Posted by: kenwbudd | February 3, 2009

Dirty Laundry – leaking Security

Oh what a tangled web….
Your security providers cannot, and will not, tell you the whole truth about their security business because security is a state of mind. An illusion based on perception and relativity.

We accept the need for security service providers to specialise in the protection of our functioning environments and see their task as preventing or reducing unacceptable risk. You would be very naive to think they do this for altruistic reasons. The goal of the security market is to make money and they are doing very well, thank you.

As with all profit focused companies; 1) Security companies specialise in niche markets and have varying degrees of success in these markets 2) There are universal weaknesses in the structure that are not being addressed because;

  • the technology or algorithms are not sophisticated enough, yet
  • the market won’t pay the price in restricted access, additional filters /controls that slow throughput and diminish transfer speeds
  • they are chasing a shape-changing, highly motivated and relentless attacker, some of which are government sponsored
  • Others

Here are some secrets of the security industry and practical ways to command honesty from your trusted security providers.

  • Antivirus certification omissions – One of the biggest secrets in the industry is that, while antivirus tools detect replicating malicious code like worms, they do not identify malcode e.g. nonreplicating Trojans. Although Trojans have been around since the beginning of malicious code, there is no accountability in antivirus certification tests. Today Trojans and other forms on nonreplicating malcode constitute 80% or more of the threats businesses are likely to face. Antivirus accountability metrics are simply no longer reflective of the true state of threat.
  • There is no perimeter – If you want to fight on the perimeter then you need to define where and what the perimeter is. Is the endpoint the perimeter i.e. is the user the perimeter? Is it not more likely that the business process is the perimeter, and the information itself forms part of the perimeter too. It is unlikely that you design your security controls with no base assumption on establishing a perimeter. The mistaken assumption we tend to make is that we have established controls at the perimeter and are therefore secure. Unfortunately for many types of threats, we could be very wrong.
  • Risk management applies – Risk management threatens vendors. Risk management really helps an organization understand its business and its highest level of risk. However, your priorities don’t always map to what the vendors are selling. Vendors focus on niche markets and individual issues so you will continue to buy their individual niche products. If you don’t have a clear picture of your risk profile and priorities, vendors are obliged to set them for you. Trusted security partners will provide options for assessing your risk posture and help you develop plans to make the most security impact for the least cost and complexity. Security needs to conform to and support your business priorities. Too often, vendors want your business to conform to their product portfolio.
  • Vulnerable People are more of a risk than weak software. – There are 3 areas to be considered where security is vulnerable; 1) software 2) weak configuration and 3) people. The lion’s share of the security market is focused on the so-called software vulnerabilities but not so much on the other 2 areas. The people factor is the largest uncovered area of risk. This is malicious code that doesn’t leverage a vulnerability but rather leverages the vulnerable person. e.g. downloading a dancing skeleton for ‘a spooky good time’ (this was a trick employed by Storm), social engineering, spear phishing, etc. While we still need to find software vulnerabilities and patch them, we must understand that an organization is only as strong as its weakest link (the user). And more attention needs to be paid in mitigating the other two ways beyond software.
  • Can Compliance threaten security – Compliance in and of itself is a good thing but it does not equal security. At the very least it’s a resource and budget conflict and it can split our focus. Compliance is there to raise and maintain the minimum standard of security, but in its weakest form, it only maintains the minimum requirements.
  • What is easy to measure is not always the most valuable – If you have 15 software vulnerabilities last month and record that 12 of them have been patched, is this a true reflection of your effectiveness. It is much harder to measure how effective end user training was to make administrators immune to social engineering attacks. You need to be compliant, but don’t allow your entire risk strategy to sit back and relax, based on it.
  • Vendor blind spots allowed for Storm – Storm is being copied and improved. The Storm era of botnets is alive and well, nearly two years from when it first appeared. How is this possible? 1. Botnets thrive in the consumer world where there is little money for innovation. Storm and its controllers know and survive on this. They are making money out of everything from spam to pump-and-dump stock scams. 2. They seem to be able to eat antivirus techniques for breakfast. A lot of the techniques and innovations used by Storm are not new; they are just being leveraged artfully against the blind spots of antivirus certifications and antivirus vendors. 3. Malcode does not need vulnerabilities. Most of the Storm recruitment drives have leveraged social engineering and play off of a holiday or sporting event. Go team!
  • Product v Process – Security protection has established itself as a huge professional business. “Technology without strategy is chaos”. The security market is too focused on the latest red hot top box or super scorching technology. The shear volume of security products and the rate of change has super-saturated most organisations and exceeded their ability to keep up. Organizations realize only a fraction of the capabilities of their existing investments. Furthermore, the cost of the product is often a fraction of the cost of ownership. There was a time when you could “do it yourself.” But the simple days of Virus meets Antivirus are long gone. Highly effective organisations are embracing professional and managed security services to extend and augment their in-house expertise. By focusing your in-house expertise on what you know best i.e. your business, the scale comes from teaming with third-party expertise. This will be increasingly necessary in these tough economic times.

The primary goals for executives is to squeeze cost, whilst maximising profit and reducing complexity. Today we are seeing a massive convergence in the security market. In a guard-dog eats guard-dog world there are soon only going to be a few big dogs left and a bunch of smaller mutts. Will the consolidation dogfight lead to better efficiency or will it lead to a vendor lock-in?

As company leaders and executives continue to squeeze and simplify, they will face many choices. Simply following the reduction of vendors by consolidation, may fail to meet their needs and balance their fragile cargo; cost, complexity and risk. Do vendors have a responsibility in this equation? Will they rise to the challenge? True risk management can show how and where you can adjust and prune appropriate solutions,

The key is using risk management methodology to drive responsible simplification of business processes and to take control of the future.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


%d bloggers like this: