2006-11-21

InfoSec Laws, Pt. 1, and 2007 predictions

Newton's Second Law applied to IT: An administrator at rest tends to stay at rest, unless acted upon by a force.
How many times have we had to pester system or network administrators to do something involving security? How many times do we have to keep asking them to do the same thing? Unfortunately, many of those outside of the security community tend to put all other priorities and notions above even the most immediate security needs. I've even seen this in the midst of a compromise or crisis. While this situation has certainly improved in the past 10 years, it has a long way to go. In that time, I've been trying to find a way to simply imply all of these problems, and I think I have finally found the answer in Newton. Thanks, Isaac!

The Jesus Principle of Intrusions: Seek, and ye shall find.
The past 8 months have been a watershed for me professionally, insofar as Incident Response is concerned. Through all of the digital trauma witnessed, most of which I cannot discuss here, I have come to conclude that the only reason any security analyst is not working on IR at any given time is simply because he or she has not found the security breach, not because there are no intrusions happening on the network. For a brief period of time, perhaps in 2004, the good guys had the advantage - finally. That has been marked ever since with a dramatic reversal. Our adversaries are far more skilled than in the late 90's and 2000's when the world first began to sincerely appreciate the problems of poor information security. Fortunately, we are too, but I feel the gap is just as large, if not bigger. They have new tools. We have the same old tools, in new, shiny packaging and perhaps an easier GUI. The result has been the constant compromise, to one degree or another, for a variety of reasons, of nearly every network of any significant size.

As 2007 rapidly approaches, I feel next year we as a society will begin to feel the repercussions of the security problems facing IT in a very different and much more serious way: in terms of national security of industrialized countries, the financial stability of big companies suffering from widespread, difficult-to-identify compromises, and measurable economic impact stemming from this and the large number of identity thefts happening recently. We've already seen the beginnings of this - media reports of foreign nation-states targeting military and contractor computer networks, ChoicePoint facing major problems as the result of its breach, and the recent revelation that 50 million US citizens have had their identities stolen. I feel a failure to properly address this as a society (or the industry's failure to effectively warn of it) will lead to serious consequences in 2007. Perhaps by the end of the year, after enough problems have surfaced, we will begin to debate reform and change perceptions. I think 2007 is the year to turn this corner, but only because of the large problems we will face that have long been predicted by security pundits.

As much as I hate to be a doom-sayer, my eyes were opened in 2006 to many of these problems simmering just below the surface. In a silver lining moment, I will say this: The worst that can happen is that we as a country continue to turn a blind eye to economic and national security problems related to Information Security, allowing them to undermine our economic well-being and defense posture. A watershed moment is just what we need, but it will be a painful path to walk when it comes.
