If these companies, widely lauded as having the brightest minds in their respective spaces were so publicly spanked, an obvious question raises its head?
Why wasn’t yours?
Sadly two of the likeliest answers to this question are equally uncomfortable.
a) you haven’t been compromised (yet) because people haven’t bothered
b) your company has been compromised and you just don’t know it
Brian Snow, former director of Information Assurance for the NSA said it best at a conference in Greece recently: “I’m here to tell you that your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of
your opponents”.
This is a difficult fact for most people to swallow. Especially after spending thousands on firewalls, hundreds of thousands on antivirus and possibly millions on security staff. A difficult fact for sure, but one that can be proven and is objectively true.
Hire any moderately competent penetration testing company to break into your network. I’ll bet you dollars to donuts they will break in before the ink on their proposal is dry. In over a decade of professionally breaking into companies around the globe, I can safely tell you that breaking in, is (almost) never particularly difficult. In most cases, it’s mind numbingly easy.
So why are we in such a horrible position? And why don’t we know it?
In part, it’s because computer security is a hard problem. Armchair pundits sometimes draw comparisons between information security and other scientific disciplines. “We are able to build bridges safely & repeatably and should be using scientific methods to keep our information secure”. It’s as if merely using the words “scientific methods” would magically make the problem go away. The truth of the matter is that when you build a bridge to cater for the vagaries of mother nature’s mood swings, she doesn’t change her game to catch you out. Computer security places people against sentient opponents who are highly motivated and highly incentivized to change their behavior in order to find a winning strategy.
This alone would be enough of a challenge, but it gets worse. It gets worse because technology is a force multiplier. We reap the benefits of this multiplication when a young company like Instagram is able to serve millions of people and generate billions in value with only 13 employees but stand to lose when this multiplier is turned against us.
(Some) Companies have always had secrets that need protecting. Traditionally, access to these secrets were revealed only as one progressed higher in the organization. This natural balance (mostly) worked since it tied the individuals future with the company’s future as the individual learnt where more bodies were buried. This changes however when the entry level sysadmin (or dba) has access to the same secrets at minimum wage. Sitting at his desk, your junior network admin is (probably) able to read the email of every highly paid exec in the company. The technology force multiplier works against us here and society hasn’t yet figured out how to handle this.
This will get worse. With the rise of Wikileaks, Jullian Assange was often quoted as saying “courage is contagious”. His thesis is that as more people stand up to speak truth to power, (even) more people would stand up to speak truth to power. Time will tell if this is indeed proven correct, but what has clearly taken place is a new awareness of the value of information. Today, thanks to wide coverage in the popular press, even the temp secretary filling in for Edna down the hall is becoming aware of the potential power he possesses.
If technology got us into this mess, can technology get us out?
Maybe someday. But one of the often unspoken truths of security is that large areas of it are currently unsolved problems. We don’t know how to write large applications securely yet. We don’t know how to secure entire organizations with reasonable cost effective measures yet. The honest answer to almost any security question is: “it’s complicated!”. But there is no shortage of gungho salesmen in expensive suits peddling their security wares and no shortage of clients willing to throw money at the problem (because doing something must be better than doing nothing, right?)
Wrong. Peddling hard in the wrong direction doesn’t help just because you want it to.
For a long time, anti virus vendors sold the idea that using their tools would keep users safe. Some pointed out that anti virus software could be described as “necessary but not sufficient” at best, and horribly ineffective snake oil at the least, but AV vendors have big PR budgets and customers need to feel like they are doing something. Examining the AV industry is a good proxy for the security industry in general. Good arguments can be made for the industry and indulging it certainly seems safer than not, but the truth is that none of the solutions on offer from the AV industry give us any hope against a determined targeted attack. While the AV companies all gave talks around the world dissecting the recent publicly discovered attacks like Stuxnet or Flame, most glossed over the simple fact that none of them discovered the virus till after it had done it’s work. Finally after many repeated public spankings, this truth is beginning to emerge and even die hards like the charismatic chief research officer of anti virus firm FSecure (Mikko Hypponen) have to concede their utility (or lack thereof). In a recent post he wrote: “What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.. This story does not end with Flame. It’s highly likely there are other similar attacks already underway that we havn’t detected yet. Put simply, attacks like these work.. Flame was a failure for the anti-virus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”
To add to our woes, it is obvious that we are growing increasingly more dependent on technology and that technology increases at an increasing rate. We have not yet learned how to write secure code but are pumping out more code than ever.. This isn’t likely to change, so are we doomed?
No.. Not necessarily. Part of the failure of the industry is that it tried to convince everyone that everyone was the same. That everyone had the same security concerns, and in an attempt to maximize profits that the same generic security solutions are capable of solving everyone’s problems. This lie allowed many to make millions but is also at the root of the growing disillusionment..
Not everyone needs to worry as much about getting compromised. Not everyone needs to care as much about their website being defaced. Even the bad press that follows public defacements is sometimes over rated (and often misunderstood). Security currently occupies this strange middle ground. A middle ground where people who don’t need to, often spend too much on it and people who really do need to often spend too little. Much of the spend that is made, is misguided and directed by what vendors have to supply (instead of what consumers actually need) resulting in the perfect storm. We spend a lot on solutions that won’t help, and don’t even realize how vulnerable we are.
We need more than ever to re-examine the promises made by our vendors, and increasingly need to hold them to account for failures. More has to be demanded, but this requires an active informed client (instead of one who is so willing to believe that the new super-solution will conjure our way out of this problem). The easy problems in infosec have been automated. What remains are ugly hairy problems that don’t (yet) lend themselves to simple answers. If a vendor offers you one, show him the door.
(This article was written for Issue 3 of Acumen Magazine by haroon. You should follow him on twitter here)
