Perimeter
7/7/2011
02:30 PM
Rich Mogull
Rich Mogull
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Simple Isn't Simple

It's time to admit security is hard, and to stop blaming the victims for being human

We hear it time and again in various articles and reports: "The breach could have been prevented by following common practices."

Sounds simple, doesn't it? All we have to do is focus on the basics, and the bad guys will move on to a softer target. All we need to do is train our developers to avoid SQL injection and cross-site scripting, and the world will be a better place. We just need to upgrade to the latest version of XYZ, keep our systems patched, and our children will sleep better at night.

I mean really, it's only the idiots and fools who are getting hacked -- the ones who reused a password, didn't scan their Web site code, or let their users click on a bad link in an email.

It isn't like we lack for checklists, standards, or frameworks. From ISO 27001 to PCI to BSIMM, we have no shortage of guides to security nirvana. Just follow these, and you should be able to stop all but the most determined attackers. Simple, isn't it?

Except simple doesn't scale, for any given value of the scale. Are you a small shop with only 10 employees and systems to manage? Woe on you if you stupidly spend more on the GUI for your product than the security within it. A large enterprise? How DARE you miss a single targeted phishing email and let a user open the attachment.

We security pundits, researchers, and vendors tend to forget how hard real-world operational IT is. If you're small, you can control more, but you have fewer resources at your disposal. If you're large, you still struggle for resources, but now at an enormous scale. It's a no-win situation because no one can be perfect all the time. Or even some of the time.

Take Web applications. In small companies, you can't really afford third-party secure development tools, and at best might be able to pay for a scan or two. Yes, there are freeware tools, but nothing is free when you have to pay someone to learn it. Train your developers? Yes, you should invest there, but developers are humans and prone to error, and even minimal training hurts the development cycles you need to sell the product and feed your families.

Are you larger? You might be able to afford every tool in the book, but now you have more applications and more developers to manage. Even something as simple as weeding out SQL injection is nearly impossible for a multinational with hoards of developers, contractors, and outsources. Nothing is ever simple at scale.

I'm not claiming security is impossible. I'm not saying we should give up. And, believe me, I'm not out defending mediocrity. But I am saying we need to recognize that it's hard at all levels. That even the easy parts are nearly universally difficult in practice.

This isn't one of those articles with answers. Sure, I can talk all day about how users need to operationalize security more, and vendors need to simplify, consolidate, and improve functionality. But in the end those problems are every bit as hard as everything else I'm talking about and won't be solved anytime soon. Especially since the economics aren't overly favorable.

But we can recognize that we rely on complex solutions to difficult problems, and blaming every victim for getting hacked isn't productive. Especially since you're next.

Security is hard. It's even harder at scale. And we need to stop pretending that even the most basic of practices are always simple, and start focusing on how to make them more effective and easier to manage in a messy, ugly, real world.

Rich Mogull is is founder of Securosis LLC and a former security industry analyst for Gartner Inc.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0640
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote authenticated users to bypass intended restrictions on resource access via unspecified vectors.

CVE-2014-0641
Published: 2014-08-20
Cross-site request forgery (CSRF) vulnerability in EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2014-2505
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to trigger the download of arbitrary code, and consequently change the product's functionality, via unspecified vectors.

CVE-2014-2511
Published: 2014-08-20
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop before 6.7 SP1 P28 and 6.7 SP2 before P14 allow remote attackers to inject arbitrary web script or HTML via the (1) startat or (2) entryId parameter.

CVE-2014-2515
Published: 2014-08-20
EMC Documentum D2 3.1 before P24, 3.1SP1 before P02, 4.0 before P11, 4.1 before P16, and 4.2 before P05 does not properly restrict tickets provided by D2GetAdminTicketMethod and D2RefreshCacheMethod, which allows remote authenticated users to gain privileges via a request for a superuser ticket.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.