Tuesday, September 11, 2007

What I learned... Part 1

The lights are out, the vendors are gone, the guest speakers and panels are silent... the conference is over. Now it's time to share what I've learned in the hopes that it will benefit you, my readers, and make us all better people.

So without further ado, here's the first and most important thing I've learned - We're going about this security issue all wrong! Before you hit the comment button to tell me just how wrong I am, keep reading.

In the last 2 days I heard some amazing stories about how people have gotten bigger budgets, patched faster, tested better, and secured more. What I absolutely did not hear is how much risk was avoided, mitigated or eliminated. None. Process that.

What I can honestly say is that we as security professionals solve problems as we see them. Remember the old addage, if you're holding a hammer, everything looks like a nail? This is so true in IT Security. We're approaching everything with our IT backgrounds, with our security hats on. Things are black and white, right or wrong, we either have a good practice or we don't. There is no gray area. Wrong.

If it's one thing that I think should have been driven home more than it was, it's that security is not black and white. It's all gray. It's not a matter of solving a problem. You're never going to "secure the end-user" or "secure a server"... unless you've cut the power and all other cords and encased it in concrete, then wiped the disks and all IP is eradicated. What we as security professionals should be striving to do, in order to function as an extension of the business, is lower/mitigate risk. If you've heard this already, and I'm preaching to the choir you can stop reading. If this is a new idea to you and the first time you're hearing it it's time to wake up. The last time we as security pros "solved" a problem was... well... when was it? Let me take a few examples and discuss the "measures we have taken" and how they have absolutely not solved the problem.

First up are viruses, on everyone's list since the early 90's.
  • The problem: viruses are constantly out there to destroy productivity and destroy the machine, steal data, or other malicious activity
  • Our solution: Anti-virus software on all laptops, desktops, servers
  • Why we failed: Quite honestly, viruses still exist, they still infect machines. Yes it's true they aren't as nasty as they were since we've put virus detection and remediation software in place, but viruses have only morphed into different forms, and continue to attack our systems. We haven't "eliminated the virus threat".
  • The risk-based approach/view: Due to the introduction of virus mitigation systems software on our systems, viruses are a controllable threat which is now for the most part effectively minimized as a threat. The key is that the threat is minimized and not eliminated.
Based on this example we should be able to apply the same principle to any number of business-problems. Try not to be holding a hammer. Let me take another example, and walk us through a risk-based approach, with a real-world example.

Let's make up a country, call it Elbonia (from Dilbert land). Elbonia has a population which has not yet been exposed to credit cards and credit like we have been in the US and is thus an emerging market for credit products. Elbonia has a store chain, called Elbonia-Mart which sells everything from watermelons to widgets, and wants to partner with a vendor to come in and offer credit so that Elbonia-Mart's users can afford to purchase some of the bigger-ticket items on credit such as televisions. Keep in mind these facts: Elbonia has no credit reporting agencies, no good way to track users identities like the US Social Security System (although that is arguably flawed), and Elbonia is ultra-low-cost when it comes to implementing solutions. You are now faced with a problem. Credit card applications are being processed on a computer which is set up on a 56k DSL VPN to the corporate DMZ for credit decisioning online, the terminal then prints out the application and "temporary shopping pass" when a user is approved for credit. The problem is, these terminals are not up-to-date on personal firewall, virus protection, or patches so they are out of compliance with the corporate standard the vendor (your employer) has set out. What do you do, what problem do you solve and how?

If you're like a very large percentage of people in our industry - you immediately start to solve the issue of patches, personal firewall and anti-virus updates to these low-bandwidth relatively insecure PCs. You fail to do a proper risk assessment and your efforts fail. I'll explain why even if you do manage to get these machines "secured" to corporate standards without over-spending you've failed.

Re-read the section above where I discussed the parameters of Elbonia. There is no credit agency, there are no national identities. While the first thing we think of is to protect the terminal against identity theft and data theft think again. Why would I, as an organized criminal, attack the terminal to steal someone's identity? I can just as easily make one up! Furthermore, why not just walk by and pick up the stack of printed applications (paper is our enemy) which are there when the sales guy is distracted? These two methods will immediately circumvent whatever digital security measures you've put in place, if you went that way. A proper risk assessment would have told you that (a) identity theft is not a problem, and therefore not something to deal with in the immediate future, and (b) paper should be eliminated quickly too! After doing a proper risk assessment, you would may very well have simply decided to take the relatively simple step to either eliminate or secure the paper copies, and call the project done and monitor further for other signs of malicious activity. You've just saved your business money - and what's better, you've proven to your business people that you understand what the real threat is.

In a nutshell, this is the most important take-away from this conference. We're solving problems without fully understanding the situations, without fully analyzing the situation from all sides, and in an "IT vacuum"... that is, without talking or understanding the business model and drivers behind these issues.

The lesson? Known the risks. Understand the full threat. Talk to your business and understand that security is not black and white... it's [your] gray matter that makes it work.

1 comment:

Alex said...

Very, very refreshing. It's always very nice to read about that "get-it" moment when security folks start to understand risk.