Archive for February, 2011

Change we can believe in?

February 22nd, 2011 9 comments

Post-RSA, I’ve seen a lot of commentary about how people were disappointed that the conference didn’t reveal more “change” on the part of the security industry. The reasons for this vary – too many Guido-esque sales douches, booth babes with pink hair (!?), the NSA using booth babes (spelled: desperate), overuse of the words “cloud” and “GRC” and “cyber” and….well, the list goes on. All of these are valid observations. And hearing all this noise has brought me back around to a thought I’ve had in the last few months about the nature of the “security community” in general.

I think some people in this industry have forgotten that first and foremost, it’s a JOB. That’s right, as in profession, earning a paycheck, whatever you want to call it. For whatever reason, a good number of people seem to have elevated information security beyond this (in their minds) to a CALLING. Let me be the one to call bullshit. Please. There is absolutely nothing wrong with having passion about what you do for a living. I fall into this camp – I genuinely love security, for the technical challenges, the people challenges, the unwashed (literally, too often) masses at the conferences, and the social camaraderie in many cases, too. But too many are constantly expressing outrage at how we’re not changing. Changing what, exactly?

Should there be more of a focus on application security vs network security? Probably. A good post to get you thinking about this (loosely, granted) can be found on Gunnar Peterson’s blog. Within our industry, that’s something we can rail about. And we do. But this serves as a perfect example of two fundamental truths that seem to be absent in most of the “we need change” conversations. Here they are, with my thoughts:

  1. Security (especially at RSA) is a business. We have been talking for the last few years about “integrating with the business” in our organizations. I don’t care what business you’re in, the first rule of business is making money. And that’s exactly what the vendors are trying to do – make money. So they don’t really give a shit about what the echo chamber thinks – they use “cloud” and “GRC” and all the other buzzwords because they work. People buy stuff. Are they buying the *wrong* stuff? As a corollary, are we trying to solve the *wrong* problems (e.g. network vs. app security)? Maybe. But the vendors will go where the money is, and they’ll market their way to profits. If it upsets you, then you’re not really in line with “business” at all. Sorry.
  2. We, as an industry, have absolutely zero control over what our adversaries do. That means that our innovation cycles will always lag behind the threats and attacks, and that is something we need to adjust to. I know, I know, we all pay lip service to this, but the reality is this – the criminals are BANKING right now. So their motivation is really a lot higher than ours in many ways – they want to make huge money, and they don’t want to get caught. We, on the other hand, are trying to prevent data loss/theft and “protect” ourselves and our organizations. It’s a noble effort, true, but it will never have the same urgency as someone trying to illegally make millions of dollars quickly.

So what kind of “change” will get us ahead of the threats? That’s really the point of #2 – how do we “change” to get there? I’m not a pessimist by nature, but right now I think this is the wrong thing to be focusing on. I think the RIGHT changes to make are absolutely mental in nature, as Mike Rothman so aptly tweeted to me. Two things we can do:

  1. Focus on doing the best JOB we can. Get off the “holy crusade” tip and go out and secure something. I’ve railed about this for a long time, but we’re all too fascinated by “breakers” vs. “builders”, or at least “defenders”. If 99% of the security “community” spent their time fanatically focused on hardening their OS and apps, tuning IDS and other systems (behavioral and otherwise), implementing application whitelisting alongside (or instead of) AV rather than relying on AV alone, etc., INSTEAD of worshipping the pen testers and exploit finders, we’d be better off. Let those folks do their thing. But the most good most people can do is by focusing on being the best defenders they can be. This is the mental change we need – do most lawyers, doctors, accountants, engineers, etc. treat their jobs as a self-righteous soapbox all the time? No. And many of them are GREAT at their jobs. Less soapbox, more lockdown.
  2. At B-Sides SFO, a few of us were having a conversation about how we could really make a difference to the realm of security. And Josh Corman suggested going outside our own “community” to talk to developers and others. This is probably the best idea out there – they call it the “echo chamber” for a reason: we all talk to EACH OTHER about the problems. We need to go to the developer conferences and local group meetings, the VMware meetings, the SysAdmin meetings, etc. What about teaching everyone at a retirement community about using Facebook “safely”? Teaching elementary school kids about online safety? You get the point – we need to expand our reach. Go evangelize! Just do it to a group that isn’t security people.

This is likely not the only type of “change” we need. I’m certainly no prophet, and I rant in the echo chamber, too. And I do pen tests, etc., as well. But it seems like all this disgust at a lack of “change” could be easily remedied by some outbound efforts into other areas, not directed at security vendors and each other.


Categories: Information Security, Rants

Revisiting “Security Biodiversity”

February 7th, 2011 Comments off

In the second half of 2003, Dan Geer, Becky Bace, Bruce Schneier, and several other well-known security personalities co-authored a paper entitled “CyberInsecurity: The Cost of Monopoly”. Back in those days, the most pressing issues related to infosec were primarily fast-moving automated or semi-automated worms and other malware variants, a deluge of spam, and the rapid onset of a nasty feeling that we were in way over our heads. If you worked in infosec at a mid- to large-sized organization at the time, chances are you felt pretty damn overwhelmed at one point or another, if not daily. Dan Geer got fired from @stake for the position he espoused in this paper – namely, that Microsoft was working to “lock people in” to the use of their platform, which created a huge single point of failure whenever a bug was found and exploited. At the time, it was estimated that 94% of people using computers were using MS Windows, and examples abound of how devastating that could be, as Nimda, Code Red I/II, SQL Slammer, and numerous other worms hacked and slashed their way through these exposed, unpatched systems at an alarming rate. The Economist published another good analysis of the paper, the situation it caused, and that infosec moment-in-time in general.

Along the way, one of the terms used to describe the situation as Geer, et al. assessed it was “biodiversity” – namely, that our systems infrastructure was lacking in it. The analogy is simple – if all biological entities in a culture are largely homogeneous (similar), then they are all likely susceptible to the same plague or other devastating illness, which could wipe them out. Interconnected networks of systems with the same degree of homogeneity could have the same problem, and this was borne out when the worm onslaughts came about. Fast forward to 2011 – where do we stand now?

The problem really hasn’t gone away. More folks are running Linux, Mac OS X, and other platforms, sure, but MS still has a healthy grip on the OS market. What we’ve gotten better at is the surrounding security – examples include better network access controls and segmentation, intrusion detection, and perhaps a smattering of patch and configuration management tools and processes. I am oversimplifying this in a big way (and MS started taking security more seriously, as well, which helps), but the original problem is still there, just masked a bit. Since I do a lot of work in virtualization and a bit in cloud computing, I started thinking about the underlying hypervisor components and layers of the infrastructure “stack” that could potentially lead to the same problem now and down the road.

Virtualization as a standalone technology, or as the basis for multi-tenant environments, whether public or private/semi-private (“cloud”, FWIW), emphasizes isolation and segmentation. Virtual network components can be kept distinct from others, additional controls and tools can be implemented to restrict traffic and interaction based on application behavior or other attributes, and virtual machines themselves can be limited in terms of interaction with the underlying hypervisor itself. However, a prevailing theme of network environments is one that echoes biological entities and their cultures – things like to be connected. People need other people and interaction, as do most sophisticated animals, and this seems to be the case in networks, as well. With cloud computing environments, the real hooks are the APIs that allow applications to be developed and run within those environments. On the back end, there’s a VERY good chance that these environments will be running on VMware, Xen, or Hyper-V (perhaps modified in some ways). Does this potentially create the same problem we had before? Does the exposure of those APIs leave the underlying hypervisor platforms exposed, and if so, will attackers start targeting these three vendors even more so than before? If the goal is to allow more connectivity, it seems to be a safe assumption.

Categories: Information Security