
Awesome Security: Precision Counts - Why Being Vague is the Enemy of Security

Specifics are Critical to Understanding the Threat, Responding to It, and Assessing The Impact...

Some people have “swear jars” in their house. Cuss and you pay a quarter, which is the same price per profanity that it was back in the 70s, when I was growing up. It went up to a buck when the economy was good, but with austerity and the fiscal cliff, it seemed unfair to not adjust the swear penalty to keep pace with the market index.

Today I have an “awesome” jar. Everything nowadays is awesome: I just heard an awesome song on Pandora; awesome Christmas lights on your house, dude; it’s so awesome that your test came back negative. Argh. I cringe whenever the word squirts through my lips inadvertently, like a bar of soap through my hands. A hair-covered bar of soap.

Awesome is a fine word when used appropriately and sparingly. However, it’s become the de rigueur response to just about everything, rendering it practically meaningless--it’s a generic positive affirmation--and conveys a sense of vapidity on the utterer.

But it also says something about us as a culture. We often succumb to groupthink and adopt banal memes, whether verbally or conceptually--or both. An example from the security industry is cloud computing.

Survey after survey finds that one of the major roadblocks to widespread adoption is concern about security. And yet we talk “cloud” without defining whether it’s private or public, and whether it takes the form of IaaS, PaaS, or SaaS. I’m betting many organizations that claim they’re delaying adoption because of security concerns are already using “cloud” in one form or another, whether it be Salesforce.com or virtualization of internal assets. The only real way to determine the risks of adopting virtualized services is to define exactly what we mean when we’re discussing a specific opportunity and its associated risks. Hosted email? Transferring hard assets to virtual servers hosted by an external provider? Are you planning on being the customer or the provider, creating virtual hosting for inter-agency or inter-departmental use? What data are you planning on migrating to the new environment, who owns it, who uses it, and what’s its sensitivity?

Inexact words and concepts cripple our effectiveness in social pursuits. Lawyers are drilled in the (often excruciatingly) precise use of language. Legislators, many of whom are lawyers, create laws, which codify human rights. Security is concerned with the protection of those rights, such as the right to own property and protect it from theft. In some cases we may even be involved in the enforcement of laws.

As a consequence, it’s incumbent on us as security professionals to apply rigor in our definitions of problems, the impact of threats, the defensive countermeasures: every facet of our duties. Referring to “The Cloud”, “APTs”, “Defense in Depth”, “Big Data”, or “BYOD” hampers our ability to clearly articulate the exact properties and application of the concepts.

If cloud computing suffers for lack of tangibility, APT strings together three words with definite meanings, and was coined to accurately capture the nature of the threat. Just as awesome has a clear and precise meaning, so does APT; both have become ambiguous with overuse and metastasized into catchalls. APT is often used when in fact the attack was neither advanced nor persistent, as in the case of many SQL injection compromises. Worse, APT has taken on an informal meaning that the attack is so sophisticated that it cannot be stopped by mere mortals. As my colleague at the Institute for Advanced Security, Peter Allor, points out, APT is starting to take the form of an excuse for defenders.

Even taken at its original meaning, APT only broadly defines a category of attacks and provides no specifics. When faced with claims of an advanced persistent threat, the appropriate response is to ask for details. Does the claimant mean spear phishing to get the subject to click on a malware-infected Acrobat file? A six-month compromise that started with a SQL injection attack, progressed through cracking passwords and gaining access to the subject’s email, and eventually social engineering an administrator into opening access for the attacker? Or maybe Trojaning third-party software known to be used by the eventual target?

Specifics are critical to understanding the threat, responding to it, and assessing impact.

BYOD presents another challenge to comprehension. The term is well understood: employees’ use of their own computing devices to conduct business; however, we don’t fully define what the security risks are, just that they are myriad and grave. We talk about employee-owned devices as being a wide-open conduit into organizational resources, bypassing the firewalled perimeter like so many marauders with tiny ladders and shovels. We fret over millions of records of sensitive data -- PII, ePHI, IP -- being siphoned off smartphones that have been infected by the newest mobile Trojan. We concoct as-yet fictional malware which can leap from Android to iOS to Windows and sniff out sensitive data like an anteater on Ritalin. Yet the largest organizational footprint on most mobile devices is corporate email, a risk that’s not new and is well understood. I had email on my black-and-white Treo, protected by Good Technology, ten years ago. While MDM, remote wipe, and mobile device virtualization to separate personal from business data are important and useful, they’re broad security measures that don’t address specific risks. (By which I don’t mean the follow-the-threat approach of taking off your shoes to board an airplane, but rather a follow-the-data strategy.) Until we define those risks, I’m inclined to view them as primarily targeting the individual, which is where the greatest opportunity is for criminals and hacktivists, rather than the enterprise.

Security is both a feeling and a reality, as Bruce Schneier points out. We tend to underestimate risks in situations we control, but inflate risks in situations in which we have little or no control, so it’s no wonder “Cloud”, “APT”, and “BYOD” scare us. You can’t control what you can’t define. The thing is, when you break down many of those terms into specific technologies, processes, and/or threats, we can assimilate them into our existing base of understanding, make rational decisions, and craft sound security strategies.

The expression goes, “perfect is the enemy of good”; I submit that vague is the enemy of security.

Chris Poulin brings a balance of management experience and technical skills encompassing his 25 years in IT, information security, and software development to his role as Chief Security Officer at Q1 Labs. Prior to joining Q1 Labs in July 2009, Poulin spent eight years in the U.S. Air Force managing global intelligence networks and developing software. He left the Department of Defense to leverage his leadership and technical skills to found and build FireTower, Inc., an information security consulting practice.