- BlogInfoSec.com - https://www.bloginfosec.com -

InfoSec is Ritualistic, Not Innovative … It’s a SIN!

The 6th Annual IT Security Entrepreneurs’ Forum (ITSEF 2012) took place at Stanford University on March 21, 2012. It was produced by the Security Innovation Network, which is careful to call itself SINET rather than SIN. You can see the conference agenda at www.security-innovation.org/ITSEF_2012-Agenda.htm [1]. While I did not attend the forum, I suspect that it was an interesting get-together, judging from the topics and the credentials of the presenters.

The “big thing” in cyber security today is innovation—game-changing, clean-slate innovation—which, to my mind, is a clear admission that current approaches aren’t hacking it (pun intended). My March 26, 2012 BlogInfoSec column, “Infosec Defenders are ‘Losers’ per RSA,” focused on the reported comments of big-name presenters and attendees at the 2012 RSA Conference. To a person, they admitted that the attackers have the upper hand and that we don’t have the tools or other mechanisms to take back the initiative.

This view was further exemplified in an article in The Wall Street Journal of March 28, 2012 by Devlin Barrett with the title “U.S. Outgunned in Hacker War.” The article is mostly about Shawn Henry, executive assistant director of the FBI, who is leaving the agency for the private sector after more than 20 years of service. He is quoted as saying “You never get ahead, never become secure, never have a reasonable expectation of privacy or security.” If this gloom and doom attitude, accompanied by the even gloomier view of CSIS senior fellow James Lewis, is intended to invoke action to remedy the situation, then I have to say that it doesn’t appear to be working. Some other comments later in the article seem to be somewhat more productive.

Mr. Henry describes a situation that I have long held to be the crux of the problem, namely, that the vast majority of companies don’t even know that their security has been breached until informed by the FBI or others, often months or years after they have been broken into. Mandiant’s CSO, Richard Bejtlich, reportedly testified before a government commission about intrusions traced to Chinese hackers, saying that 94 percent of the companies that his firm had identified as having been hacked were not aware of the fact until they were told by someone else. This is something that I have been saying for years, except that I believe that the numbers are even scarier when one includes insider exploits. My guess is that fewer than one in a thousand breaches are actually discovered, and what greatly contributes to that horrendous record is that companies’ software-intensive systems do not generate, nor do the companies collect from other sources, data about what is actually going on inside them.

As I have mentioned many times before, one approach to reducing this problem of not knowing what is happening within your systems is described in my article “Creating Data from Applications for Detecting Stealth Attacks,” published in CrossTalk (September/October 2011) at http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Axelrod.pdf [2]. A further requirement is to test the functional security of applications much more rigorously, as described in my article “The Need for Functional Security Testing,” in CrossTalk (March/April 2011) at http://www.crosstalkonline.org/storage/issue-archives/2011/201103/201103-axelrod.pdf [3]. Until and unless we make the considerable effort needed to instrument our applications much more completely, test them along as many conceivable paths as feasible, and act quickly on the information that we glean from these efforts, the situation will only worsen, as the pundits warn. There is no silver bullet … only hard work, and a lot of it, will make inroads. So let’s stop hoping, and get moving.
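To make the “create data from applications” idea concrete, here is an added example (not code from this column or from the CrossTalk articles it cites) of an application read path that records every access to sensitive records, allowed or denied, together with a small detector that runs over those self-generated events. The record store, the authorization rule (only the “support” role may read), the threshold of 25 distinct records per five minutes, and the user names are all assumptions chosen for illustration; a real deployment would ship the JSON lines to a central log pipeline rather than keep them in memory.

```python
"""Added example: an application that instruments its own data access, plus a
detector over the events it emits. All names, thresholds and data are assumed."""
import json
import time
from collections import defaultdict
from dataclasses import dataclass, asdict
from typing import List, Optional, Set, Tuple

# Constructed sample data standing in for an application's sensitive-record store.
SENSITIVE_RECORDS = {
    f"cust-{i:04d}": {"name": f"Customer {i}", "acct_last4": f"{i:04d}"}
    for i in range(1, 201)
}


@dataclass
class AccessEvent:
    """One record the application emits about its own behaviour."""
    ts: float          # seconds since epoch
    user: str
    record_id: str
    authorized: bool   # did the application's own check permit the read?


EVENTS: List[AccessEvent] = []   # in-memory sink; a real app would forward these


def read_record(user: str, record_id: str, roles: Set[str], ts: Optional[float] = None):
    """Application read path that records what it did, whether allowed or denied.
    Assumed authorization rule: only the 'support' role may read these records."""
    ts = time.time() if ts is None else ts
    allowed = "support" in roles and record_id in SENSITIVE_RECORDS
    EVENTS.append(AccessEvent(ts, user, record_id, allowed))
    return SENSITIVE_RECORDS[record_id] if allowed else None


def emit_jsonl() -> str:
    """Serialize the events as JSON lines so they can be collected centrally."""
    return "\n".join(json.dumps(asdict(e)) for e in EVENTS)


def detect(events, window_s: float = 300, max_records: int = 25) -> List[Tuple[str, str]]:
    """Flag (a) every denied access and (b) any user who reads more than
    max_records distinct records inside a sliding window of window_s seconds.
    Returns (user, reason) tuples in time order."""
    alerts: List[Tuple[str, str]] = []
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.authorized:
            alerts.append((e.user, f"denied read of {e.record_id}"))
            continue
        hist = per_user[e.user]
        hist.append(e)
        while hist and e.ts - hist[0].ts > window_s:   # drop events outside the window
            hist.pop(0)
        distinct = {h.record_id for h in hist}
        if len(distinct) > max_records:
            alerts.append((e.user, f"{len(distinct)} distinct records in {window_s}s"))
            hist.clear()   # start a fresh count instead of alerting on every later read
    return alerts


def simulate() -> List[Tuple[str, str]]:
    """Constructed scenario: a support agent handling three tickets, an intern
    without the support role trying one record, and a support account pulling
    the whole table in under two minutes (the insider case that leaves no trace
    unless the application records it)."""
    EVENTS.clear()
    t0 = 1_700_000_000.0
    for i, rid in enumerate(["cust-0007", "cust-0042", "cust-0101"]):
        read_record("agent.alice", rid, {"support"}, t0 + i * 60)
    read_record("intern.bob", "cust-0007", {"intern"}, t0 + 90)
    for i, rid in enumerate(list(SENSITIVE_RECORDS)):        # 200 reads in 100 s
        read_record("agent.carol", rid, {"support"}, t0 + i * 0.5)
    return detect(EVENTS)


if __name__ == "__main__":
    for user, reason in simulate():
        print(f"ALERT {user}: {reason}")
```

Nothing in the operating-system or network logs distinguishes Carol’s bulk pull from Alice’s three ticket lookups; only the application knows which records it served to whom, which is exactly the data the column says most companies never generate.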

Towards the end of the Wall Street Journal article, Mr. Henry makes the statement that “the most valuable data should be kept out of the network altogether,” citing a recent case in which more than $1 billion in R&D intellectual property was stolen. Hallelujah! Avoidance (versus protection) is often the best, and the least expensive, means of protecting data, as I and a few others have said many times. Yes, you have the carping of those who enjoy the convenience of remote access and of being able to get at more information than they need to know. So what? If you were to charge them for the access based on the estimated losses that such convenience might cause, I am convinced that they would soon back off. “Sure you can access the company’s crown jewels from your iPad, but it will cost you $10,000,000 per day. Is that OK with you? No? Then I’m sorry, you can’t do it.”