
Unsafe at Any Speed: 7 Dirty Secrets of the Security Industry


DESCRIPTION

Do you ever feel that your trusted security providers are failing to tell you the whole truth? Would you like to hear what they aren't telling you? It is time for intellectual honesty. We entrust the security industry to protect us from unacceptable risk. However, competing vendor priorities often prevent them from sharing and discussing all security truths. Some "Lies of Omission" merely delay countermeasures. More serious "Dirty Secrets" have created and perpetuated unacceptable blind spots and exposure. First, we expose the 7 Dirty Secrets of the Security Industry. Second, we highlight key security trends deserving your attention. Lastly, we will outline practical ways to command intellectual honesty from your trusted security providers.


Page 1: Unsafe at Any Speed: 7 Dirty Secrets of the Security Industry

IBM Internet Security Systems

© Copyright IBM Corporation 2008

Unsafe at Any Speed: 7 Dirty Secrets of the Security Industry

Joshua Corman

Principal Security Strategist

Interop Vegas | April 30, 2008

Page 2

Overview

• Ralph Nader’s Unsafe at Any Speed

• “7” Dirty Secrets of the Security Industry

• Key security trends deserving your attention

• Practical ways to command intellectual honesty from your trusted security providers

• Discussion and Q&A

Page 3

Acknowledgements

Other “Dirty Secrets” Sources

• Bruce Potter at DefCon 2007

- http://video.google.com/videoplay?docid=-4408250627226363306

• Rich Mogull’s “11 Truths We Hate to Admit”

- http://www.darkreading.com/document.asp?doc_id=144600

• Chris Hoff [and James McGovern] “Top 10 [20] Mistakes CIOs make”

- http://rationalsecurity.typepad.com/blog/2008/02/mcgoverns-ten-m.html

• …and others who wish to remain nameless

Page 4

The Obvious…

“But Josh… aren’t you part of the Security Industry?”

“Security is both a State and a Feeling”

- Bruce Schneier

“Security is both an Industry and a Sacred Trust”

- Joshua Corman

“security” vs “Security”

Page 5

Unsafe at Any Speed - by Ralph Nader

• Published in 1965

• Challenged Automobile Safety

Chapter 1: The sporty Corvair

Chapter 2: Disaster deferred

Chapter 3: The second collision

Chapter 4: The power to pollute

Chapter 5: The engineers

Chapter 6: The stylists

Chapter 7: The traffic safety establishment

Chapter 8: The coming struggle for safety

• http://en.wikipedia.org/wiki/Unsafe_at_Any_Speed

Page 6

7* Dirty Secrets of the Security Industry

#0

You don’t have to swim faster than the shark…

…only faster than your buddy…

Anyone here a Diver?

Page 7

“7” Dirty Secrets of the Security Industry

#0 – Vendors do not need to be Ahead of the Threat – they only need to be Ahead of the Buyer

Page 8

#0 Ahead of the Threat – or Ahead of the Buyer

• Q: What is the GOAL of the Security Market?

• A: The goal of the Security Market is not to secure

- The goal of the Security Market is to make money

“Myth: Security companies are smarter than hackers

Reality: Security companies are smarter than customers”

Robert Graham - CTO - Errata Security

Page 9

“7” Dirty Secrets of the Security Industry

#1 – AV Certification Omissions

Page 10

#1 – AV Certifications do not Test/Require Trojans

• Define “Definition”…

- This has been a game of semantics

• Anti-Virus Certifications only test for the detection of “Replicating MalCode”

- This means Viruses and Worms

- This does not include non-replicating MalCode

- This is Primarily the WildList / WildCore

- Over the years – this has become more egregious

- Trojans were once the minority

Page 11

#1 – AV Certifications do not Test/Require Trojans

• Is this a big deal…?

• AV has a legacy of “Omission”…

[Chart] Jan - Feb 2008: 1.1 MILLION unique samples – they nearly DOUBLED the prior 21 years to >200,000

[Chart] Trojans are now 75-80% of the new MalCode (Source: sophos-security-report-jun06-srus.pdf)

Page 12

[Diagram: malcode types – Virus, Worm, Trojan, SPAM, Spyware, Bot, Phishing, Spear Phishing, Designer Malcode, Rootkit, Ransomware – set against countermeasure categories: Signature AV, Behavioral Virus Prevention System, Content Filtering, Anti-Spyware]

Page 13

#1 – AV Certifications do not Test/Require Trojans

• NOTE: This may change

• AMTSO is attempting to address AV Certifications

- ANTI-MALWARE TESTING STANDARDS ORGANIZATION

- http://www.amtso.org/

- Charter Meeting was in January of 2008

• Success will require scrutiny and accountability from YOU

- Their customers

- Vendors are financially motivated

• Will we Evolve? Or will History Repeat itself?

• “Quis custodiet ipsos custodes” - Juvenal, Satires, VI, 347

Page 14

“7” Dirty Secrets of the Security Industry

#2 – There is no Perimeter…

[aka “Santa Claus, the Easter Bunny, the Perimeter, and other fairy tales”]

Page 15

#2 – There is no Perimeter…

• If you still believe in “The Perimeter”, you may as well believe in Santa Claus…

Page 16

#2 – There is no Perimeter…

• Redefining the Perimeter

- The Endpoint is the Perimeter

- The User is the Perimeter

- The Business Process is the Perimeter

- The Data is the Perimeter

• The Jericho Forum

- http://www.opengroup.org/jericho/

“8. Network security is the result of a mistake, not an industry worth perpetuating. If it weren't for poor host security, insecure protocols, and no concept of data security besides the occasional encryption, we wouldn't need network security. It should be the goal of every security professional to make network security irrelevant. It will take generations, if it's even possible. But we should never forget that network security only exists because we've screwed up everything else.”

- Rich Mogull, “11 Truths We Hate to Admit”, http://www.darkreading.com/document.asp?doc_id=144600

Page 17

“7” Dirty Secrets of the Security Industry

#3 – Risk Management Threatens Vendors

Page 18

#3 – Risk Management Threatens Vendors

• Vendors want you focused on the trees, so you will continue to miss the forest.

• Your Risk Priorities may not align with their product offerings

• Untapped Resources:

- Education and Awareness

- Hardening Configurations

• Who has had a failed security project?

Page 19

“7” Dirty Secrets of the Security Industry

#4 – Psst… There is more to Risk than Weak Software

Page 20

#4 – Psst… There is more to Risk than Weak Software

• The lion’s share of the Security Market is focused on Software Vulnerabilities

- Research the Vulnerabilities

- Scan for the Vulnerabilities

- Shield the Vulnerabilities

- Patch the Vulnerabilities

- Report against the Vulnerabilities

• What if the software was PERFECT?

- Would we be secure?

Page 21

#4 – Psst… There is more to Risk than Weak Software

The Hackers compromise 3 ways:

1. Weak Software

• Buffer Overflows

• OS/Application Vulnerabilities

2. Weak Configuration

• Default Configurations

• Weak Passwords

• Failure to Harden

3. Weak People

• Malicious CODE

• Social Engineering

• Insider Threat

Page 22

The shift to Malicious CODE…

Page 23

MalCode does not NEED vulnerabilities

An explosion of innovation in Malicious Code…

Page 24

“7” Dirty Secrets of the Security Industry

#5 – Compliance Threatens Security…

Page 25

#5 – Compliance Threatens Security…

• NOTE: Compliance in and of itself is not a bad thing

- Compliance in and of itself is not a good thing

• Resource/Budget Conflict

- Split Focus

• Did Raising the Bar lower it?

- Meeting Minimum Standards

- “Security by Compliance” - John Pironti

• That which is easy to measure…

Page 26

#5 – Compliance Threatens Security…

• Coach’s Secret Playbook?

• Your Security Blueprint?

[Image: Coach’s TOP SECRET Football Plays]

Page 27

“7” Dirty Secrets of the Security Industry

#6 – Vendor Blind Spots Allowed for Storm

Page 28

#6 – Vendor Blind Spots Allowed for Storm

• Storm thrives in the “leper colony”

• Storm eats AV for breakfast

• Storm MalCode does not need Vulnerabilities

• Storm leverages outstanding social engineering

• Storm is Self-Defending and Resilient

• It has been over a year

- The Industry has still not evolved at the required rate, nor in the required ways

• More on Storm Strategies:

- http://www.news.com/2324-12640_3-6230874.html?tag=podIndex

- http://www.forbes.com/home/technology/2007/10/29/zombies-cybercrime-viruses-tech-security-cx_ag_1030zombies.html

Page 29

“7” Dirty Secrets of the Security Industry

#7 – Security has grown well past “Do it yourself”

Page 30

#7 – Security has grown well past “Do it yourself”

“Technology without Strategy is Chaos”

• Who here has children?

- Car Seat Installation

Page 31

#7 – Security has grown well past “Do it yourself”

• Let’s look at CoBIT

• Historically…

• Horizontal Issues

- PCI

- Data Security

• Business Process

1. Cost

2. Complexity

3. Change Rates

Page 32

Thoughts

[Diagram: Cost, Complexity, Simplification – “Responsible? Or?” – Responsible Simplification]

Page 33

Thoughts: Rates of Change

[Diagram: Evolving Threat, Compliance, Risk, Agility, Countermeasures]

Page 34

#7 – Security has grown well past “Do it yourself”

Example: Network DLP

• Solves the Majority

• All Network Leaks

• “Stopping Stupid”

[Diagram: People, Process, Technology]

Page 35

Hot Topics and Trends

• Massive Security Market Convergence

- Impact of Choice

- Impact of Complexity

• Data Security vs Technology Security

• Server Virtualization

• Web 2.0 and SOA

• Security vs Information Risk Management

• Acceleration of Threat Evolution (3 Ps)

- Prestige

- Profit

- Politics

Page 36

“7” Dirty Secrets of the Security Industry

0) Vendors do not need to be Ahead of the Threat – they only need to be Ahead of the Buyer

1) AV Certification Omissions

• No accountability for Trojans

• Not keeping pace with relevant Evolving Threats

2) There is no Perimeter… [or Santa Claus]

3) Risk Management Threatens Vendors

4) Psst… There is more to Risk than Weak Software

5) Compliance Threatens Security…

6) Vendor Blind Spots Allowed for Storm

7) Security has grown well past “Do it yourself”

Page 37

Discussion

Page 38

Thank you

Joshua Corman

Principal Security Strategist

[email protected]