use whatever means they have – and computers are a damned convenient way of robbing people. Much less of this messy physical violence, with additional convenience and anonymity to boot.
Solutions? I don’t have any. I can’t even think of any half-baked ones. Maybe in the future software WILL get better, and the problem will go away. I don’t think that will happen though – so all that can be done is to change that which is in my sphere of influence – keep myself abreast of issues and look after my family’s machines, and keep them informed of the risks. Doesn’t seem like much of a solution though, does it? If only we could actually implement the evil bit (RFC 3514)…….
November 30th, 2006 at 2:28 amOh yeah – one last thing – the people that can change this, like governments and so on, don’t understand the issues. I challenge ANY politician FROM ANY COUNTRY to be able to explain the difference between a ‘virus’ and a ‘trojan horse’, let alone understand the idea of spam bots, distributed denial of service attacks, and so on. Yet we expect them to legislate against these things?
December 5th, 2006 at 9:27 amPart of the problem is the insecure programming languages still in common use. C is tailor-made for buffer overflows; Java and .NET are better, but still not ideal; google for “e language” to see what a language designed for real security looks like. Also, of course, it’s worth noting that most of the problems you mentioned were Microsoft issues; Linux users don’t have near the hassle. Partly that’s because Linux is less of a target, but it’s also due to a design that’s inherently more secure. For extreme security, you can always go with OpenBSD, which is downright obsessive about it and hasn’t had a remotely-exploitable hole in something like eight years. As for web apps… yeah, that’s a big problem. Very low bar for entry, lots of programmers slamming together scripts without the slightest thought about security. I work in this realm, and I could tell some horrible stories. Even with a framework that provides decent security, programmers who don’t understand what the framework provides will build their own solutions, with gaping holes.
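Martyn Thomas’s point above about C having no bounds checking on arrays, and the December 5th comment’s remark that C is “tailor-made for buffer overflows”, come down to the same thing in code. What follows is an added example, not code from this thread or from any project mentioned in it: a fixed-size record where the unchecked `strcpy` idiom would write past the field, beside a length-checked setter that refuses oversized input and reports it; the names `record_t`, `NAME_MAX`, `record_set_name` and `checked_get` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (hypothetical names). C gives a struct a fixed layout and
 * never checks that a write stays inside a field. */
#define NAME_MAX 16

typedef struct {
    char name[NAME_MAX];   /* fixed-size field */
    uint32_t quota;        /* laid out immediately after name */
} record_t;

/* The unchecked idiom the comments criticise: strcpy copies until it sees
 * a NUL, trusting the caller about length. A src longer than NAME_MAX-1
 * bytes would run past name into quota and beyond, which is undefined
 * behaviour; this function is shown for contrast and is only ever called
 * here with input that fits. */
void record_set_name_unchecked(record_t *r, const char *src)
{
    strcpy(r->name, src);
}

/* The bounds check C leaves to the programmer: measure first, refuse
 * anything that does not fit (terminating NUL included), and leave the
 * record untouched on failure. Returns 0 on success, -1 on overflow. */
int record_set_name(record_t *r, const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_MAX)
        return -1;
    memcpy(r->name, src, n + 1);   /* n+1 copies the terminator too */
    return 0;
}

/* Same idea for array reads: arr[idx] is never checked against len, so
 * expose an accessor that is. Returns 0 and stores the value, or -1. */
int checked_get(const uint32_t *arr, size_t len, size_t idx, uint32_t *out)
{
    if (idx >= len)
        return -1;
    *out = arr[idx];
    return 0;
}

int main(void)
{
    record_t r;
    memset(&r, 0, sizeof r);
    r.quota = 7;

    /* Fits: both setters behave the same. */
    record_set_name_unchecked(&r, "alice");
    printf("unchecked ok: name=%s quota=%u\n", r.name, (unsigned)r.quota);

    /* Constructed 30-byte input does not fit in 16: the checked setter
     * reports it and quota is still 7 where strcpy would have clobbered it. */
    const char *too_long = "a-name-that-is-too-long-to-fit";
    int rc = record_set_name(&r, too_long);
    printf("checked rc=%d name=%s quota=%u\n", rc, r.name, (unsigned)r.quota);

    uint32_t v = 0;
    uint32_t arr[3] = {10, 20, 30};
    /* Call in its own statement: the order in which printf's arguments are
     * evaluated is not fixed, the evaluation-order trap mentioned above. */
    int rc2 = checked_get(arr, 3, 2, &v);
    printf("idx 2 -> rc=%d v=%u\n", rc2, (unsigned)v);
    printf("idx 3 -> rc=%d\n", checked_get(arr, 3, 3, &v));
    return 0;
}
```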
December 5th, 2006 at 10:32 amIn this entire article, I haven’t seen the culprit and real threat to the problem – laziness. Networks are as secure as the engineers and help desk staff want them to be. The answers are available if the willingness is present with the team. “You can’t do anything about it” … “We can only do what we can do” is the mantra of IT professionals that throw up their hands and walk away at night, OK with the fact that millions can be lost. Companies will get cracked, but the persistence to find new solutions can’t be lost.
Mauricio Ramirez Says:
December 5th, 2006 at 2:45 pmHa! Microsoft guilty???? We live in a very defective world, full of thieves and bad people, full of it. It’s like saying that we should blame constructors because our houses are insecure! When you suffer a robbery at your house, you have to look around it, your neighborhood, etc., not blame it on the constructor. And, good job on the Linux guys, very well done! Yeah right! Like Linux is a paradise!!! Of course, sir! I remember that programmers for NASA (where security means losing a spaceship with people and a lot of money) write 15 lines of code per day! Can you imagine writing Linux or Windows at that speed? We would get nowhere. The problem is with the twisted minds of the bad people in the world. We have no defense against that. No defense. We have come to a point where developing software costs 1 dollar and securing it costs maybe 5 or 10 dollars! Who is paying?