Tag Archives: vulnerability

Why the security war will never be won

At security trade shows like RSA, we are purposefully given the impression that if we just employ some new defensive technique or purchase some new defensive tool, we will be able to keep intruders out of our systems for good.

How many times have we heard this? And how is this different from remedies that promise to solve other problems like our finances or our physical appearance?

The information security war will never be won.


As long as people, or groups of people, have accumulated wealth of any kind, other people have tried to steal it. We can keep ahead of the thieves for a time, as our defenses sometimes prove better than their offensive capabilities. But the wealth is still there, proving such a tempting challenge to some that they will use all of their imaginative powers to find a way in.

In our homes, we have better locks, stronger doors, better windows, better alarm systems – for what? It doesn’t seem like the problem of residential burglary is getting any better, despite these improvements. Thieves simply improve their techniques and find a way around our defenses.

In our information systems, we have better firewalls, application firewalls, intrusion prevention systems, anti-malware, and a host of other defensive (and even some offensive) security controls. But intruders still find a way in.

There are times when it proves very challenging to break directly into information systems. That is when intruders switch tactics: they target personnel employed by the organization that owns the systems, using a variety of techniques to trick users into performing seemingly harmless tasks that give intruders the beachhead they need.

Why do intruders persist? Because of the wealth that lies in the target systems. Whether this is direct monetary wealth, or information that can be traded for monetary wealth, as long as the information is there, and no matter what measures are used to protect it, intruders will find a way to retrieve it. This is true even if you have all of the latest defenses, tools, training, and so on. Your defenses will only slow down a determined intruder, and perhaps only by a small margin.

  • We must protect all systems. An intruder will attack the system of his choosing.
  • We must protect from all types of attacks. An intruder will use an attack method of his choosing.
  • We must protect our systems at all times. An intruder will attack at a time of his choosing.
  • We must teach all personnel to be aware of threats. An intruder will attack the person of his choosing.
  • We must obey all laws when defending our systems. An intruder may break any law of his choosing.
  • The intruder will always choose the path of least resistance, the weakest link, at our most vulnerable time.
  • Intruders are patient and resourceful, and often well-funded, and often more motivated by the prospect of success than we are by the prospect of intrusion.

Security basics: definitions of threat, attack, and vulnerability

Often the terms threat, attack, and vulnerability are interchanged and misused. Each is defined here.

Definition of threat: the expressed potential for the occurrence of a harmful event such as an attack.

Definition of attack: an action taken against a target with the intention of doing harm.

Definition of vulnerability: a weakness that makes targets susceptible to an attack.

Excerpt from CISSP Guide to Security Essentials, chapter 10

Vulnerabilities, threats, and risk in a chess metaphor

Even for security professionals it’s sometimes tricky to properly think about the terms vulnerability, threat, risk, attack, and exploit.  It can be harder yet to describe these concepts to someone who is not a security professional.

In this excerpt from our upcoming book, Biometrics for Dummies, we explain these terms within the metaphor of a game of chess:

“Before we go any further, let’s look at the meaning of the terms threat, vulnerability and risk. Over the years we’ve found these terms to be used interchangeably and incorrectly. As with any industry jargon, these terms are tossed around and used by people who do fully understand their meaning, and by those who think they do — but don’t really.

* Vulnerability: a weakness in a system that may permit an attacker to compromise it.
* Threat: a potential activity that would, if it occurred, harm a system.
* Risk: the potential negative impact if a harmful event were to occur.

The terms vulnerability, threat, and risk can be visualized like this: Imagine a game of chess, where one player has a very weak position, and the other player has a very strong position. The player with the weak position is unable to protect his king — this is a vulnerability. The weak player’s king is vulnerable to attack – a position of high risk. The strong player has powerful pieces (such as a queen, bishops, and rooks) that are in low risk positions to easily capture the weak player’s king — this is a threat.

And while we’re at it, there are some other words we should discuss:

* Attack: the act of carrying out a threat with the intention of harming a system.
* Exploit (verb): the act of carrying out a threat against a specific vulnerability.
* Exploit (noun): a program, tool, or technique that can be used to attack a system.

Using the chess analogy again, the strong player could attack the weak player, exploiting his vulnerability to capture his king. The strong player’s method of attack would be known as his exploit against the weak, high-risk player.”

From Biometrics for Dummies

Going public with website vulnerabilities that expose credit card numbers

I am a customer of an international company whose logo is highly recognizable and whose brick-and-mortar services I use frequently. I pay for these services by credit/debit card on their website. I noticed two months ago that the website has a vulnerability that exposes credit card numbers through form field caching, which means that public-access computers could expose credit card numbers (and security codes) to others.

I have contacted the company three times in the past six weeks. Their website makes it impossible to know who their security people are or which continent they work on (this is a company that has a presence in over 100 countries). I have written to the press office three times. None of my communications have been read by a human, as far as I can tell.

I will be giving them another week or two before I go public. I’ve told them so in every way that they make available. After telling them almost two months ago, I logged on today and the vulnerability is still there. It is SO easy to fix – it does not require any changes to their data model, workflow, or processes. All they have to do is add an ‘AUTOCOMPLETE = “off” ‘ to two fields in one form and they’re done.

As a security professional I am duty-bound to inform this organization. I’ve done so many times, and have not heard any response. If they continue to turn a deaf ear, I will go public in April.
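The fix the post describes, shown as an added example rather than the post author's or the company's code: a constructed payment form with the browser autofill leak beside its hardened version, plus a small audit helper that scans form markup for card fields missing an autocomplete="off" hint. The field names (cardNumber, cvv) are assumptions, since the post does not identify the site or its form. One caveat the post predates: autocomplete="off" is only a hint, and modern browsers honour it unevenly (several ignore it for login fields, for instance), so treat it as one layer and also keep card-entry pages out of caches with Cache-Control: no-store.

```javascript
// Added example (not from the original post): audit HTML form markup for
// payment fields that a browser may remember and offer to the next user of a
// shared machine. The two forms and their field names are constructed for
// this example; substitute your own checkout markup.

const VULNERABLE_FORM = `
<form action="/pay" method="post">
  <input type="text" name="cardNumber" maxlength="19">
  <input type="text" name="cvv" maxlength="4">
  <input type="text" name="email">
  <input type="submit" value="Pay">
</form>`;

// Hardened: autocomplete="off" on the form and on each card field, and the
// security code rendered as a password field so it is not echoed on screen.
const HARDENED_FORM = `
<form action="/pay" method="post" autocomplete="off">
  <input type="text" name="cardNumber" maxlength="19" autocomplete="off" inputmode="numeric">
  <input type="password" name="cvv" maxlength="4" autocomplete="off">
  <input type="text" name="email">
  <input type="submit" value="Pay">
</form>`;

// Field names that commonly carry card data; extend for your own naming scheme.
const CARD_FIELD = /(card|ccnum|cvv|cvc|cvn|csc|security.?code|expir)/i;

// Parse the attributes of a single HTML tag into a lowercase-keyed object.
// Handles double-quoted, single-quoted and bare attribute values.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return the names of card-related <input> fields that neither carry their own
// autocomplete="off" nor inherit it from an enclosing <form autocomplete="off">.
function findAutofillLeaks(html) {
  const leaks = [];
  // Split at each <form> opening so inputs are checked against their own form.
  for (const chunk of html.split(/(?=<form\b)/i)) {
    const formTag = chunk.match(/<form\b[^>]*>/i);
    const formOff = formTag ? parseAttrs(formTag[0]).autocomplete === 'off' : false;
    for (const tag of chunk.match(/<input\b[^>]*>/gi) || []) {
      const a = parseAttrs(tag);
      const label = a.name || a.id || '';
      if (!CARD_FIELD.test(label)) continue;
      const own = (a.autocomplete || '').toLowerCase();
      if (own === 'off' || (formOff && own === '')) continue;
      leaks.push(label);
    }
  }
  return leaks;
}

console.log('vulnerable form leaks:', findAutofillLeaks(VULNERABLE_FORM)); // → [ 'cardNumber', 'cvv' ]
console.log('hardened form leaks:', findAutofillLeaks(HARDENED_FORM));     // → []
```

Run it with node; a non-empty list for your own checkout page is the finding the post describes. The scanner is deliberately regex-based so it can be run against a saved page without a DOM library, which also means it will not see inputs injected by script at runtime.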

Skype “forgets” (?) to inform users of critical security patch

I love the Skype service, in part because I believe it is far more secure than other IM services. Skype is an eBay company.

This week, Secunia released a “highly critical” advisory on the Skype service, recommending that users upgrade to the latest patch version.

Skype was silent on the matter. They did not inform their customers. Why?

This and other recent events suggest either a policy of non-communication to users, or management ineptitude along the same lines.

Skype does not communicate with its users when there is bad news to communicate. Instead, they go dark. In a world where quality includes good customer service, it is simply amazing to me that they have established such a strong track record of turning their back on their customers. Company spokesman Villu Arak apologized for the most recent blunder. “We strive to inform the public of vulnerabilities and malware that may affect Skype software,” Villu Arak wrote on Skype’s security blog on December 10, 2007 (really??). “While this particular vulnerability was fixed, there was an unintentional communication oversight and we failed to bring the case to the public’s attention. All we can do now is to apologize.”

Skype needs to do more than apologize. This has happened too many times. While we can forgive companies for a single mis-step, this is just another example of Skype choosing silence over giving bad news. Earlier incidents:

Skype service restored but executives still in hiding

Skype: not one disaster, but two

I have no personal vendetta against Skype. As I’ve stated, I love the service and regularly recruit colleagues away from MSN, Yahoo, and AIM. And I don’t know anyone who works at Skype: I don’t know their names, their nationalities, or what they believe in. But I am disappointed in their corporate behavior when it comes to communicating with their customers. Are they pretending that difficult problems will just go away if they don’t communicate news to their customers?

My level of trust in Skype’s corporate integrity has fallen significantly. What other bad news are they choosing to keep to themselves?

On the contrary, things will get worse for them. Is anyone at eBay paying attention?