Let’s start with the short version of the answer – use your common sense before reading vendor collateral.
I think PT Barnum once said “There is a sucker born every minute” in the famous Cardiff Giant hoax – (although some say it was his competitor, Mr. George Hull.
Kachina Dunn wrote how Microsoft got security right. No Joke, Microsoft Got This Security Question Right.
The gist of the post is that the Microsoft UAC-User Account Control feature in Windows Vista was deliberately designed to annoy users and increase security awareness; which is a good thing. The post got me thinking about the role of security vendors in mitigating data breach events.
Ms. Dunn quotes Carl Weinschenk in an online interview of a security vendor (Mr. Weinschenk is a professional journalist colleague of Ms. Dunn on the staff of IT Business Edge):
“Positive Networks surveyed IT security pros at small companies and enterprises, 20 percent had experienced a personal data breach — and 20 percent had also experienced a data breach in their companies. The consensus among those IT pros was that stronger security, specifically two-factor, was necessary but not present within their IT departments. And the breaches just keep happening.”
Data breaches just keep on happening
Of course data breaches keep on happening because data vulnerabilities continue to be unmitigated.
Most security breaches are attacks by insiders and most attackers are trusted people that exploit software system vulnerabilities (bugs, weak passwords, default configurations etc…). Neither security awareness nor UAC are effective security countermeasures for trusted insider attacks that exploit system vulnerabilities – premeditated or not.
Two-factor authentication is necessary
As a matter of fact, two-factor authentication is a not an effective security countermeasure for internally launched attacks on data performed by authenticated users (employees, outsourcing contractors and authorized agents of the company).
It is understandable that vendors want to promote their products – Positive Networks and RSA are both vendors of two-factor authentication products and both have vested interests in attempting to link their products to customer data security breach pain.
Unfortunately for the rest of us, the economics of the current security product market are inverse to the needs of the customer organizations. Security vendors like Positive Networks and RSA do not have economic incentive in reducing data breaches and mitigating vulnerabilities, since that would reduce their product and service revenue.
Actually, in real life – the best marketing strategy for companies like RSA, Positive Networks and Symantec is to stimulate market demand with threat indicators and place the burden of proof of effectiveness of their security countermeasures on the end user customers. If the customers don’t buy – it’s their fault and if they do buy but remain vulnerable, we can always blame overseas hackers.
White listing applications is an effective tactic
At last year’s RSA conference, Microsoft officials spoke of layering “old-school (but effective) offensive tactics like white-listing applications”. White-listing a vulnerable application doesn’t mitigate the risk of an authorized user using the application to steal data or abuse access rights.
One would certainly white list the Oracle Discover application since Oracle is a trusted software vendor. Users with privileges can use Oracle Discover to access the database and steal data. Since Oracle Discover generally transmits the password in clear text on the network, we have an additional vulnerability in the application.
Application/database firewalls like Imperva do not have the technical capability to detect or mitigate this exploit and therefore are not an effective security countermeasure.
None of the vendor marketing collateral and FUD, riding the wave of compliance and Facebook, IT security franchises built around standards like PCI DSS etc are replacements for a practical threat analysis of your business.
Your business, any business, be it small, medium or global enterprise needs to perform a practical threat analysis of vulnerabilities (human, technical and software), threats to the most sensitive assets and ascertain the right, cost-effective countermeasures dictated by economic constraints.
Cross-posted from Israeli Software