Security isn’t Binary. The Trick is to Find the Breakeven Between Expenditure of Resources and the Point of Diminishing Returns…
The war on drugs, the war on terror, and now the war on hackers. The pundits, which is to say the mouthpieces who get the prime air time, declare that we’re losing all three, their faces pinched to exude the utmost gravitas. The point has been made many times: neither the war on drugs, nor the war on terror are wars; you can’t bomb either out of existence.
I envisioned the words “terror” and “drug” fading to white in my dictionary when Osama bin Laden and Pablo Escobar were assassinated. But that’s fantasy: we’ll never eradicate drugs, nor terrorism, and there’ll always be someone who wants to compromise your systems.
If I have to sit through another presentation on information security that opens with the canned two or three slides peddling fear, uncertainty, and doubt, I’m going to launch myself across the table and unleash my own brand of FUD on the speaker. It’s not the bad guys who are winning, it’s the alarmists.
Despite the claims, we continue to make progress with information security. Overall I’d rate us a B+, with the note, “With a little improvement, Junior is on track for an “A” next semester.”
The evidence is that we’ve forced the adversary to adopt new, more complex techniques to breach our systems. For the most part they’re compelled to take their attacks out of the realm of computers and networks, and hack the human before they can compromise our systems. Social engineering is now a component of all but the most pedestrian attacks.
If you’ll indulge me in using the model of Infrastructure, Applications, Data, and People as the facets of our attack surface, we’ve pretty much covered the first. Firewalls, IPS/IDSes, and endpoint protection are all doing a decent job of keeping the outside-in compromises to a minimum, at least in enterprises (small and medium businesses, as well as home users, are all over the map on security). Scan-and-attack compromises are rare, with the exception of SQL injection, web applications like content management systems (CMSes), and exposed systems with poor security controls, like industrial control systems, web cameras, etc.
The bulk of attacks are now launched against client systems, usually exploiting vulnerabilities in applications installed on workstations. Adobe Acrobat had long been a vector of choice, largely because it’s ubiquitous and reading documents is still considered benign by many non-technical end users. Adobe has stepped up the security of Acrobat by introducing sandboxing into the product, making it much more difficult to compromise—though not impossible, as the purported 0day claims.
Then there’s Microsoft Office malware, a heavier-weight variant of attacks against PDFs, affecting even Macs. A series of flaws in the Java runtime is promoting it to the new favorite tasty target, in part because it’s a cross-platform hole. In fact, the exploit that stirred up the Apple community by infecting an estimated 600,000 Macs, the Flashback malware, worms its way in through Java. And let’s not forget the ever popular fake anti-virus, as well as cross-site scripting (XSS) and its cousin, cross-site request forgery (CSRF).
Ultimately, the data itself is the target, and the infrastructure, applications, and people are a means to get to it. While criminals, competitors, and spies seek to steal, destroy, or hold your data for ransom, attacks like DDoS attempt to deny access to it. Spear phishing with attached or linked malware, poisoning watering holes, and sprinkling USB drives in a parking lot all attack the human vector. There’s no question that people are hardest to control: infrastructure and applications behave predictably for the most part (software bugs and vulnerabilities excepted), whereas people behave in unpredictable ways, sometimes in conflict with their own best interests. Security awareness training is only marginally helpful, and there’s a whole debate on the subject, so let’s not tackle that one for the moment.
Instead, let’s agree that we’ve taken the infrastructure hill. It’s been secured. That’s not to say it won’t be exposed again; attackers evolve their tactics, the same way the enemy will try to recapture ground in kinetic warfare. Let’s plant our flag and move on to the next combat zone: applications.
Report after report finds that SQL injection is still the primary compromise vector after many years. We know how to stop it; why aren’t we getting the job done? There are a couple of well-known lists of steps to take to protect yourself against the biggest threats, the SANS Top 20 Critical Security Controls and Australian Department of Defence Signals Directorate (DSD) Top 35 Mitigation Strategies. They’re intended to be short lists, but also try to cover a lot of ground. In my view they end up more like a rollup of many regulations and compliance guides. That is to say they’re both good roadmaps for security, but sometimes you just need to assemble a task force and clear out a few tactical controls that cover a wide swath of ground. To that end, here’s my hot list of application security controls:
● Find all your publicly facing applications. Scan your external networks. Talk with finance and find out who they pay for hosting services on a recurring basis, including SaaS. Talk with the folks who manage your DNS and use external IP addresses to discover assets you might not know you had. Use Shodan.
● Test those applications. Use automated vulnerability assessment tools; consider using more than one. Penetration test the systems, not just high value ones. Often vulnerabilities in low value targets are used to gain a foothold, perform reconnaissance, and eventually penetrate high value systems. Monitor those systems for suspicious activity.
● Fix vulnerabilities in CMSes. Lack of input validation is one of the most prevalent coding errors.
● For vendor supplied software, exercise your right to audit it, or to require proof of source code auditing by an expert third party. For a large enterprise, this right is probably already written into the contract with the vendor, unless it’s a giant company providing commodity software, like Windows.
● Decide whether you need the application after all. I’ve seen too many carefully designed DMZs evolve into a New England farmhouse, with applications that don’t fulfill their promise and fall into ruin, their only function to provide a hole for evil to crawl through.
● Enforce configuration management. Create a secure baseline, use it in mandatory system build procedures, and monitor systems in production with an automated configuration management tool.
● Patch. Set up alerts from vendors and threat advisory services. Use a news aggregator to keep up with threats. Respond by patching or disabling vulnerable services.
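The post says we know how to stop SQL injection and that missing input validation is the most common coding error; the fix is worth seeing side by side. The following is an added example, not code from the article or from any product it mentions: a login check written the vulnerable way (untrusted input spliced into the SQL string) next to the hardened version (an allowlist check on the username plus a parameterized query). It uses Python’s standard sqlite3 module with a constructed in-memory table, so it runs offline; the table name, column names, user record and the tautology input are all constructed for the demonstration. Passwords are stored in plain text only to keep the demo short; a real system stores salted hashes.

```python
import re
import sqlite3

# Constructed sample table: one user, plain-text password (demo only).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn

# Constructed attacker-style input: closes the quoted literal and appends an
# always-true clause, so the WHERE condition matches every row.
TAUTOLOGY = "' OR '1'='1"


def login_vulnerable(conn, username, password):
    """The classic defect: user input is formatted straight into the statement,
    so the database parses the input as SQL rather than as a value."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def valid_username(username):
    """Allowlist validation: only the characters a username may legitimately contain."""
    return USERNAME_RE.fullmatch(username) is not None


def login_safe(conn, username, password):
    """Hardened version: reject malformed usernames up front, then bind the values
    as parameters so the driver never lets them become part of the SQL text."""
    if not valid_username(username):
        return False
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both versions against the same inputs and report the outcomes."""
    conn = make_db()
    return {
        "vulnerable_with_good_creds": login_vulnerable(conn, "alice", "correct horse battery staple"),
        "vulnerable_with_tautology": login_vulnerable(conn, "alice", TAUTOLOGY),  # True: bypass
        "safe_with_good_creds": login_safe(conn, "alice", "correct horse battery staple"),
        "safe_with_tautology": login_safe(conn, "alice", TAUTOLOGY),  # False: treated as data
        "safe_with_bad_username": login_safe(conn, TAUTOLOGY, "anything"),  # False: allowlist rejects it
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The parameterized query alone closes the injection hole; the allowlist check is the input validation the post calls for, and it also rejects the garbage before it reaches the database, which makes malformed requests easier to spot in logs.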
With just that level of effort we can fend off 80% of infrastructure and application attacks. Remember, security isn’t binary. We’re not “secure” or “exposed”; we’re always at a point along that continuum. The trick is to find the breakeven between expenditure of resources and the point of diminishing returns. When you cross that line onto the long tail, move on.
But not forever. As I mentioned, it’s not a war; instead, it’s more like law enforcement. Once you capture territory and reintroduce the general population, the war is over and you enter an era of defense and peacekeeping. A productive society will change the landscape, building new districts for commerce, razing residential areas and erecting new ones. Our information infrastructure has now expanded to include cloud and mobile. We have to take one step back and figure out how to introduce these new elements and still defend the data. There’s sure to be another battle as a result.
Eventually we have to tackle the data and people problem, and we’ll deal with that another day. For today let’s declare our wins and expose the despicable defeatists for what they are: hysterical fear mongers.