Perimeter
7/7/2011
02:30 PM
Rich Mogull
Rich Mogull
Commentary
50%
50%

Simple Isn't Simple

It's time to admit security is hard, and to stop blaming the victims for being human

We hear it time and again in various articles and reports: "The breach could have been prevented by following common practices."

Sounds simple, doesn't it? All we have to do is focus on the basics, and the bad guys will move on to a softer target. All we need to do is train our developers to avoid SQL injection and cross-site scripting, and the world will be a better place. We just need to upgrade to the latest version of XYZ, keep our systems patched, and our children will sleep better at night.

I mean really, it's only the idiots and fools who are getting hacked -- the ones who reused a password, didn't scan their Web site code, or let their users click on a bad link in an email.

It isn't like we lack for checklists, standards, or frameworks. From ISO 27001 to PCI to BSIMM, we have no shortage of guides to security nirvana. Just follow these, and you should be able to stop all but the most determined attackers. Simple, isn't it?

Except simple doesn't scale, for any given value of the scale. Are you a small shop with only 10 employees and systems to manage? Woe on you if you stupidly spend more on the GUI for your product than the security within it. A large enterprise? How DARE you miss a single targeted phishing email and let a user open the attachment.

We security pundits, researchers, and vendors tend to forget how hard real-world operational IT is. If you're small, you can control more, but you have fewer resources at your disposal. If you're large, you still struggle for resources, but now at an enormous scale. It's a no-win situation because no one can be perfect all the time. Or even some of the time.

Take Web applications. In small companies, you can't really afford third-party secure development tools, and at best might be able to pay for a scan or two. Yes, there are freeware tools, but nothing is free when you have to pay someone to learn it. Train your developers? Yes, you should invest there, but developers are humans and prone to error, and even minimal training hurts the development cycles you need to sell the product and feed your families.

Are you larger? You might be able to afford every tool in the book, but now you have more applications and more developers to manage. Even something as simple as weeding out SQL injection is nearly impossible for a multinational with hoards of developers, contractors, and outsources. Nothing is ever simple at scale.

I'm not claiming security is impossible. I'm not saying we should give up. And, believe me, I'm not out defending mediocrity. But I am saying we need to recognize that it's hard at all levels. That even the easy parts are nearly universally difficult in practice.

This isn't one of those articles with answers. Sure, I can talk all day about how users need to operationalize security more, and vendors need to simplify, consolidate, and improve functionality. But in the end those problems are every bit as hard as everything else I'm talking about and won't be solved anytime soon. Especially since the economics aren't overly favorable.

But we can recognize that we rely on complex solutions to difficult problems, and blaming every victim for getting hacked isn't productive. Especially since you're next.

Security is hard. It's even harder at scale. And we need to stop pretending that even the most basic of practices are always simple, and start focusing on how to make them more effective and easier to manage in a messy, ugly, real world.

Rich Mogull is is founder of Securosis LLC and a former security industry analyst for Gartner Inc.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0121
Published: 2015-05-30
IBM Rational Requirements Composer 3.0 through 3.0.1.6 and 4.0 through 4.0.7 and Rational DOORS Next Generation (RDNG) 4.0 through 4.0.7 and 5.0 through 5.0.2, when LTPA single sign on is used with WebSphere Application Server, do not terminate a Requirements Management (RM) session upon LTPA token ...

CVE-2015-0191
Published: 2015-05-30
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-0191. Reason: This candidate is a duplicate of CVE-2014-0191. A typo caused the wrong ID to be used. Notes: All CVE users should reference CVE-2014-0191 instead of this candidate. All references and descriptions in this candid...

CVE-2015-0193
Published: 2015-05-30
Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.5.0 and WebSphere Lombardi Edition (WLE) 7.2.x through 7.2.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL...

CVE-2015-0733
Published: 2015-05-30
CRLF injection vulnerability in the HTTP Header Handler in Digital Broadband Delivery System in Cisco Headend System Release allows remote attackers to inject arbitrary HTTP headers, and conduct HTTP response splitting attacks or cross-site scripting (XSS) attacks, via a crafted request, aka Bug ID ...

CVE-2015-0743
Published: 2015-05-30
Cisco Headend System Release allows remote attackers to cause a denial of service (DHCP and TFTP outage) via a flood of crafted UDP traffic, aka Bug ID CSCus04097.

Dark Reading Radio
Archived Dark Reading Radio
After a serious cybersecurity incident, everyone will be looking to you for answers -- but you’ll never have complete information and you’ll never have enough time. So in those heated moments, when a business is on the brink of collapse, how will you and the rest of the board room executives respond?