Perimeter
7/7/2011
02:30 PM
50%
50%

Simple Isn't Simple

It's time to admit security is hard, and to stop blaming the victims for being human

We hear it time and again in various articles and reports: "The breach could have been prevented by following common practices."

Sounds simple, doesn't it? All we have to do is focus on the basics, and the bad guys will move on to a softer target. All we need to do is train our developers to avoid SQL injection and cross-site scripting, and the world will be a better place. We just need to upgrade to the latest version of XYZ, keep our systems patched, and our children will sleep better at night.

I mean really, it's only the idiots and fools who are getting hacked -- the ones who reused a password, didn't scan their Web site code, or let their users click on a bad link in an email.

It isn't like we lack for checklists, standards, or frameworks. From ISO 27001 to PCI to BSIMM, we have no shortage of guides to security nirvana. Just follow these, and you should be able to stop all but the most determined attackers. Simple, isn't it?

Except simple doesn't scale, for any given value of the scale. Are you a small shop with only 10 employees and systems to manage? Woe on you if you stupidly spend more on the GUI for your product than the security within it. A large enterprise? How DARE you miss a single targeted phishing email and let a user open the attachment.

We security pundits, researchers, and vendors tend to forget how hard real-world operational IT is. If you're small, you can control more, but you have fewer resources at your disposal. If you're large, you still struggle for resources, but now at an enormous scale. It's a no-win situation because no one can be perfect all the time. Or even some of the time.

Take Web applications. In small companies, you can't really afford third-party secure development tools, and at best might be able to pay for a scan or two. Yes, there are freeware tools, but nothing is free when you have to pay someone to learn it. Train your developers? Yes, you should invest there, but developers are humans and prone to error, and even minimal training hurts the development cycles you need to sell the product and feed your families.

Are you larger? You might be able to afford every tool in the book, but now you have more applications and more developers to manage. Even something as simple as weeding out SQL injection is nearly impossible for a multinational with hoards of developers, contractors, and outsources. Nothing is ever simple at scale.

I'm not claiming security is impossible. I'm not saying we should give up. And, believe me, I'm not out defending mediocrity. But I am saying we need to recognize that it's hard at all levels. That even the easy parts are nearly universally difficult in practice.

This isn't one of those articles with answers. Sure, I can talk all day about how users need to operationalize security more, and vendors need to simplify, consolidate, and improve functionality. But in the end those problems are every bit as hard as everything else I'm talking about and won't be solved anytime soon. Especially since the economics aren't overly favorable.

But we can recognize that we rely on complex solutions to difficult problems, and blaming every victim for getting hacked isn't productive. Especially since you're next.

Security is hard. It's even harder at scale. And we need to stop pretending that even the most basic of practices are always simple, and start focusing on how to make them more effective and easier to manage in a messy, ugly, real world.

Rich Mogull is is founder of Securosis LLC and a former security industry analyst for Gartner Inc. Rich has twenty years experience in information security, physical security, and risk management. He specializes in cloud security, data security, application security, emerging security technologies, and security management. He is also the principle course designer of the ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
1.9 Billion Data Records Exposed in First Half of 2017
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/20/2017
Get Serious about IoT Security
Derek Manky, Global Security Strategist, Fortinet,  9/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.