Security guru Bruce Schneier has renewed his attack on the IT security industry. A record number of attendees is visiting this week's Infosecurity trade show in London but nobody is buying anything, according to Schneier. "Buyers don't understand what is being sold. That's why the security industry as a standalone entity is …
with the way data protection is ignored security is going to become a big issue. How is it dying? I took the guys coat that was unencrypted and virus riddled.
Is he mad?
"He reckons that as the IT security industry matures there will be a greater demand from customers that products and services simply work"
I'm sure there will, just as the Great British public demand better services and lower taxes...but it 'aint gonna happen in my lifetime.
Infosec is mostly voodoo
I'm not suprised that customers are confused by infosec, and hesitant to buy infosec products. Our company provides application hosting to fortune 200 corporations, and every single corporation has a varying degree of "questions" about security. Some have a 10 page document, others have a 100 page document. Some insist on an having our environment reviewed by an infosec specialist, others have no interest. This itself is par for the course. However my experience with the InfoSec personnel seems to be more on the side of voodoo and finding "something" to report back as wrong with our environment.
With every specialist who has walked through -- some are employed by the customer internally, others are outsourced -- they generally find one or two nitpicky things that need to be changed. No one group has come in and said "here are 50 things wrong with your site." The list is usually one or two items. We address the issue, and move on.
For example, when we first started this project 2 years ago, the first InfoSec guy scanned our internet facing portal and said we needed to disable ICMP/Echo-Reply. Done. The next group scans our servers and insists we disable HTTP since our product is HTTPS only. Done. The next group scans our servers and insists we disable obsolete HTTPS encryption protocols like SSL 1.0. Done.
Other times, they find issues with the physical security of the site. One guy came through, and insisted we get security cameras on the the main doors to the suite. We complied. The next guy comes in and says we need to put a plastic tint on the window because you could visually see some of the server screens through the front door glass. Done. The next guy comes in and says we need a security camera focused on the datacenter itself, and that the security cameras on the front and back exits are not enough. Done. The nexy guy comes in and says we need a security camera in the wiring closet where the DMARC is. We are in a leased suite so the DMARC is not inside our suite, it is in a locked common area outside the suite. We complied, and added a camera to that location as well.
Finally, there is the "documentation". Over the months, every security guy comes through and asks us for an additional type of documented procedure. Initally it was our DR procedure, or our password-reset procedure. Next, it is our hiring procedure. Or our security-event-escalation procedure.
Each time a request is made, we comply with the request, and the security "expert" is then happy, returns his 50 page report to the customer, outlining all the things we do right, and the 2 things we did wrong, and how we resolved the issues. With each iteration, our security gets better, but it makes me ask the question -- why did the first security "expert" not report all these things on day 1? The answer is obvious to me -- this industry is all smoke and mirrors. These guys put on a security-related dog and pony show, do their song and dance, and collect a big fat fee for a pile of paper. I'm sure the next expert or security firm who comes through will find one or two more token items to report back to the customer. If this is the state of the infosec "industry", then its self explanitory why it is dying.
OMG not the Computer Industry Vs Car Industry again
What is it with preachers comparing a car to a computer? A car gets you from A to B, that's it. You can't reprogram it to mow your garden, watch your house or give the dog his food. A computer is able to do all of these with a little tinkering. The GM Vs Microsoft spat anyone?
You can't buy anti lock brakes separately? True but then again you can't buy a computer without a fused power supply (not the one in the plug, the one in the PSU), what's your point? Both are safety devices that stop you dieing, if your computer gets a virus or a script kiddie gets in its not going to kill you is it?!?!
You'd be far better off comparing the computer to the Human. Problem is that makes all of what he spouts complete nonsense. We have medicines that can battle everything but we still get sick, just as computers have virus scanners but they still get felled.
Additionally if we go with the gurus suggestion of built in security you run the risk of tangling with the monopolies commission, a problem that the Vole knows only too well (OK that was over browsers but its not a huge leap to get to security products that de-activate others, Vista SP1?). The diversity of the PC is one of its greatest strengths, although 99% of the population running Vole OS's doesn't help as it means that any attack is always specific to a piece of software or hardware and if you don't use it you don't have to worry about that problem, however this same strength is also one of its greatest weaknesses as you're never going to be able to plug all of the holes. Just because your a programmer doesn't make you a security expert.
The companies that mess up were the ones that believed security was "smoke and mirrors"
14:38 - it all depends on the nature of the business that needs to be secured. Is it HMRC we're talking about? Perhaps an aerospace company that has the Chinese government trying to hack into it, will disagree that security is smoke and mirrors?
Sure, it's not every single business that faces a threat from hackers or information thieves. But that doesn't make it completely smoke and mirrors either. Many people talk in general terms about the importance of security: they're not specifying what industry sector, what information is actually valuable (IP etc) and why, which country (changes the financial incentives) and so on.
I agree people need to use much more precise language though. The smoke and mirrors comes from vendors/consultants pushing their own prerogative, which to a certain extent is acceptable IMHO, but the problem is they don't always realise how biased their own views are. The result is you can have 10 different experts all saying different things, none of them are lying, perhaps all of them genuinely believe they are suggesting the right thing - and are - but you are still left with the perception of smoke and mirrors.
An endless list of information leakage cockups suggest that the infosecurity business has some value. Maybe the people responsible for these cockups had a similar view, that security was cloak and mirrors? It wouldn't surprise me.
I think the Reg misses The Schneier's point. He's not saying that infosec will die - just that different people will buy it. Instead of it being something that an end user buys, security will be something that a product developer buys and integrates into their product.
@Infosec is mostly voodoo
What's with the "expert" quotes. How'd you like to be called an application hosting "expert". Those guys sound like they did a thorough job. If you want to reduce the frequency/intensity of these visits get your company ISO27001 certified. What? Oh yeah, you'll need one of those "experts"...
@Infosec is mostly voodoo
You are right in saying that most of these things could have been picked up on the first review ... however, it all comes down to the scope of the review. The hardening of the servers and network infrastructure sounds like you had penetration tests done ... they normally don't look for physical security or procedural security holes.
The documentation (procedural) and physical security checks are usually part of an audit, say under the ISO 27001 certification standards.
Auditing and Penetration testing is all about finding deviations from a standard whether that be the latest best practice for securing servers and infrastructure or physical and procedural controls. Because best practice evolves and risks change over time so regular checks like this are precisely there to increase security.
Some of the things that penetration testers find can appear to be voodoo but that does not mean it does not make sense to use their services. Audits and tests are a good thing (I've been on the receiving end of them and also perform them so I understand both sides of the arguments here 8-) and should be seen as a positive indication that you are doing your job right!
Security is not just for InfoSec people ... everyone ... users, developers, support staff ... all have a role to play in lowering risk and achieving the holy grail of "compliance" 8-) Technology has its (big) place in security but people are usually the weakest link! There is a dispute in the industry between the "education of users" is the most important thing stance and "use technology as handcuffs", I think its definitely needs a carrot and stick approach. Educate people and have them accept their responsibilities and when they fail or circumvent controls ... jail them 8-)
RE: Infosec is mostly voodoo
Why didn't the first ask all (most) of questions? A very good question, I have wondered the same thing? Nobody can probably think every detail but security, physical and logical, has been around a long time and there are some very good checklists, maybe not all in one but you can put one together rather easily.
Maybe the problem is the "specialists"? They see one problem, want it fixed but don't see that fixing it will cause other problems? Adding a camera is easy, guaranteeing it stays up all the time, there are enough people watching the new circuits, etc may not be so easy? Adding a new security protocol, encryption, etc may be easy but what it does to performance, capacity, current AA management, etc may again be not so easy?
Same as adding ABS breaks, be ready, the behavior of the car may change a lot! And it takes time to get used to it OR you may have to change other parts to make the car really drivable again.
"What is it with preachers comparing a car to a computer? A car gets you from A to B, that's it. You can't reprogram it to mow your garden, watch your house or give the dog his food. A computer is able to do all of these with a little tinkering. "
"You can't buy anti lock brakes separately? True but then again you can't buy a computer without a fused power supply (not the one in the plug, the one in the PSU), what's your point? Both are safety devices that stop you dieing, if your computer gets a virus or a script kiddie gets in its not going to kill you is it?!?!"
As soon as your computer can mow your lawn the seizure of control of the computer-lawn-mover by a virus etc could very well kill you. On one hand you are suggesting that a computer is versatile and thus cannot be compared to a car. Here you conveniently make an assumption that car is an object which takes people from A to B where these are treated as constants. Also you fail to include the flexibility in purposeful use and ownership of the car - but you conveniently expand on the possibilities of use of a computer with examples that are not commonly available to most computer users. Sorry to state the obvious example in your argument but how many dog owners do you know that are using their computer to feed the dog - or even would be able to get it to work if they so wanted to? The point being that the common PC sold to people is not equiped with such features. So this argument would for most computer owners at the moment be irrelevant. The point is not 'what you can imagine is possible with computer technology for those with skill, imagination and resources'. If it was the case then your argument is flawed because you do only seem to apply these (skills, resources and imaginative usage) on the PC and deny them to be applied for the car.
The point is 'what is commonly available in everyday use of the car' and relating that to 'what still is not commonly available in every day use of the personal computer'.
Some of the recent cock-ups could be partly explained by an unthinking belief in obvious security (such as an ID check when you arrive at work), with the end result that nobody thinks they have to do anything.
And then the CDs are in the mail.
Re anonymous voodoo
I wonder why your own internal security people didn't implement many of the suggestions long before you were externally assessed.
You might want to hire some competent folks.
Also, a security assessment being done by a potential customer is designed to confirm that you can do business together. It is *not* designed to prove how bad your security is.
My past experience with auditors who manage the reports from security assessments is that you fix the big things first, then move on to the smaller things.
Yes, that means you don't mention someone's password policy is not documented if they don't have security cameras at the front desk.
It sounds like the security assessors were doing their jobs. If they handed their employer a 15,000 page report with every nit-picky potential vulnerability ("employee observed leaving desk for almost a minute to talk with neighboring employee DID NOT LOCK SCREEN!"), they'd throw it back and tell them to provide the highlights and summary.
Security is not smoke and mirrors any more than a visit to the doctor's office is. If you broke your arm falling out of a tree, the fact that your 5 pounds overweight probably isn't that important. Likewise, if your datacenter doesn't have any physical access control, who cares if you're four months behind on patching the servers.
Gates because his security is tight!
Smoke, definitely no mirrors
Certainly in the highstreet name financial company I work for only a minority can see outside of the smoke to see what an insecure smokefest we've got.
If there were some mirrors, maybe some of our management would quickly be able to tell their arse from their elbows...
@Infosec is mostly voodoo
You've got half a point, but only half. It certainly sounds like you've run into a bunch of distinctly sub-average suppliers, but there are legitimate reasons for at least some of the changing advice you've been getting down the years, because best practices do evolve over time in the light of people's practical experience.
Meanwhile, you're expecting too much from the consultants/pentesters - well, or perhaps more likely, they're offering way too much and charging way too much in exchange for actually delivering way too little. The only meaningful kind of service they can provide - but it is at least a meaningful service - is an overview.
It's like when you buy a house: you hire a surveyor to look it over. And he'll go inside it, and poke around in the attic if there's access, and look at things, but it's not a top-to-bottom and inside-out architectural survey, and it's not meant to be. It's an external survey, and it's purpose is to make sure all the basics have been covered, that anything that ought to be /obvious/ has been spotted and attended to. But like the surveyor won't actually go digging up the foundations to look for problems, for example, so these kinds of security services don't actually address your entire organisational security needs.
If you're in a line of business where security is important to you, what you really need to do is to have someone on the team, a full-time permanent employee, who can be responsible for it. Someone who can be continuously fixing problems and improving procedures and preparedness. Security is a process, and it cannot be bought in a one-time-only off-the-shelf package.
Will always be an issue as long as individuals can have access to a system anonymously.
If security is an issue, then the access to an item of importance must require identification.
When people are responsible for their actions and know that by doing something, whether physically or on a network, that they will be held accountable, then there will be as much of a threat that someone will rob your database as there is someone may rob your bank. Although probably less depending on the monetary (or entertainment value) of your data.
What Snier is saying is that your database must be as secure as a bank is- and this is not by encorporating some third party to build a security megacenter right next to your bank, whether or not you man that megacenter isn't of issue.
No matter what, you'll always need physical police and security officers as you'll need virtual police and security officers -- but you still need a secure infrastructure in place.
I don't know how the AC above got from discussing his enhanced security posture to saying that infosec is dead or dying. That was some pretty good magic.
Always good for a joke
Please don't make me laugh. Why talk about security? What security?
The predominant operating system in the world allows you to execute stuff on someone else's computer in about two dozen different ways that I know of.
Without establishing a session!!!!
And it's designed deliberately that way.
And people buy it! Then they buy software to stop it.
The coup is empty fellows and I see the pigeon on the horizon.
That's because security is not a static environment, requirements and attack vectors *change*.
Whilst I agree some of the security "issues" should have been picked up in one pass not all ever will. Additionally if you're having a third party review, most companies will review you to THEIR policies/requirements/procedures; these WILL differ between companies, hence different findings for each review.
Also there are (and I hope always will be) differences in security requirements and opinions, there is no security god who is going to enter your premises, tell you whats wrong, you fix it and then you're secure. It doesn't work like that, to butcher a good cliche, "security is a journey, not a destination"
car vs computer
What exactly are you building your arguments on when critisizing the use of the car metaphor?
1. My PC cannot mow the lawn in my garden - neither can my car. Yes I can rebuild my PC with gadgets so it could control a lawn mover - but I can also put a lawn mower behind my car if we wish - takes some skill and effort - but to rebuild a PC does take skill too.
2. My pc can be used for many different things but not for all things - so can my car, I can drive different passengers in my car, A to B is not a collection of constants they are variables. Just like I can use MS Word to write different articles - I can use my car to drive to different destinations.
3. You say you can do things with your computer with a little tinkering. Well you can do 'new' things with your car with a little tinkering too. But these issues require competence and skill. So you can make your computer to give your dog food - but most people could not. And they also could not make the computer to go with their dog for a walk. Neither could they make their car to do that - so what?
4. I see no problem in that developers of software / hardware also take responsibility for security of their products. Where is the problem with the car metaphor? So all programmers are not security experts - this does not mean that software development companies could not take responsibility to hire in security expertise when developing their software. Just like all engineers developing cars are not experts in car related security (brakes, lights, locks, roll cage, seat belts etc.). Yes in its infancy the car industry could (and did) focus in making cars that took the driver from A to B without any security features. Even in racing it was common to focus for many years on engine performance and brake effectiveness was not relevant (as the famous reference to Enzo Ferrari where he supposedly said that they designed their cars to go fast not to go slow - as an excuse for not paying attention to developing good brakes).
Sorry but the car metaphor seems to be perfectly usable for many valid IT discussions. A metaphor is not the same as an allegory.
"My past experience with auditors who manage the reports from security assessments is that you fix the big things first, then move on to the smaller things."
ROFL. My experience with auditors and security assessments is that we end up teaching them their business, and then being billed for that learning. One year you'll be given a hard time by the auditor about a method, the next year they'll give us a hard time for not using that method fully enough. Obviously they've been to a conference in the intervening year and had a long deep drink of the KoolAid.
Your typical auditor will read a rule from a audit manual -- such as "all system accounts must be owned by a person and must not be shared". You'll then spend weeks explaining why the "root" account must exist (even if it need not be able to be logged into) and what all those system accounts the various daemons use are. We had to write a report listing every daemon account and the processes which use them.
This year we're teaching our auditor about ssh public keys, about using cfengine in preference to backups of non-data, and about application-specific firewalls. We'll be billed more than $10K for giving this education.
Paris, because auditors get around but still don't learn.
Come on, can you think that a security 'expert' that goes into an organisation, and just comes up with a 'nothing to look at here' is going to be trusted?
They HAVE to find something to justify their own existance, even it it is that you have to video everybody everywhere. The better you (and the previous expert consultants) are at the job in hand, the more trivial the next vulnerabillities become. And because they are just trying to find one or two things, they will stop once they have these one or two. Of course, this assumes that all the basics are covered.
It's when they start complaining that the screens can be read over the video links that they asked for, and whether the CCTV wires are Tempest complient or could be intercepted between the camera and the monitoring station that you really have to worry.
My view is, let a couple of minor but visible, easily fixable, holes be found,. Take the resultant report, fix them in no time flat, and everyone will be happy. You will get a 'Found something, had it fixed, everything OK now' report, and they will go away happy knowing that they have done the job. You will then not have to fix the trivial new vulnerabillities that they have not had to find.
I think the BOFH would aggree to this plan. Either that, or there will be some more mysterious accidents with lift doors opening at the wrong time!
Very well in theory
thats all very well in theory but there aren't billions of groups out there dedicated to the exploiting and overcoming of car security... you don't have millions upon billions of ways of exploiting cars like you do with computers. with code on the computer side of things there are millions of people out there that are constantly attacking and poking holes and they do get in...
Your metaphor is inadequate in comparing computers to cars... take for example computers against banks... YES you do upgrade a banks security all the time. The technology for access, monitoring systems procedures. The fact of the matter is that not enough people are constantly overcomming car security in a way that challenges the developers to upgrade their security... beyond installing bulletproof (which the average person cannot afford) a simple rock smash, grab and leg overcomes any security. with challenged security measures requires packages to be upgraded because we can protect our computers. i believe that having packages that we can control and substitute out for others is vital and it lets us choose. i personally would steer away from anything that costs money and go with open source i do agree that any commercially bought firewall/antivirus is crap
Re: Glen - My auditors are better than yours
At my last job, the IT Auditors were very competent. Audit, had regular book and paperwork auditors, but they also had a separate group of auditors with backgrounds in IT. Since it was a financial institution, the director put a heavy emphasis on IT compliance.
I hear it isn't going so well over there now. They've had a new director for a couple of years and he doesn't see why IT compliance and security is that important. He's focusing them on traditional auditing.
Where they used to be hiring IT specific auditors, now they are laying them off (sorry, I mean "rightsizing") and the talent that doesn't get shown the door is leaving on its own accord because the job is no longer fulfilling.
My new job is with a much smaller company about 1/6 the number of employees. From what I've heard about auditors here (haven't worked with them much), it may be more like what you say.
I guess I was spoiled at my last job by auditors who knew what I was talking about. :(
"thats all very well in theory but there aren't billions of groups out there dedicated to the exploiting and overcoming of car security... you don't have millions upon billions of ways of exploiting cars like you do with computers. with code on the computer side of things there are millions of people out there that are constantly attacking and poking holes and they do get in..."
Billions? which planet are you living on? Never mind the number let just assume that this is meant to suggest that there are a significant large number of people trying to poke holes to get in to IT system. Also it seems fair to assume that the suggestion is that there are fewer ways of exploiting cars etc...
Actually there are relatively few ways that can be used to poke holes into system. The problem is that there are many variations of those few ways. As new technologies develop more variations of 'old ways' show up. Very seldom does a security breach represent something completely new.
Historically the two most common causes for breaches are based either on social engineering or by drawing upon weaknesses in the technology. Some social engineering can be dealt with by 'education of the end-user' - but not all. The reason being that some approaches combine social engineering with perfectly valid processes of interaction where the user has no what so ever influence and must by definition act on trust. The IT community does not take its responsibility (E-Bay or Credit Card fraud anyone?). Most security issues and breaches do not seem to require much brut force or any superior intellect to succeed. Not many 'hackers' would exactly qualify to be the equals of the mythical 'rocket scientist'. The reasons for why many 'hackers' have become famous and described as 'geniouses' (without deserving that nomination) is not that all of them have been 'smart gurus' but that the systems they have broken into have been so ridiculously insecure. Often the system owner has been completely unaware of even basic insecurities of their systems. The creators of systems do not exactly bragg about their lack of attention to security.
There are many security issues that could have been avoided relatively easy if basic consideration had been taken into account at the design stage. Even worse - many security weaknesses are created by design. I think that end users have the right to expect that professional IT / IS designers should be more competent (in IT / IS security) when designing solutions than themselves.
I cannot justify approaches where IT specialists blame users for security problems and put the causes blatantly on users ignorance. To suggest that people should take responsibility for their IT security is only valid as an ideal proposition and only partly relevant because of the many very basic underlying security flaws in commonly applied architectural solutions. It would be as to suggest that the user should know about weaknesses that the designers of the system refuse to admit that they have introduced as part of the design - not a great idea I think.
banks and security
"YES you do upgrade a banks security all the time. The technology for access, monitoring systems procedures. The fact of the matter is that not enough people are constantly overcomming car security in a way that challenges the developers to upgrade their security"
Banks and IT security? Bad example - unfortunately for customers and also share holders I would say - banks do have a bad history when it comes to IT project and system security. And even more sadly - this does not look as if it is changing. Traditionally the systems developed have been developed with minimum security in mind. I would go so far that some systems I have seen have been utterly developed WITHOUT security in mind. Ignorance seems to be bliss in the banking sector. If you believe marketing talk - yes they are 'updating their security all the time' (where on earth did you get that reassuringly overconfident spin?). Are these the same banks being referred to who still today cannot create an overview of a customers complete relationship and transactions with themselves? (hint - lookup 'Basel' and banking).
Sorry banks are infamous in the IT security world for not doing their homework and for actively refusing to invest in IT security (cost saving). They do not generally speaking invest in IT security unless they are forced to (and then as little as they can get away with accompanied by spin) - they do however invest in strategies designed historically to push any inconvenient costs and blame on all other actors and stakeholders.
Look at how credit card issues have been handled:
1. To redistribute responsibility by talking about security issues by focusing on E-crimes with government and police.
2. To redistribute responsibility by changing the fineprint in contracts with consumers and also to change the name of transactions (see latest UK development in the way the banking sector is trying to re-define Credit Card payments to 'cash advances' (?) rather then to sort out their security issues).
3. If there is a risk that police investigations into security issues may point to embarassing security holes in their own processes and systems see to it that those investigations are moved in house and not registered as issues outside (Credit Card fraud investigations anyone?).
Yes banks do a lot (of money) - but IT security is something that they do as a result of being dragged kicking and screaming into the civilised society. Unfortunately for us in the UK - there is very little 'dragging' going on at the moment.
So what stand was Schneier on?
Oh, it was the BT stand right? The one where they are trying to sell HUGE amounts of managed services to corporates? The company that purchased Counter Pane, the company which Brucey used to sell HUGE amounts of managed services to corporates... and we are SUPRISED that he says that people should buy these services from ISPs and Telcos?
Yeah... thought not.
PARIS because in this case, she probably has much more of a clue...
- Nokia: Read our Maps, Samsung – we're HERE for the Gear
- Ofcom will not probe lesbian lizard snog in new Dr Who series
- Kaspersky backpedals on 'done nothing wrong, nothing to fear' blather
- Episode 9 BOFH: The current value of our IT ASSets? Minus eleventy-seven...
- Too slow with that iPhone refresh, Apple: Android is GOBBLING up US mobile market