Perimeter
7/7/2011
02:30 PM
Rich Mogull
Rich Mogull
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Simple Isn't Simple

It's time to admit security is hard, and to stop blaming the victims for being human

We hear it time and again in various articles and reports: "The breach could have been prevented by following common practices."

Sounds simple, doesn't it? All we have to do is focus on the basics, and the bad guys will move on to a softer target. All we need to do is train our developers to avoid SQL injection and cross-site scripting, and the world will be a better place. We just need to upgrade to the latest version of XYZ, keep our systems patched, and our children will sleep better at night.

I mean really, it's only the idiots and fools who are getting hacked -- the ones who reused a password, didn't scan their Web site code, or let their users click on a bad link in an email.

It isn't like we lack for checklists, standards, or frameworks. From ISO 27001 to PCI to BSIMM, we have no shortage of guides to security nirvana. Just follow these, and you should be able to stop all but the most determined attackers. Simple, isn't it?

Except simple doesn't scale, for any given value of the scale. Are you a small shop with only 10 employees and systems to manage? Woe on you if you stupidly spend more on the GUI for your product than the security within it. A large enterprise? How DARE you miss a single targeted phishing email and let a user open the attachment.

We security pundits, researchers, and vendors tend to forget how hard real-world operational IT is. If you're small, you can control more, but you have fewer resources at your disposal. If you're large, you still struggle for resources, but now at an enormous scale. It's a no-win situation because no one can be perfect all the time. Or even some of the time.

Take Web applications. In small companies, you can't really afford third-party secure development tools, and at best might be able to pay for a scan or two. Yes, there are freeware tools, but nothing is free when you have to pay someone to learn it. Train your developers? Yes, you should invest there, but developers are humans and prone to error, and even minimal training hurts the development cycles you need to sell the product and feed your families.

Are you larger? You might be able to afford every tool in the book, but now you have more applications and more developers to manage. Even something as simple as weeding out SQL injection is nearly impossible for a multinational with hoards of developers, contractors, and outsources. Nothing is ever simple at scale.

I'm not claiming security is impossible. I'm not saying we should give up. And, believe me, I'm not out defending mediocrity. But I am saying we need to recognize that it's hard at all levels. That even the easy parts are nearly universally difficult in practice.

This isn't one of those articles with answers. Sure, I can talk all day about how users need to operationalize security more, and vendors need to simplify, consolidate, and improve functionality. But in the end those problems are every bit as hard as everything else I'm talking about and won't be solved anytime soon. Especially since the economics aren't overly favorable.

But we can recognize that we rely on complex solutions to difficult problems, and blaming every victim for getting hacked isn't productive. Especially since you're next.

Security is hard. It's even harder at scale. And we need to stop pretending that even the most basic of practices are always simple, and start focusing on how to make them more effective and easier to manage in a messy, ugly, real world.

Rich Mogull is is founder of Securosis LLC and a former security industry analyst for Gartner Inc.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2012-0871
Published: 2014-04-18
The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/.

CVE-2012-6646
Published: 2014-04-18
F-Secure Anti-Virus, Safe Anywhere, and PSB Workstation Security before 11500 for Mac OS X allows local users to disable the Mac OS X firewall via unspecified vectors.

CVE-2013-4279
Published: 2014-04-18
imapsync 1.564 and earlier performs a release check by default, which sends sensitive information (imapsync, operating system, and Perl version) to the developer's site.

Best of the Web