Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Derek Schatz

Are We Less Secure Now Than Before?

The information security professional faces a curious dichotomy in this field. Ask a roomful of security pros and many will tell you that a main reason they enjoy it is that there is always something new happening. But that is often just a euphemism: "new" often means a growing threat against which the enterprise is not well equipped to defend. We like to feel that we're making headway in our security efforts (and getting rewarded for it), but sometimes the growing threats wipe out the progress we've made. I've been in infosec for a good twelve years now and can't remember being this pessimistic about things. This gloomy mindset of mine has a number of current drivers:

Spam tsunami: The spam problem has not gotten better, despite the efforts of a lot of really smart people and a lot of money thrown at it. Spam continues to grow as a percentage of total email, and money continues to be made by generating it (really, who actually buys ED medication through an email solicitation? Someone is…). Now, if spam were still relatively benign like it used to be, it would simply be a (major) nuisance. But it has become a deadly attack tool: the unholy alliance between spammers, malware writers, and organized crime has produced spam that can take down your enterprise or hijack your data.

Really nasty malware: I think malware writers are getting better at their craft faster than anti-virus vendors are getting better at theirs. Why? Lots of money, and the ability to work beyond the reach of law enforcement using tools that virtually guarantee untraceability. For example, note the increase in worms and trojans that actively target your anti-virus software and attempt to disable it. Also note the increase in rootkits that current tools cannot detect or remove. When even Microsoft admits that wiping your operating system and reinstalling from scratch is the only solution, it's time to worry. Educating users on safe surfing habits only gets you so far when even legitimate websites may be compromised via the latest zero-day web application vulnerability.

Vulnerable web applications: The range of tools available to the web application programmer has never been greater, yet application and web services security expertise has not kept pace. Companies continue to ignore software engineering best practices and don't spend enough money training their developers. The result is an ongoing bumper crop of vulnerable sites that quickly get compromised and may then start infecting their visitors. Add the vulnerabilities that continue to be found in the tools and system software themselves, and the attack surface has never been greater.

Increased sophistication of adversaries: Internet threats continue to get more dangerous as adversaries around the world become ever better funded and skilled. The danger jumped sharply a few years ago when organized crime saw there was money to be made and began backing malware development to extend its traditional rackets of extortion and theft. Why extort locally when you can do it from five thousand miles away with little risk of apprehension? And there is much intelligence indicating that even nation-states are funding activities such as industrial espionage in an attempt to boost their domestic industries and defense programs.

Endpoint security weaknesses: I am still not convinced that anyone has figured out how to solve the endpoint security problem reliably and consistently. So your network continues to be at risk from PCs that picked up something nasty on their last visit to the coffee shop WLAN and then readily share it with their fellow users once they reconnect.

Commercial operating system security: I once thought that you could eventually reach a relative sort of security nirvana with a COTS OS by patching diligently, locking down the configuration, and being careful where you surfed. Now, in the face of the threats listed above, I'm convinced that COTS OSes (Mac OS, Windows, Linux) cannot be made secure while still preserving usability for the average user. None is measurably better than any other; they differ only in how many security researchers are paying attention to them. Sure, there are some really secure operating systems out there, such as OpenBSD and Trusted Solaris, but they will break most commercial applications and are not well suited to desktop use. So the typical enterprise with typical users will continue to fight the never-ending cycle of patching as new flaws keep being found in its installed base of PCs. This is a battle we lose a little more each month.

So what to do in the face of all this gloom? I must admit I'm still trying to figure it out, but I can at least say that the need to implement and rigorously adhere to infosec best practices in your enterprise has never been greater. Focus less on buying the latest gee-whiz point solutions and more on uncovering the real threat trends in your organization and developing the right processes to deal with them.

3 Comments

  1. Scott Hicks Mar 18, 2008 at 2:10 pm

    I think this is a great post; anything that raises awareness out there of the dangers on the internet, and the fact that they are only getting bigger, is valuable in my opinion.

    That being said, I do think more credit should be given with regards to spam and spoofing preventative measures that different companies have been developing. DKIM and Sender IP, to name a couple, are helping to increase the effectiveness of spam filters. Companies that focus on authentication measures, basically the BBB or Verisign of email, are helping to build trusted white lists of corporate contacts.

    From a technical standpoint, efforts are being made, and companies are taking more responsibility on their side to protect and authenticate communications between themselves and their consumers.

    It is the individuals that value convenience over security that are the prime targets at the moment, and until they are willing to take those extra few seconds to really look at what is in their inbox, then no technology solution is going to be a panacea to the spam problem.

    Just my humble thoughts.

  2. Martin Mar 27, 2008 at 9:35 am

    Security will never get perfect. Maybe security will never even be better and we have to fight to just keep it at the same level.

    Maybe you have cherry-picked one of the weakest links in our current ICT world so it looks like we are getting worse in "all" aspects. One could cherry-pick the things we are getting (almost) right and prove otherwise?

    The spam thing… the network is definitely getting more and more of it… but how many of them reach the destination mailboxes? More of it or less? Personally, I'm getting less spam than I was some 3-5 years ago… So, is the problem worse or is it better?

    I have been in IT sec for 8 years and I must admit that I don't feel safer today than I did years ago (so I may agree with the original column after all). The question is whether it isn't just the POV of a security specialist – you are getting better, your world is getting bigger, you are naturally interested in "bad" things and so you are seeing more of them!

  3. Derek Apr 3, 2008 at 12:53 pm

    @Martin:
    Of course, the fundamental problem in security (indeed, in the military and counter-terrorism realms even more so) is that an attacker need only be successful once, while we the defenders need to be successful ALL THE TIME. My point is that the threats are getting really nasty, so even if your defenses are 99.99% effective, the stuff that does get through can be devastating. Take spam, for example. Five years ago, spam was fairly benign. Annoying by its volume, but still benign. Now, phishing and malware threats are being carried in spam messages, so a user opening just one message by accident can cause a rootkit infection, and perhaps even a broader network outbreak.

One Trackback

  1. […] Derek Schatz says it best: it may be possible to think about a relative security nirvana by patching your Operating System diligently, locking down the configuration and being careful with where you surf and what you trust on the Internet. For the average user, it is hard to make an OS secure while at the same time preserving usability; it doesn't matter whether the Operating System is Windows or Linux or Mac OS. None is measurably better than the other and they only differ in how many security researchers/malicious hackers are paying attention to it. Sure, there are some really secure Operating Systems such as OpenBSD or Trusted Solaris, but how many of your applications would run on them, those required for desktop usage? […]
