The information security professional faces a curious dichotomy in this field. Ask a bunch of security pros and many will tell you that a main reason they enjoy it is that there is always something new happening. But that is usually a euphemism: “new” more often than not means a growing threat against which the enterprise is not well equipped to defend. We like to feel that we are making headway in our security efforts (and getting rewarded for it), but sometimes the growing threats wipe out the progress we have made. I’ve been in infosec for a good twelve years now, and can’t remember being this pessimistic about things. This gloomy mindset of mine has a number of current drivers:
Spam tsunami: The spam problem has not gotten better, despite the efforts of lots of really smart people and lots of money thrown at it. Spam continues to grow as a percentage of total email, and money continues to be made by generating it (really, who actually buys ED medication through an email solicitation? Someone is…). If spam were still relatively benign, as it used to be, it would simply be a (major) nuisance. But it has become a deadly attack tool: the unholy alliance between spammers, malware writers, and organized crime has produced spam that can take down your enterprise or hijack your data.
Really nasty malware: I think malware writers are getting better at their craft faster than anti-virus vendors are getting better at theirs. Why? Lots of money, and the ability to work beyond the reach of law enforcement using tools that virtually guarantee untraceability. For example, note the increase in worms and trojans that actively target your anti-virus software and attempt to disable it. Also note the increase in rootkits that standard tools cannot detect or remove. When even Microsoft admits that wiping the operating system and starting from scratch is the only reliable remedy, it’s time to worry. Educating users on safe surfing habits only gets you so far when even legitimate websites may be compromised via the latest zero-day web application vulnerability and used to serve malware to their visitors.
Vulnerable web applications: The range of tools available to the web application programmer has never been greater, yet application and web services security expertise has not kept pace. Companies continue to ignore software engineering best practices and don’t spend enough money on training for their developers. This results in an ongoing bumper crop of vulnerable sites that quickly get compromised and potentially start infecting site visitors. Add to this the vulnerabilities that continue to be found in the tools and system software themselves, and the attack surface has never been greater.
Increased sophistication of adversaries: Internet threats continue to get more dangerous as adversaries around the world become ever better funded and skilled. The danger took a sharp jump a few years ago when organized crime saw there was money to be made and started backing malware development to enable its traditional rackets of extortion and theft. Why extort locally when you can do it from five thousand miles away with little risk of apprehension? And there is plenty of intelligence indicating that even nation-states are funding activities such as industrial espionage in an attempt to boost their domestic industries and defense programs.
Endpoint security weaknesses: I still am not convinced that anyone has figured out how to solve the endpoint security problem reliably and consistently. Therefore your network continues to be at risk from PCs that picked up something nasty on their last visit to the coffee shop WLAN and then readily share it with fellow users once they are back on the corporate network.
Commercial operating system security: Once I thought that you could eventually achieve a relative sort of security nirvana with a COTS OS by patching diligently, locking down the configuration, and being careful where you surfed. Now, in the face of the sorts of threats I listed above, I’m convinced that COTS OSes are impossible to make secure while still preserving usability for the average user, whether Mac OS, Windows, or Linux. None is measurably better than any other; they differ only in how many security researchers are paying attention to each. Sure, there are some really secure operating systems out there, like OpenBSD and Trusted Solaris, but they will break most commercial applications and are not well suited to desktop use. So the typical enterprise with typical users will continue to fight the never-ending cycle of patching as new flaws are found in its installed base of PCs. This is a battle that we lose a little more each month.
So what to do in the face of all this gloom? I must admit I’m still trying to figure it out, but can at least say that the need to implement and rigorously adhere to infosec best practices in your enterprise has never been greater. Focus less on buying the latest gee-whiz point solutions and more on uncovering the real threat trends in your organization and developing the right processes to deal with them.