August 05, 2007

Doom and Gloom spreads, security revisionism suggests "H6.5: Be an adept!"

The doom and gloom in the security market spreads. This time it is from Richard Bejtlich who probably knows his stuff as well as any (spotted at Gunnar's 1raindrop). After a day at Black Hat, the expensive high-end "shades of illegal" conference in security, he concludes:

  • Existing defenses are absolutely ineffective against current attacks....
  • Detecting current attacks in "real time" is increasingly difficult, if not impossible....
  • The average Web developer and security professional will never be able to counter these attacks....

Note how he includes the security professional in there. Yup. The problem is that the knowledge space has ballooned and nobody can keep up; Internet security is now a game that is way too broad for anyone to really cover it all.

Even before the current "war on everyone" you still had several problems with the security industry: a lack of understanding of the business, which fed into poor choices that were generally too expensive, and a tendency towards "best practices", i.e. purchased products, because brands deliver CYA as well as high prices, etc etc. Over time, industry discovered they made more money if they didn't hand it over to security ... until 2003 that is, when phishing found its lure.

If, then, you can't find someone to do it for you, you have to do it yourself. This is what I called Hypothesis #6 "It's your job. Do it." But exactly what does that mean?

#6.5 You need to be an adept in many more aspects

In all probability you will need to be adept -- well versed if not expert -- in all aspects, right up to user activity. This will stretch you away from the deep cryptographic and protocol tricks that you are used to as you simply won't have time for all that. But an ability to bridge from user needs all the way across to business needs, and then down to crypto bits is probably much more valuable than knowing yet another crypto algorithm in depth.

The FC7 thesis is that you need to know Rights, Accounting, Governance, Value and Finance as well as Software Engineering and Cryptography. You need to know these things in some depth not to use them but to avoid using them! And, more particularly, avoid their hidden costs, by asking the difficult questions about the costs that nobody else dare recognise.

Perhaps the best example was the decision by Microsoft to stop coding and start training all their coders in security practices. Not just some of them, all of them!

Where this leaves the conventional security professional is perhaps an open question. I would prefer to say that instead of prescribing solutions and sometimes supplying them, he would shift to training and guiding. This would involve a different emphasis: in the past, if you assessed that an IDS might help, you sold an IDS. Now, however, you would assess whether the team leader could cope with an IDS, point her in that direction, and mentor the assessment of the tool by the entire team. If they aren't up to that, then you have another problem.

Posted by iang at August 5, 2007 06:51 PM

way back when ... it was about designing & implementing systems/infrastructure to prevent bad things happening.
some slight (nearly 40yr old) drift:

now we have a lot of systems/infrastructures where it is all about attempting to recognize when bad things have happened ... and the basic systems/infrastructures are effectively recognized as extremely vulnerable ... and solutions are effectively done in terms of baling wire and chewing gum.
(one might be tempted to say that things have severely regressed and there is little lore left anymore about prevention)

recent reference: If your CSO lacks an MBA, fire one of you

old buffer overrun post: Buffer overruns

with these references:
  • Microsoft Researchers Target Worms, Buffer Overruns
  • Microsoft researchers target worms, buffer overruns
  • Microsoft Researchers Target Worms, Buffer Overruns

or this old post: Computer of the century

with reference to discussion of how to deal with some number of C-language related coding problems .... 90% of which wouldn't happen in various other programming languages.

passing reference at an assurance panel in 2001 to comment about m'soft holding up windows 2000

I remember in the early 80s ... where state-of-the-art had progressed to the point where work was going on ... not with regard to outsider attacks or straight-forward insider attacks (supposedly still responsible for up to 70 percent of the fraud) ... but the state-of-the-art was "collusion" countermeasures .... i.e. organized groups of insiders attempting to bypass provisions preventing insiders from subverting the systems.

misc. past posts mentioning that early 80s security state-of-the-art focusing on insider collusion (i.e. having procedures in place for outsider attacks and the simple, straight-forward insider attacks):
  • KISS for PKIX. (authentication/authorization seperation)
  • Who or what to authenticate?
  • A PKI Question: PKCS11-> PKCS12
  • Federated Identity Management: Sorting out the possibilities
  • two questions about spki
  • should you trust CAs? (Re: dual-use digital signature vulnerability)
  • PGP "master keys"
  • Interesting bit of a quote
  • Interesting bit of a quote
  • US fiscal policy (Was: Bob Bemer, Computer Pioneer,Father of ASCII,Invento
  • MVS secure configuration standard
  • MVS secure configuration standard
  • More on garbage
  • ABN Tape - Found
  • Caller ID "spoofing"
  • Value of an old IBM PS/2 CL57 SX Laptop
  • Password Complexity
  • The System/360 Model 20 Wasn't As Bad As All That
  • Silly beginner questions

Posted by: Lynn Wheeler at August 6, 2007 09:51 AM