Is Security Broken? How I Propose to Fix It...

Wednesday, May 23, 2012

PCI Guru


Dennis Fisher has a blog post entitled ‘The Security Game Needs To Change’ out on ThreatPost. 

The premise of this post is that the practice of securing networks and applications is broken.  Then we have the CEO of RSA, Art Coviello, saying that security models are inadequate.

While I think Mr. Fisher and Mr. Coviello are correct in stating that security is broken, I think they have missed the point as to why it is broken and how to fix it.  Mr. Fisher quotes Jeff Jones of Microsoft’s Trustworthy Computing Initiative for his suggested solution.  Mr. Jones states, “What we really need is to get more smart people thinking about the problems we haven’t solved yet.”

Really?  Anyone remember the episode of ‘The Big Bang Theory’ where the guys try to help Penny build the multimedia system from IKEA?  Talk about available brain power.  Yet rather than assist Penny with the assembly of the unit, they go off on a tangent developing an over-engineered and sophisticated solution for a non-existent problem.

That is where I believe information security is at today.  We seem to be like Don Quixote, off on tangents such as understanding the motivations of the enemy, anticipating the next attack and other windmill tilting.  We keep trying to adapt military approaches to a problem being conducted in a very non-military way. 

In a true war, organizations would be investing in creating an offensive capability of cyber-armies to go into cyber-battle with the enemy.  And while there are discussions about organizations having offensive capabilities, security professionals are still in a defensive posture protecting the organization.

If we are going to fix security, then what we need is a serious paradigm shift.  If we will always be in a defensive posture, then the paradigm we should be using is the Fort Knox approach.  We focus on what information is important to our organization and go about the business of building a ‘Fort Knox’ to protect that information. 

Once we begin focusing our efforts on protecting our organization’s critical information, we will find that the rest of our security tasks become much easier.  After all, Fort Knox is predicated on a defensive posture, not an offensive one.

I am sure a lot of you are asking, “So doing all of this will perfectly protect my information?”  Not even close.  As I consistently say, security is not perfect and never will be.  No matter how much we try, there will always be people involved somewhere in the process and people are fallible. 

The concept is that if an incident does occur, you will recognize it quickly, stop it in its tracks and minimize its impact.  Will you lose information?  Hopefully not, but any information loss will not be significant because you recognized the problem almost immediately and dealt with it.

If you are frustrated with security, change your approach.  Until you do that, you will continue to have a broken security model.

Cross-posted from PCI Guru

Ross Macdonald: The message is clear - but there does not seem to be too much about a proposed solution? One of the key principles to mitigate risk / damage in the event of a breach is that a local breach should not lead to a global vulnerability. A la RSA last year. A local breach should be contained and should be a one in a row event. So solutions that provide this feature should be encouraged - PKI, certificates, passwords all suffer from being persistent, hackable and repeatable. They all fail. A mobile solution that contains no persistent 'key' or token but uses a JIT approach that is unique to each session - is the way to go.
PCI Guru: The solution is to do your job. Tighten up ports (internally and externally) and make sure that your monitoring is truly monitoring. Social engineering to get a beachhead is all the rage, yet internal networks have little to no security. As a result, once you're inside, it's open season.

Then there is the monitoring issue. I cannot tell you how many times clients have told me that their internal staff or their third party monitors saw my scanning or pen testing, but knew that's what it was so they didn't alert on it. Really? You should still alert and clear it.

At the end of the day, until things get more restrictive and people do what they're expected, we are going to continue to have problems and breaches.