Infiltrated dot Net

Security - Stupid is as Stupid Does
Written by Jesus Oquendo   

Companies in the news for security breaches are now benefiting from their newly found hindsight via way of a lack of security point of view. These views come at a highly expensive cost and it should come as no surprise that many companies will continuously and gratuitously benefit from those views. The reason I believe this is because companies just don't get it. At the cost of millions of dollars spent post compromise, companies rush off to apply band-aids where sutures are needed. Anyone with a connection to the Internet who has viewed any form of news site in recent weeks have come to know their names: RSA, Sony, Nintendo, L3, Northrop and the list goes on and on.

Where do these companies go wrong? With so much already being spent on security - firewalls, Intrusion Detection Systems, Intrusion 'Prevention' Systems, Intrusion 'Tolerance' Systems, Data Loss Prevention, *Certified Security Professionals*, standards, guidelines, and the list goes on - where and why are these companies failing? The answer if you ask me, most companies and or security professionals quite simply do not care about the real world of risk. It is much simpler and economic in their minds to pass the buck by simply making sure they "followed the rules." This means, they tend to establish a "baseline" for a security model usually based on guidelines such as NIST and others. We must bear in mind however, "By definition, following a guideline is never mandatory" [1]

In a "tangible" world where a product is purchased, a buyer physically touches a product, whenever that product has an issue, companies responsible usually issue recalls. This was the case with Toyota whose cars were recalled because they were faulty. On the Internet however, there is little recourse for companies who are compromised. Usually a small portion of those disaffected will mumble and groan and continue to use that product. This is definitely the case of companies like Citibank who was compromised recently [2] and Bank of America who continuously gets compromised quite often [3,4,5].

Unfortunately there is no immediate cure for security woes however, there are real world mechanisms to minimize even reduce the risk to numbers not even mentioned in most guidelines and or certification books. The problem with these cures are, too many security managers and C-Level types truly don't care to implement them. It seems to be "wasted dollars" for security managers and C-Level types since they cannot measure ROIs on voodoo metrics. You know those voodoo metrics well, they are usually cleverly scrawled across every security management level certification you could find: ALE = SLE x ARO or ROSI = R - ALE, where ALE = (R-E) + T. Too many security charlatans have flooded the security arena with this nonsense for too long.

Can we state that Citi, BofA, L3 and others never used these metrics? If they state that they did not, they would be hurting their reputation. We can infer that the outcome of these metrics are useless and this is as obvious a statement as "tomorrow is another day." So how do does the security industry change this backwards approach to security while keeping costs low, and security measures high? Simple, take a different approach to security as a whole.

In a recent case, [6] a judge ruled that a bank was not responsible for fraudulent transfers made from an account. In this case, both the bank and the customer lose; the bank loses a customer, the customer loses their money. Case closed. However, imagine if the bank had a validate policy in place where any transaction over N amount of dollars needed to be validated over the phone? Extrusion prevention. Customer would have likely been notified, and no transaction would have been allowed; bank wins, customer wins. The cost for something like this is far less than the cost associated with higher insurance premiums for the bank, loss of customer confidence and so on.

In other instances such as say the Sony compromise, the cost of securing that network would have been far less than the estimated $170 million [7] they dished out. The existing approach to security however would have still likely led to a compromise. This is because companies are looking at security as: "build a bigger wall, add a moat, throw sharks in the lake." What they fail to see is that most of the existing attacks are not "coming through the front door." Many are client side attacks [8] where an attacker is leveraging a machine already inside of a network in order to burrow out a trusted network where the attacker can then control that machine. How do you defend against this? It is just as simple as defending from the other side of the "wall." You build mechanisms to inspect what is leaving your network. Disgustingly simple isn't it?

Ask any security manager or C-Level why they won't apply this and you are likely to be bombarded with a hodge-podge of voodoo metrics: SLE = EF x AV x CTM or ROI = ALE - (( ALE - (ALE - ALE2)) + T ) in other words, covering one's ass is far more important than actually getting the job done right. This is all that security has boiled down to. Those responsible for this mess are usually those who have never been "in the trenches" so they understand "paper security" versus "real world" security.

The cost of implementing extrusion detection and extrusion monitoring come far less than the cost of a compromise. That statement is mere common sense and I should not have to create any crafty metric or algorithm to prove this fact. Do you think I could have accomplished extrusion prevention, SIEM and so on at Sony for say $17 million for Sony? Darn right I could in fact, pricewise I could have likely come in under the $5 million mark, 3% lower than the cost of a compromise with greater ROI or ROSI (take your poisonous acronym pick) at the end of the day.

So when will security managers and C-Level professionals get a clue and do the right thing? My guess is they will not. It is likelier that they will continue to follow the herd [9] and paint fuzzy pie charts filled with wondrous metrics that yield little at the end of the day. Companies will still get compromised, few will grumble and moan and security will get back to business as usually as opposed to actually defending anything.


Got Root?