The current state of the computer security threat landscape, it has been said, is a new cold war. I feel, regardless of how deeply this analogy holds, that lessons can be learned from it. Let's accept the cold war metaphor as an axiom for the moment.
It is widely agreed that the cold war between the United States and Soviet Union was decided by economics - quite simply, the US outspent the USSR. In an effort to keep up with American defense spending, the Soviets sent their economy into collapse. If we follow this lesson through our analogy, the problem of security boils down to one of economics, not complete security. Slowly, the truth that no computer system or network can be perfectly secured is being accepted by decision makers. Thus, the goal of computer security becomes to make the cost of compromise higher than the cost of some alternative open to the adversary. In a necessary divergence from the 20th century cold war, and one that makes the economics of computer security more difficult, we must understand that there is no terminal state. There is no Soviet Union to collapse, relaxing the obligation of net defenders. There will always be some entity with a computer and an ambiguous moral compass.
Economic efficiency therefore becomes the ultimate goal of security - to not just defend, but to defend in the cheapest possible way, so that the most robust defenses can be erected and compromising a network becomes too expensive to warrant investment as the adversary weighs its options for achieving its various ends. Ideally, this makes pursuing the same goal by legal and ethical means the more cost-effective option. Most likely, though, it just moves the problem to another entity or to an altogether different domain.
Understanding the threat landscape of the environment to be defended, in this paradigm, is paramount. Adversaries that are looking to save money by sharing games, videos, or music (classically referred to as warez) can quickly and cheaply be driven out of profitability when you consider the cost of a DVD is around $25. Quite a bit more effort (money) is necessary to outspend the likes of scammers and organized crime syndicates. Once espionage - nation-states attempting to achieve multibillion-dollar generational jumps in their military technology - comes into the picture, it's easy to see that the costs become staggering.
Why, then, are we not advocating threat-appropriate strategies for different industries? The defense industrial base and DoD are starting to diverge as an entity from the rest of the world, but this is an exception. Our collective mindset needs to change, and we need to begin by educating other security professionals. Computer security defense intelligence is needed in every industry, to map the computer security needs of an organization to the economics of its adversaries. This is how security is achieved.
2008-04-06
2007-10-28
User Education is NOT (necessarily) the Answer
In the past few years, user education has been all the rage in the security industry. Today, we are quick to point out that one of the biggest computer vulnerabilities is actually not in the computer at all, but rather the mound of carbon and water exerting force normal to the surface of the keyboard. Unfortunately, this externalization of the security problem has become an excuse for the shortcomings of IT and information security just as frequently as it is the actual cause of compromise.
While the computer industry largely neglected this important task until very recently, user education is not the panacea that we are making it out to be. Any time you hear about computer security failures, the response from "security experts" is always "patch and educate your users." This is important, but such a response trivializes the underlying complexity of computer systems and the persistence of the advanced and skilled adversary. Take the following example from Forbes discussing alleged security breaches at military contractors, which quotes Alan Paller, director of SANS:
'More important than the elusive identity of hackers is the question of how to keep them at bay. Paller recommends that corporate security offices teach employees to be on the lookout for fraudulent e-mails. Companies could "inoculate" staff by occasionally spoofing phishing e-mails themselves and then alerting their victims, Paller suggests.'
It's a shame that someone as highly visible and regarded as Alan Paller would take the opportunity to get a sound bite before, presumably, using his contacts to understand the facts, if any, behind the article. Regardless, this is a perfect example of what I'm talking about. User education can only go so far, and is unlikely to thwart dedicated attackers. To follow this example through, what if the attacker in question includes a signature in the email with legitimate contact information? What if the name in the From: line is someone the target knows? This information can be trivially forged, but it can also be just as trivially collected. Have you ever scrutinized emails that are "from" someone with whom you work, with their valid signature at the bottom, containing a Word document that seems to be topically relevant? Then why would your users? This goes further: adversaries can - and have - compromised real accounts, which they then use to spread infected documents. So in some cases even legitimate email can't be trusted.
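The forged-From: case above is one a mail gateway can check mechanically, which is precisely where a technical control should carry the load instead of the user. The following is an added example (not code from the original post) of a display-name impersonation check: it flags messages whose From: display name matches a known colleague while the address is not that colleague's directory address. The organization domain, the directory and the sample messages are all constructed for illustration; a real deployment would pull the directory from the corporate address book. It also shows the residual the post warns about: a message sent from a genuinely compromised account passes this check as "trusted".

```python
"""Display-name impersonation check for inbound mail (added example).

Classifies a message by its From: header against a constructed directory
of colleagues. The forged-From: case described in the post (a known name
over an outside or look-alike address) is flagged as 'impersonation'.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed values for the example; not from the original post.
ORG_DOMAIN = "example.com"
DIRECTORY = {
    "jane doe": "jane.doe@example.com",
    "bob smith": "bob.smith@example.com",
}

# Constructed sample messages, one per case the classifier distinguishes.
SAMPLE_MESSAGES = [
    # Genuine colleague address (also what a compromised real account looks like).
    "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 report\n\nSee attached.",
    # Known name, free-mail address, 'Last, First' display-name form.
    'From: "Doe, Jane" <jane.doe@mail.example>\nSubject: Q3 report\n\nSee attached.',
    # Known name over a look-alike domain that merely starts with ours.
    "From: Jane Doe <jane.doe@example.com.evil.test>\nSubject: Q3 report\n\nSee attached.",
    # Ordinary outside sender, no name collision.
    "From: Vendor Rep <rep@vendor.example>\nSubject: Invoice\n\nAttached.",
    # Internal address not (yet) in the directory.
    "From: New Hire <new.hire@example.com>\nSubject: Hello\n\nHi all.",
]


def normalise(name: str) -> str:
    """Lower-case a display name and turn 'Last, First' into 'first last'."""
    name = name.lower().strip()
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    return " ".join(name.split())


def classify_from(raw_message: str) -> str:
    """Return 'trusted', 'impersonation', 'unknown-internal' or 'external'.

    'trusted'          address equals the directory entry for that display name
    'impersonation'    display name matches a colleague, address does not
    'unknown-internal' address is in ORG_DOMAIN but the name is not listed
    'external'         everything else
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    known = DIRECTORY.get(normalise(display))
    if known is not None:
        # Exact address match is the only thing that counts; a domain that
        # merely starts with ORG_DOMAIN (look-alike) still fails this test.
        return "trusted" if addr == known else "impersonation"
    if domain == ORG_DOMAIN:
        return "unknown-internal"
    return "external"


def triage(messages):
    """Classify a batch of raw messages in order."""
    return [classify_from(m) for m in messages]


if __name__ == "__main__":
    for verdict, raw in zip(triage(SAMPLE_MESSAGES), SAMPLE_MESSAGES):
        print(f"{verdict:17s} {raw.splitlines()[0]}")
```

The check catches the two forged variants (an outside address under a colleague's name, and a look-alike domain) without any user involvement. The first sample, however, is indistinguishable from mail sent through a compromised account, so this control reduces the population of messages a user must judge rather than eliminating it.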
The bottom line is that user education is important. We all know it's important. But let's make sure it is given as the answer when it actually is the answer, and not as a reflex response to any and every notion of computer compromise. If that reflex isn't tempered, it will inevitably undermine the industry's credibility.