The security industry can get a bad rap from opinion writers when most of the news making headlines in tech security is about another hack or data breach. CNet posted “Why the security industry never actually makes us secure”, which states there are two hurdles between the present day and a proposed security Nirvana. The article stated “First, there’s the seemingly endless arms race between hackers and defenders, one that shows no sign of slowing anytime soon” and “Second, there’s the fact that attackers are–at least for now–much more motivated to get in than companies are to keep them out”. I could not agree less with these two statements.
There seems to be a mentality in society that security must eliminate all risks forever and fit into a self-managed box that costs next to nothing to make or purchase. I do not think such a solution will be developed, and not simply because it would put me out of work. Society is evolving toward a more interconnected web communicating over a public network, which introduces new risks based on a shifted or expanding threat spectrum, depending on how you look at it. Security cannot be evaluated only in terms of technology, and security can’t be solved by treating all risks the same.
Endless Arms Race
First, there is not an arms race between red and blue, as that would imply new sophisticated tools are being created and used in attacks by the masses. As shown in the recent Imperva report, recent hacks claimed by Anonymous used open-source and off-the-shelf commercial tools of the trade, as well as relying on sheer people power to turn door knobs hoping for an opening. In observing IRC chat forums and social media, I see more of an activist movement that is introducing hacking as a form of social disruption around political and economic issues than a call to arms.
Depending on the motives of the attacker(s), there may be some digital thieves sneaking in through a side door, so to speak, but lately most of the real damage has come from hacktivists against what they have deemed evil entities. Unless the majority of hacks are being hidden, which is possible, I don’t see these digital thieves needing advanced weaponry when exploiting web-based applications, weak password practices and unpatched vulnerabilities. These hacks make me believe part of the problem today comes from companies trying to do more with less, not an endless arms race by hackers.
I do not mean to discount Stuxnet, the sophisticated worm presumably linked with government sponsorship, but the vast majority of the population does not need to worry about such a risk of attack. Bruce Schneier suggested that Stuxnet took eight to ten individuals working for months to develop an exploit that took advantage of a zero-day weakness. For a hacker to create such a complicated espionage or sabotage tool would require an advanced understanding of automated manufacturing system components just for development, not taking into consideration the time or expense of deploying the exploit. These types of attacks are very relevant for some organizations and governments but do not need to be feared by all equally.
There have been advanced persistent threats against major industry and government entities for some time, but I can’t remember reading about one since Google and RSA, and the evidence points to those not being performed by the average hacker.
No Motivations to Defend?
Second, to say that the defenders of security at an organization are not as motivated is a ridiculous statement. Companies that have sensitive data, from credit card numbers to intellectual property, are motivated to keep this data secure for reasons ranging from brand damage to legal liability. Security is not only about motivation, although it doesn’t hurt; security is about defending your assets based on risk and implementing sound operations in prevention, development and incident management. Depending on an attacker’s persistence and the sponsorship behind the hack, anyone can eventually become a victim; after all, we are humans and not robots.
Many professionals in the security industry will say that it is not a question of if but when you will be breached. People hear this phrase and automatically believe it is true for their business or organization. There will probably never be the same level of excitement in the media for stopping an attack, as most incidents are not even reported or known outside a select group. Combining low public attention with false negative rhetoric will put a road block in front of you before the fight has even started.
Even with obstacles in the way, companies are seeking to protect their data and brand more today than ten years ago. I feel that there is plenty of motivation for most businesses to address security before the US politicians start adding to the conversation, or maybe it is already too late.
Answer to Security
Many people want to turn security into a cowboy shooting a “rusty revolver”, but this only sensationalizes security rather than building on fundamentals and efficient operations to protect assets. The majority of security consultants I know are not cowboys but nerds, and those plug n’ prey devices that block all danger do not and will not exist. Security doesn’t have to be rocket science in every case, and sometimes thinking simply, with common sense, will save you or an organization from being breached.
New risks and threats will always be in the future of technology, because we build faster than we can secure; just think how long we would have had to wait for smartphones in the workplace if security had been priority number one. I tell folks to break security down into the basic building blocks of technology and to address security in operations through risk assessment, standard processes, relevant education and automation where appropriate. I am truly amazed to see companies that span multiple continents but do not have a chief security officer, as was the case when Sony was compromised.
There are many companies, some not so reputable, that are making a statement and living through publicly facing technology without being taken down or compromised by the Internet pirates. Alongside those companies there are security professionals who strive to mitigate risk and know that security is ever changing, with no single magic box that is going to protect every aspect of security in a complex international business world. I am certain that there are many qualified Neohapsis security consultants who would be glad to talk with you about security, risk and helping you take secure ownership of technology.
Two Tasks to Help
IT operations and management need to understand the risk to business technologies from varying threats, which will differ by industry sector and overall footprint. Gaining a perspective of an environment through a quantitative risk assessment allows an entity to be proactive, defend strategically and respond swiftly should an incident arise. I believe that security must come from a top-down model with full support for security in environment, tools, accountability and education.
A key part of IT security needs to be a strong patch and vulnerability management process that covers the full business model of applications and infrastructure systems. A successful patch and vulnerability management process should become a routine operational activity that is performed with little to no downtime; this is achievable, I kid you not. There has been a great focus on secure software methodologies over the last few years, with Microsoft’s Security Development Lifecycle and the Building Security In Maturity Model constantly evolving with the culture of attacks to better protect applications from SQL injection and cross-site scripting exploits, to name a couple.
There are a few other factors that go into security besides a good patch and vulnerability management process and an annual risk assessment. If you seek more understanding of security for your business, then reach out to our excellent Neohapsis knowledge base of security professionals.