What is the state of information security today? Where do organizations stand in comparison to the attackers who are determined to compromise their information resources? What methods are working to protect information assets, and what trends should influence future security purchasing or deployment decisions?
These kinds of questions and more are addressed in the periodic security reports released by security companies on a regular basis. Cisco of course released its 2010 Midyear Security Report recently, and we have also seen the Verizon Business Security 2010 Data Breach Investigation Report and the McAfee Security Journal Summer 2010 issue, and many others. From reading these three reports, in particular, I picked out some similarities about the goings-on in the industry and what the next few years might hold.
Unfortunately, it appears that we will still have to deal with raising awareness about what is appropriate to send to the landfill.
Major Change in Industry
The central theme of Cisco’s Midyear Security Report was tectonic change in industry, and their implications for security. Mobile device proliferation, cloud and virtual computing, increasing collaboration and more are shifting the nature of where information assets reside, how they are used, by whom, and how they need to be protected. If enterprises do not adapt to meet these changes, they will be woefully unprepared for tomorrow’s threats.
Collaboration made everyone’s list this time around. Verizon produced their 2010 Data Breach Investigation Report (DBIR) in tandem with the US Secret Service. This public-private information sharing arrangement shed more light on statistics inferred by previous Verizon reports, particular on the nature of insider attacks (where the Secret Service is heavily involved in investigations). Such collaboration was repeatedly highlighted in the 2010 DBIR, with a key recommendation being that organizations strive to share more information about breaches and investigations:
[Y]ou could say that the success of our security programs depends upon the information we are willing to share.
McAfee, too, touted the value of collaboration. Not only was their report compiled from a series of brief articles from individual industry experts, and it explicitly featured an article about cooperation, but most of the topics centered around cooperative measures to overcome the advantage that attackers often enjoy. From “shunning” and “stunning” botnets or rogue ISPs to fighting spam, McAfee promoted the value of collaboration quite a bit.
The More Things Change, the More They Stay the Same
At the same time, Verizon noted that their DBIR data showed renewed support for practicing security fundamentals. 64% of breaches could have been prevented through “simple and cheap” countermeasures, and another 32% with “intermediate” level solutions — leaving a paltry 4% for difficult or expensive security controls. Regular log analysis, noticing trends in the enterprise, and proper privilege and access controls are by no means flashy or new, but they round out the major suggestions based on the characteristics from the analyzed caseload (pp 56-57).
For Cisco, this same sentiment came in the top three of five recommendations:
- Close gaps in situational awareness
- Focus first on solving “old” issues — and doing it well
- Educate your workforce on security — and include them in the process
For the moment, though the dynamics of the enterprise are shifting and the complexity of security requirements may be increasing, attackers are relying on the most direct methods to achieve results. And while Advanced Persistent Threats (APT) have gotten quite a bit of press, these kinds of attacks are as rare as they are sophisticated. And certainly, if an enterprise isn’t doing the basics well they most likely will not fare well against such a dedicated and proficient opponent. Bottom line: build a strong foundation of basic security controls and procedures, they are still quite valuable.
Technical and procedural advances should assist us in making great strides in security in the near future. McAfee spent a good deal of time talking about learning from attackers, particularly in penetration testing and code review through fuzzing. Cisco argues that a single security border is no longer effective, and the modern attacker is not facing defense-in-depth, but a much less comprehensive set of barriers. Learning to think like the attacker can reveal how much information is poorly protected, and where all of the various avenues exist to obtain valuable information assets.
New threat vectors, eroding boundaries, and sensational reports of embedded APTs may have led some to believe that we must meet these tectonic changes in the security landscape with an equally revolutionary security methodology: offensive security. For the most part, though, these reports are suggesting evolutionary change, reinforcing core strengths, and being mindful of how to apply sound practices to the shifting landscape. Like the landfill data disclosure mentioned at the beginning of this post, we will continue to face familiar challenges, though perhaps from more avenues and with more professionalism.
But offensive security will not necessarily be the best fit for many organizations. Indeed, even the term “offensive” may strike some as misleading, or inappropriate for this situation. Will the adoption of “offensive security” by an organization convey the correct message to business leaders? Could applying this term in an overly broad manner reduce an organization’s ability to adopt advanced, proactive defenses? Might an organization avoid code fuzzing, for example, because business or legal decision makers equate the concept of “offense” with actions like initiating a Distributed Denial of Serivce attack against the source of malicious traffic noticed by an IPS?
This is not to say that I disagree with the core message of McAfee’s report — I think that it will be important to raise the operating costs of attackers, to shift their risk-reward balance unfavorably, or to use advanced methods pioneered by attackers introspectively on our own software. But in addition to choosing terminology carefully, organizations may not necessarily need to head down the road of advanced techniques if they are still struggling to get a handle on the basics.
Focus on a strong foundation, and core strengths
As organizations like McAfee take steps to proactively engage attackers, enterprises might be better served to let them take on the costs of such specialized security, while the enterprises step up efforts to share information and collaborate with them. This will keep enterprise costs lower than if dedicating efforts to these specialized techniques, but provide a real benefit to those firms that are proactively engaging criminals on the front lines. Such collaboration can also give engineers exposure to advanced techniques and expertise from specialists that could improve day-to-day security operations without resulting in a full-time distraction from core responsibilities.
The temptation certainly exists for security professionals to shift focus to the excitement of these emerging security techniques from the measured and reasonable message that they must convey to counterparts and key decision makers in business. Good data, reasonable predictions, and creative new practices are a boon to the industry and a sign of its transition to maturity. But it is an industry of information assurance and risk management, where we should be prepared to continue operating carefully, simply, and with an instinctive repeatability.
With the data showing that most breaches could be stopped with consistent application of the “basics,” and data breach costs topping $200 per customer record, a simple and straightforward security foundation could save organizations like those dealing with up to 24,000 records exposed in the landfill disclosure $4.8m on that breach alone. Defending against these common and quite expensive risks should certainly be the priority.