Do you ever feel that your trusted security providers are failing to tell you the whole truth? Would you like to hear what they aren't telling you? It is time for intellectual honesty. We entrust the security industry to protect us from unacceptable risk. However, competing vendor priorities often prevent them from sharing and discussing all security truths. Some "Lies of Omission" merely delay countermeasures. More serious "Dirty Secrets" have created and perpetuated unacceptable blind spots and exposure. First, we expose the 7 Dirty Secrets of the Security Industry. Second, we highlight key security trends deserving your attention. Lastly, we will outline practical ways to command intellectual honesty from your trusted security providers.
IBM Internet Security Systems
© Copyright IBM Corporation 2008
Unsafe at Any Speed: 7 Dirty Secrets of the Security Industry
Joshua Corman
Principal Security Strategist
Interop Vegas | April 30, 2008
Overview
- Ralph Nader’s Unsafe at Any Speed
- “7” Dirty Secrets of the Security Industry
- Key security trends deserving your attention
- Practical ways to command intellectual honesty from your trusted security providers
- Discussion and Q&A
Acknowledgements
Other “Dirty Secrets” Sources
- Bruce Potter at DefCon 2007
  - http://video.google.com/videoplay?docid=-4408250627226363306
- Rich Mogull’s “11 Truths We Hate to Admit”
  - http://www.darkreading.com/document.asp?doc_id=144600
- Chris Hoff [and James McGovern] “Top 10 [20] Mistakes CIOs make”
  - http://rationalsecurity.typepad.com/blog/2008/02/mcgoverns-ten-m.html
…and others who wish to remain nameless
The Obvious…
“But Josh…
…aren’t you part of the Security Industry?”
“Security is both a State and a Feeling”
-Bruce Schneier
“Security is both an Industry and a Sacred Trust”
-Joshua Corman
“security” vs “Security”
Unsafe at Any Speed - by Ralph Nader
- Published in 1965
- Challenged Automobile Safety
  - Chapter 1: The sporty Corvair
  - Chapter 2: Disaster deferred
  - Chapter 3: The second collision
  - Chapter 4: The power to pollute
  - Chapter 5: The engineers
  - Chapter 6: The stylists
  - Chapter 7: The traffic safety establishment
  - Chapter 8: The coming struggle for safety
- http://en.wikipedia.org/wiki/Unsafe_at_Any_Speed
7* Dirty Secrets of the Security Industry
#0
You don’t have to swim faster than the shark…
…only faster than your buddy…
Anyone here a Diver?
“7” Dirty Secrets of the Security Industry
#0 – Vendors do not need to be Ahead of the Threat
– they only need to be Ahead of the Buyer
#0 Ahead of the Threat – or Ahead of the Buyer
- Q: What is the GOAL of the Security Market?
- A: The goal of the Security Market is not to secure
  - The goal of the Security Market is to make money
“Myth: Security companies are smarter than hackers
Reality: Security companies are smarter than customers”
Robert Graham - CTO - Errata Security
“7” Dirty Secrets of the Security Industry
#1 – AV Certification Omissions
#1 – AV Certifications do not Test/Require Trojans
- Define “Definition”…
  - This has been a game of semantics
- Anti-Virus Certifications only test for the detection of “Replicating MalCode”
  - This means Viruses and Worms
  - This does not include non-replicating MalCode
  - This is primarily the WildList / WildCore
  - Over the years this has become more egregious
  - Trojans were once the minority
#1 – AV Certifications do not Test/Require Trojans
- Is this a big deal…?
- AV has a legacy of “Omission”…
  - New MalCode samples nearly DOUBLED the total of the prior 21 years, to >200,000
  - Trojans are now 75-80% of the new MalCode
  - Source: sophos-security-report-jun06-srus.pdf
  - Jan - Feb 2008: 1.1 MILLION unique samples
[Figure: MalCode types (Virus, Worm, Trojan, SPAM, Spyware, Bot, Spear Phishing, Designer Malcode, Rootkit, Ransomware) mapped against the countermeasures that address them (Signature AV, Behavioral Virus Prevention System, Content Filtering, Anti-Spyware)]
#1 – AV Certifications do not Test/Require Trojans
- NOTE: This may change
- AMTSO is attempting to address AV Certifications
  - ANTI-MALWARE TESTING STANDARDS ORGANIZATION
  - http://www.amtso.org/
  - Charter Meeting was in January of 2008
- Success will require scrutiny and accountability from YOU
  - Their customers
  - Vendors are financially motivated
- Will we Evolve? Or will History Repeat itself?
- “Quis custodiet ipsos custodes” - Juvenal, Satires, VI, 347
“7” Dirty Secrets of the Security Industry
#2 – There is no Perimeter…
[aka “Santa Claus, the Easter Bunny, the Perimeter, and other fairy tales”]
#2 – There is no Perimeter…
- If you still believe in “The Perimeter”, you may as well believe in Santa Claus…
#2 – There is no Perimeter…
- Redefining the Perimeter
  - The Endpoint is the Perimeter
  - The User is the Perimeter
  - The Business Process is the Perimeter
  - The Data is the Perimeter
- The Jericho Forum
  - http://www.opengroup.org/jericho/
“8. Network security is the result of a mistake, not an industry worth perpetuating. If it weren't for poor host security, insecure protocols, and no concept of data security besides the occasional encryption, we wouldn't need network security. It should be the goal of every security professional to make network security irrelevant. It will take generations, if it's even possible. But we should never forget that network security only exists because we've screwed up everything else.”
Rich Mogull, “11 Truths We Hate to Admit”, http://www.darkreading.com/document.asp?doc_id=144600
“7” Dirty Secrets of the Security Industry
#3 – Risk Management Threatens Vendors
#3 – Risk Management Threatens Vendors
- Vendors want you focused on the trees, so you will continue to miss the forest.
- Your Risk Priorities may not align with their product offerings
- Untapped Resources:
  - Education and Awareness
  - Hardening Configurations
- Who has had a failed security project?
“7” Dirty Secrets of the Security Industry
#4 – Psst… There is more to Risk than Weak Software
#4 – Psst… There is more to Risk than Weak Software
- The lion’s share of the Security Market is focused on Software Vulnerabilities
  - Research the Vulnerabilities
  - Scan for the Vulnerabilities
  - Shield the Vulnerabilities
  - Patch the Vulnerabilities
  - Report against the Vulnerabilities
- What if the software was PERFECT?
  - Would we be secure?
#4 – Psst… There is more to Risk than Weak Software
Attackers compromise systems in 3 ways:
1. Weak Software
   • Buffer Overflows
   • OS/Application Vulnerabilities
2. Weak Configuration
   • Default Configurations
   • Weak Passwords
   • Failure to Harden
3. Weak People
   • Malicious CODE
   • Social Engineering
   • Insider Threat
The shift to Malicious CODE…
MalCode does not NEED vulnerabilities
An explosion of innovation in Malicious Code…
“7” Dirty Secrets of the Security Industry
#5 – Compliance Threatens Security…
#5 – Compliance Threatens Security…
- NOTE: Compliance in and of itself is not a bad thing
  - Compliance in and of itself is not a good thing
- Resource/Budget Conflict
  - Split Focus
- Did Raising the Bar lower it?
  - Meeting Minimum Standards
  - “Security by Compliance” - John Pironti
- That which is easy to measure…
#5 – Compliance Threatens Security…
- Coach’s Secret Playbook?
- Your Security Blueprint?
[Image: a coach’s “TOP SECRET” book of football plays]
“7” Dirty Secrets of the Security Industry
#6 – Vendor Blind Spots Allowed for Storm
#6 – Vendor Blind Spots Allowed for Storm
- Storm thrives in the “leper colony”
- Storm eats AV for breakfast
- Storm MalCode does not need Vulnerabilities
- Storm leverages outstanding social engineering
- Storm is Self-Defending and Resilient
- It has been over a year
  - The Industry has still not evolved at the required rate
  - nor in the required ways
- More on Storm Strategies:
  - http://www.news.com/2324-12640_3-6230874.html?tag=podIndex
  - http://www.forbes.com/home/technology/2007/10/29/zombies-cybercrime-viruses-tech-security-cx_ag_1030zombies.html
“7” Dirty Secrets of the Security Industry
#7 – Security has grown well past “Do it yourself”
#7 – Security has grown well past “Do it yourself”
“Technology without Strategy is Chaos”
- Who here has children?
  - Car Seat Installation
#7 – Security has grown well past “Do it yourself”
- Let’s look at CoBIT
- Historically…
- Horizontal Issues
  - PCI
  - Data Security
- Business Process
  1. Cost
  2. Complexity
  3. Change Rates
[Figure: COST and COMPLEXITY, answered by SIMPLIFICATION. Responsible? Or? RESPONSIBLE SIMPLIFICATION]
Thoughts
[Figure: Rates of Change. EVOLVING THREAT and COMPLIANCE drive Risk; Countermeasures require AGILITY]
Thoughts
#7 – Security has grown well past “Do it yourself”
Example: Network DLP
- Solves the Majority
- All Network Leaks
- “Stopping Stupid”
[Figure: People / Process / Technology]
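The DLP point above, that a network content inspector “stops stupid” (the accidental, plaintext leak) but does not stop every network leak, can be shown with a toy policy engine. The block below is an added illustration and is not IBM ISS code nor the code of any DLP product; the regex rules, the Luhn filter for false positives, and the sample outbound messages are all assumptions constructed for the example.

```python
"""Toy network-DLP content inspector.

Added illustration (not IBM ISS or any vendor's code). It runs two assumed
policy rules over constructed outbound messages and shows which leaks a
pattern-based inspector catches and which it lets through.
"""
import base64
import re

# Assumed, simplified policy rules of the kind a regex-based DLP carries:
# 13-16 digits with optional separators (payment card), and a 3-2-4 SSN shape.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of `number`; trims false positives on
    arbitrary 13-16 digit strings (order numbers, timestamps)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text: str) -> list:
    """Return (rule, matched_text) findings for one outbound message."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append(("card", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    return findings


def inspect_outbound(messages: dict) -> dict:
    """Apply the policy to a batch; returns {name: 'BLOCK' | 'ALLOW'}."""
    return {name: ("BLOCK" if scan_message(body) else "ALLOW")
            for name, body in messages.items()}


# Constructed sample outbound traffic (not real data).
# 4111 1111 1111 1111 is a widely used test card number that passes Luhn.
ACCIDENT = "Hi Bob, the customer card is 4111 1111 1111 1111, please refund."
PLAIN_SSN = "Applicant SSN 123-45-6789 attached."
# The same card number, deliberately base64-encoded before sending.
ENCODED = "Here you go: " + base64.b64encode(b"4111111111111111").decode()
# The same card number split across two fragments.
SPLIT = "first half 41111111, second half 11111111"
CLEAN = "Lunch at noon? The order number is 20080430."

SAMPLES = {"accident": ACCIDENT, "plain_ssn": PLAIN_SSN,
           "encoded": ENCODED, "split": SPLIT, "clean": CLEAN}

if __name__ == "__main__":
    for name, verdict in inspect_outbound(SAMPLES).items():
        print(f"{name:10s} {verdict}")
```

The careless e-mail and the plaintext SSN are blocked; the encoded and split copies of the same card number sail through, and the order number is correctly left alone thanks to the Luhn filter. That is the slide's split in one run: a pattern-based inspector covers the majority of leaks, which are accidents, while a motivated insider or malcode that transforms the data before it leaves needs a different control.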
Hot Topics and Trends
- Massive Security Market Convergence
  - Impact of Choice
  - Impact of Complexity
- Data Security vs Technology Security
- Server Virtualization
- Web 2.0 and SOA
- Security vs Information Risk Management
- Acceleration of Threat Evolution (3 Ps)
  - Prestige
  - Profit
  - Politics
“7” Dirty Secrets of the Security Industry
0) Vendors do not need to be Ahead of the Threat – they only need to be Ahead of the Buyer
1) AV Certification Omissions
   - No accountability for Trojans
   - Not keeping pace with relevant Evolving Threats
2) There is no Perimeter… [or Santa Claus]
3) Risk Management Threatens Vendors
4) Psst… There is more to Risk than Weak Software
5) Compliance Threatens Security…
6) Vendor Blind Spots Allowed for Storm
7) Security has grown well past “Do it yourself”
Discussion
Thank you
Joshua Corman
Principal Security Strategist