6 hard truths security pros must learn to live with
- 29 April, 2015 04:38
Nearly every company in the world has thousands of vulnerabilities that hackers can easily exploit. For anyone working in IT, this is not a bombshell announcement. It's business as usual.
The reality is that IT invulnerability is impossible at any price point. Instead, companies spend a major portion of their IT budgets on computer security defenses to prevent hackers from taking advantage of those same everyday vulnerabilities. The theory is simple: With enough layers of security, the bad guys will look elsewhere for easier targets.
It's a dirty little secret in the industry that no computer security solution really works as well as advertised. Every "guaranteed-to-stop, advanced-security system" is doomed to failure. The promised goal shared by vendors and IT alike is nothing but a pipe dream. Our best effort is all we can do.
The following six hard truths of IT security show not only why today's security solutions fall short but how we, as IT pros and an industry, can mitigate at least some of the inevitable fallout of imperfect security solutions.
Imperfect distribution of defenses
It's hard to lay down an infallible defense when you can't put your software on every device in your environment. Security solutions, by necessity, work on only a subset of platforms and versions, and this subset is always less than what the customer has. Some solutions don't support legacy devices and operating systems. Others fail to keep up with the latest OS and devices.
If one thing can be said about today's complex BYOD world, it's that the job of securing the network went from tough to impossible. Forget that security vendors don't support every platform. The base truth is that no one, not even IT, understands all the devices that are used to connect to your network. Is that a phone, slate, tablet, or subnotebook device? Does it run Windows, Linux, OS X, or a private OS no one on staff has ever heard of? Is it a physical or virtual asset? If it's a virtual machine, will it exist tomorrow? Is it running on a corporate host or on someone's portable device? Does it belong to us or a contractor?
Even for supported devices and platforms, device discovery and deployment are imperfect. You never get 100 percent of the devices scoped by your security solution, thanks to a myriad of issues, including network or site connectivity issues, blocked firewalls, offline assets, corrupted registries or local databases, separate security domains, and OS version changes.
Add to that the political and managerial roadblocks in what is often called the eighth layer of the OSI model. Management silos, business units, departments, and systems that get exempted by default -- even if you have a brilliant idea for securing company assets, you might not be able to deploy it.
As a result, IT security must live with the hard truth that some percentage of devices will never get the security software installed. At a bare minimum, it's important that any security solution be able to tell you which devices have successfully installed the software and which are having problems. Then you can look for commonalities and try to get the software installed on as many devices as possible.
But installing the software is only the first challenge.
Insufficient staffing for deployment and monitoring
Too often, companies buy a great computer security solution, then fail to deploy it appropriately, if they deploy it at all. Months are spent evaluating and arguing for a big security purchase that ends up languishing unboxed in a corner somewhere. Or some unfortunate, lone employee is told to deploy the new solution despite already being overloaded with mission-critical work that is considered their "real job."
The employee puts in a hero's effort to deploy what they can in a few days. They become a pseudo expert on the device and the threats it's supposed to prevent. They do their best to configure the device, and for the next few days or weeks, they put in a passable job of monitoring it.
Then their other mission-critical priorities take over. Pretty soon that cool new security tool is monitored less and less. No one has time to track down false positives, much less follow up on alerts. Not long after, the device is kicking out alert after alert, all of which gets lost in the noise of other poorly monitored security devices. The Verizon Data Breach Investigations Report finds that 70 to 90 percent of all malicious incidents could have been prevented or found sooner if existing logs and alerts had been monitored. It's little wonder given this prevalent, nearly inevitable cycle from deployment to disuse.
Computer security devices are never self-maintaining. They need the right teams, resources, and focus to even come close to their promise. Companies are great at buying capital assets, but they're afraid to increase operational expenses and headcounts. This means built-in failure. Don't set yourself up for it. Get a plausible staffing solution in place before you purchase any security technology.
Hackers need to find only one weakness
Suppose a company has 1,000 Web servers, and 999 of them are fully patched and perfectly configured. All a hacker has to do is fire up a vulnerability scanner and point it to the right domain name or IP address range -- game over. Scanning 1,000 computers takes only marginally longer than scanning one.
A typical vulnerability scan will bring back one or more vulnerabilities on every server, if not dozens of vulnerabilities. When the scan is finished, all the hacker needs to do is pick through the juicy results to decide where to exploit first.
This one-weak-link-and-you're-hosed maxim is nowhere more obvious than in malware campaigns via email. Send a malware-containing message to a large set of employees, and at least one person, no matter how smart, will open the email and blindly follow every suggested command. I've been involved in dozens of antiphishing education tests over the years, and in every case, a fairly large number -- between 25 and 50 percent -- of employees can be phished out of their credentials in the first round. While the conversion rate (as we call it) drops with each successive round of sending another test to those who have passed the prior trial, there will always be some portion of users that responds to every phishing attack.
The more complex your staffing mix becomes, the harder it is to shore up your defenses. Some of the biggest hacks in recent years have come from exploited contractors. One of the most damaging hacks, on Target retail stores in 2013, came from an exploited HVAC contractor.
Sometimes attackers can go right after your most trusted protection. In one of the most sophisticated attacks ever, an advanced hacker group compromised long-lauded computer security company RSA, using an attack centered on several pieces of old, unpatched software. Then they sent a malicious spreadsheet file, which helped them break in.
Forensics revealed that the users would have been prompted with no fewer than five messages warning that the content they were about to open could be malicious. In every warning instance, they had to choose a nondefault answer to bypass the warning, and in every case they did. Once the attackers got in, they stole the digital secrets to RSA's much trusted SecureID key fob and used what they learned to exploit their ultimate targets, which included U.S. military giants Northrop Grumman and Lockheed-Martin. Even if you have your security down pat, attackers will exploit your business partners and use what they find against you.
Even if you're perfect at detecting and remediating vulnerabilities, all an attacker has to do is use vulnerability analysis tools to "fingerprint" each of your operating systems and applications exposed to the Internet, then wait until one of those software vendors releases a critical patch. No matter how great a company is at patching, they aren't likely to patch assets faster than the attacker can make use of tools available within hours of the announced vulnerability.
Hackers can change tactics on a dime
Defenders, by definition, are reactive, and in the computer world, this makes us that much slower than attackers. It takes IT and the security industry about two to three years to sufficiently address a new threat. Attackers will have moved on to new or slightly different attacks well before then.
In the late 1980s when boot viruses were all the rage, it literally took years to get out the message that users should pop out their floppy disk before rebooting their computer. In fact, boot viruses didn't go away until the demise of the floppy drive. Now we have USB autorun viruses doing the same. Macro viruses hit us with a vengeance in the 1990s, and it took a decade to tell people to not open every file attachment, especially if it was unexpected. We're still trying to get people to understand that message.
All attackers have to do is slightly modify their techniques and they're successful again. For example, we warn people about fake antivirus messages, and they get fooled by a fake disk-compacting program. We warn people about patching their OS and attackers move on to popular browser apps.
Today, most attacks are launched from exploited websites. You're more likely to be exploited from a website you trust and visit every day than from a porn site. Now we're trying to tell people not to run the link or executable they've been offered in their browser window or not to give their logon credentials to people who send emails. I wonder how long it will take for us to effectively teach and learn these current lessons.
We haven't learned how to stop attackers from exploiting our PCs, and they're already moving onto our mobile devices. Nearly every threat we had in the PC world is being repeated in the mobile world. Worse, we're very bad at transferring lessons learned on one platform to another. It will only get worse as the Internet of things (IoT) accelerates. Smart televisions, cars, toasters, clothing -- everything will be targeted for attack.
Lack of focus on the right risks
But the biggest problem with computer defense may be the inability to appropriately prioritize competing risks. Some of the hundreds of possible ways to exploit a company are far more likely to happen than others. This makes for a huge gulf between your highest-rated threats and your most likely ones. Success belongs to those who focus their security efforts more often on the latter.
I frequently ask IT security personnel to list every computer security defense they're implementing at their company, the money spent, and the staff resources dedicated to each project and operation. I then ask them to tell me the most common ways their company is exploited. Rarely do I hear two answers that are the same. If the IT security employees don't agree on what's wrong, how can you efficiently defend your environment?
More often than not, the No. 1 problem is unpatched software, and the No. 2 problem is social engineering. In the case of unpatched software, it's usually only one to three unpatched applications, out of the hundreds you need to patch, that are responsible for most exploits by outsiders. But how many companies focus on patching those few applications perfectly, to the expense of most nearly everything else? Almost none.
If social engineering is the No. 2 problem, how come all user education programs operate on a shoestring budget? I've yet to see a user education program that truly, and routinely, teaches employees about the latest threats and how to avoid them. Most education programs are stuck in the past, offering solutions that would have worked moderately a decade ago.
Very few programs tell users what the company's real antivirus programs are or look like, so how can they be sure to avoid responding to a fake one? Very few programs tell employees that they are more likely to be infected by a website they trust, let alone remind them not to run unexpected executables from any Web page. How many programs inform employees of the most frequent exploits fellow co-workers fall prey to, and how to avoid them? If your program does, send me a copy, so I can say I know of one company that does it right.
No solution addresses the real root of the problem
Each security solution you buy addresses a particular set of threats on a particular set of platforms. Each tries (imperfectly) to thwart a certain problem sticking its head out of a particular hole. Meanwhile, the nimble hacker moves to the left and starts a new hole. It's a game of digital whack-a-mole that defenders will never win.
But behind each attack is a single basic problem that remains unresolved: pervasive anonymity on the Internet. Anyone can send you an email claiming to be anyone else. Anyone can send network packets that your servers will consider or pass along. Anyone can claim to be anyone, by default. This means that evildoers are harder to identify and prosecute. As long as this is the case, we will never defeat malicious hackers.
There are ways to get rid of pervasive anonymity without revealing everyone's true identity in every instance. There are many instances in which absolute anonymity should be guaranteed, as many forums and circumstances absolutely benefit by some or all the participants being anonymous. This is a basic truth of society.
At the same time, I would prefer to never receive an email from someone whose real identity hasn't been verified. Anonymous emailers too often indulge in mean and bullying behavior. I've received death threats for pointing out that Apple computers have more known vulnerabilities than Windows computers. Enter the terms "quits twitter" in your favorite search engine and you'll find copious incidents of people opting out of social media due to bullying or threats of physical harm to their family members. Being able to reject email from people whose real identity hasn't been verified may not eliminate that kind of behavior entirely, but it would seriously curtail it.
More than that, if we had a way of allowing various parties to easily agree on the level of anonymity allowed or not allowed in a particular transaction, Internet crime would likely plummet as well, as being able to identify and prosecute Internet criminals would finally become possible.
Of course, no single solution can fix this issue. It would take a concerted effort on the part of not only security solution providers but the Internet at large. But we all have ample incentive to take part in such an effort. Bandwidth free of denial-of-service attacks, spam a relic of the past, malware on the wane -- it can happen, when we focus on the right defenses.