Thursday, September 14, 2006

Say Goodbye Mr. Network Geek

I was intrigued by a recent blog post by Michael Farnum of An Information Security Place that laments yet another Microsoft vulnerability. Michael has decided to get out of his Information Security Manager role, and in my comment on his blog, I suggest we all do.

This led me to thinking a lot about security, and the "Three Legged Dog" of Confidentiality, Integrity and Availability. While these three "pillars" of information security must be understood and followed, the tasks within each of these practices have drastically changed in the last couple of years, and continue to do so at an alarming pace. While CIA defines the end goal, what we have really been doing lately is trying to stick our finger in a large dam that has already released its flood. We spend more time in defense of the corollary to CIA . . . DAD. We spend the majority of our time trying to prevent Disclosure, Alteration and Destruction, with almost 90% of that effort spent on Destruction.

Information Security workers have found themselves caught up in this wave of change. Originally, it was an important and vital job to track down the current virus threats, manage the Service Packs in [Pick your Windows flavor here], install the few hotfixes needed and call it a day. The rest of our time was spent on the important matters - defining the information we want to protect, striking the correct balance between 100% usable and 100% secure, gaining an in-depth knowledge of our environment and our user communities, training our communities on what was important and what was critical.

Remember the backlash that ensued when Microsoft reported that it would pool vulnerability information and release security announcements and fixes on the second Tuesday of every month? The big worry at that time was that there would be many more zero-day vulnerabilities to worry about, and that vulnerabilities could arise without the installed base being aware - leading to another Code Red or Sasser worm outbreak.

While that was a valid concern and continues to be true, what we really missed was how this single event changed the landscape of the typical information security worker's job. It was also one of the most brilliant marketing ploys ever foisted upon the public. While 1 or 2 vulnerabilities used to generate a firestorm of complaints and meaningful news, 8 new vulnerabilities released on Black Tuesday barely register a blip on true news sources. If you eliminate all of the pseudo news, like vendor security blogs and patch management companies hawking their wares, the news is fairly light. Unless, of course, someone finds the vulnerability before Tuesday, or the patch itself causes further problems.

What does this mean for us? It means that X number of vulnerabilities are announced every 20 working days. Adding to the problem, applying these patches to production systems has sometimes been problematic; multiply that by trying to figure out which vulnerability affects which system, and the job becomes full-time + a lot of hours * X. And this is only ONE software vendor.

Which leads me to the point of this article: We spend far too much time running down vulnerabilities from hardware and software vendors, and not enough time creating secure environments, understanding business needs, and finding the true security holes. Furthermore, it's very difficult to convince the executive teams that this is where the money should be spent.

Let's face it: software these days contains millions of lines of code; it's impossible to create without bugs, easy to break, and completely unpredictable. We have to face the future . . . these millions of lines of code do not belong on individual instances of millions of servers and PCs. What is the future? Largely, your servers will be moved to the cloud, core data will be aggregated to service providers, and network guys will be relegated to the black boxes they originally came from. Think about it: bandwidth will become large and cheaply available, and most of these services can be outsourced (Virus, Spam, Patch Management, etc.).

If there is a way to give the end user a better computing experience, reduce the cost of maintenance, and maintain or improve security, what is to keep companies from adopting this en masse?



2 comments:

Michael said...

"We spend far too much time running down vulnerabilities from hardware and software vendors, and not enough time creating secure environments, understanding business needs, and finding the true security holes. Furthermore, it's very difficult to convince the executive teams that this is where the money should be spent."

Nice post Karn, you nailed it. I have just picked up on this on my blog in the past few weeks. The market is still stuck worrying about getting viruses in their email to think about being proactive and securing their information.

A paradigm shift is needed, and coming.

elamb to info security guru said...

We definitely need a more proactive way to look at security. More of "whitelist" and "graylists" and not just "blacklists".