Unsafe at Any Speed: 7 Dirty Secrets of the Security Industry

Post on 15-Jun-2015


DESCRIPTION

Do you ever feel that your trusted security providers are failing to tell you the whole truth? Would you like to hear what they aren't telling you? It is time for intellectual honesty. We entrust the security industry to protect us from unacceptable risk. However, competing vendor priorities often prevent them from sharing and discussing all security truths. Some "Lies of Omission" merely delay countermeasures. More serious "Dirty Secrets" have created and perpetuated unacceptable blind spots and exposure. First, we expose the 7 Dirty Secrets of the Security Industry. Second, we highlight key security trends deserving your attention. Lastly, we will outline practical ways to command intellectual honesty from your trusted security providers.

TRANSCRIPT

IBM Internet Security Systems

© Copyright IBM Corporation 2008

Unsafe at Any Speed: 7 Dirty Secrets of the Security Industry

Joshua Corman

Principal Security Strategist

Interop Vegas | April 30, 2008


Overview

• Ralph Nader’s Unsafe at Any Speed

• “7” Dirty Secrets of the Security Industry

• Key security trends deserving your attention

• Practical ways to command intellectual honesty from your trusted security providers

• Discussion and Q&A


Acknowledgements

Other “Dirty Secrets” Sources

• Bruce Potter at DefCon 2007

- http://video.google.com/videoplay?docid=-4408250627226363306

• Rich Mogull’s “11 Truths We Hate to Admit”

- http://www.darkreading.com/document.asp?doc_id=144600

• Chris Hoff [and James McGovern] “Top 10 [20] Mistakes CIOs make”

- http://rationalsecurity.typepad.com/blog/2008/02/mcgoverns-ten-m.html

…and others who wish to remain nameless


The Obvious…

“But Josh…

…aren’t you part of the Security Industry?”

“Security is both a State and a Feeling”

-Bruce Schneier

“Security is both an Industry and a Sacred Trust”

-Joshua Corman

“security” vs “Security”


Unsafe at Any Speed - by Ralph Nader

• Published in 1965

• Challenged Automobile Safety

Chapter 1: The sporty Corvair

Chapter 2: Disaster deferred

Chapter 3: The second collision

Chapter 4: The power to pollute

Chapter 5: The engineers

Chapter 6: The stylists

Chapter 7: The traffic safety establishment

Chapter 8: The coming struggle for safety

• http://en.wikipedia.org/wiki/Unsafe_at_Any_Speed


7* Dirty Secrets of the Security Industry

#0

You don’t have to swim faster than the shark…

…only faster than your buddy…

Anyone here a Diver?


“7” Dirty Secrets of the Security Industry

#0 – Vendors do not need to be Ahead of the Threat

– they only need to be Ahead of the Buyer


#0 Ahead of the Threat – or Ahead of the Buyer

• Q: What is the GOAL of the Security Market?

• A: The goal of the Security Market is not to secure

- The goal of the Security Market is to make money

“Myth: Security companies are smarter than hackers

Reality: Security companies are smarter than customers”

Robert Graham - CTO - Errata Security


“7” Dirty Secrets of the Security Industry

#1 – AV Certification Omissions


#1 – AV Certifications do not Test/Require Trojans

• Define “Definition”…

- This has been a game of semantics

• Anti-Virus Certifications only test for the detection of “Replicating MalCode”

- This means Viruses and Worms

- This does not include non-replicating MalCode

- This is Primarily the WildList / WildCore

- Over the years – this has become more egregious

- Trojans were once the minority


#1 – AV Certifications do not Test/Require Trojans

• Is this a big deal…?

• AV has a legacy of “Omission”…

[Chart: growth in MalCode samples]

- They nearly DOUBLED the prior 21 years to >200,000

- Trojans are now 75-80% of the new MalCode (Source: sophos-security-report-jun06-srus.pdf)

- Jan - Feb 2008: 1.1 MILLION unique samples


[Figure: threat evolution timeline from Virus, Worm, Trojan, SPAM, Spyware, Bot, Phishing, Spear Phishing, Designer Malcode, Rootkit and Ransomware, set against the countermeasures Signature AV, Behavioral Virus Prevention System, Content Filtering and Anti-Spyware]


#1 – AV Certifications do not Test/Require Trojans

• NOTE: This may change

• AMTSO is attempting to address AV Certifications

- ANTI-MALWARE TESTING STANDARDS ORGANIZATION

- http://www.amtso.org/

- Charter Meeting was in January of 2008

• Success will require scrutiny and accountability from YOU

- Their customers

- Vendors are financially motivated

• Will we Evolve? Or will History Repeat itself?

• “Quis custodiet ipsos custodes” - Juvenal, Satires, VI, 347


“7” Dirty Secrets of the Security Industry

#2 – There is no Perimeter…

[aka “Santa Claus, the Easter Bunny, the Perimeter, and other fairy tales”]


#2 – There is no Perimeter…

• If you still believe in “The Perimeter”, you may as well believe in Santa Claus…


#2 – There is no Perimeter…

• Redefining the Perimeter

- The Endpoint is the Perimeter

- The User is the Perimeter

- The Business Process is the Perimeter

- The Data is the Perimeter

• The Jericho Forum

- http://www.opengroup.org/jericho/

“8. Network security is the result of a mistake, not an industry worth perpetuating. If it weren't for poor host security, insecure protocols, and no concept of data security besides the occasional encryption, we wouldn't need network security. It should be the goal of every security professional to make network security irrelevant. It will take generations, if it's even possible. But we should never forget that network security only exists because we've screwed up everything else.”

Rich Mogull “11 Truths We Hate to Admit” http://www.darkreading.com/document.asp?doc_id=144600


“7” Dirty Secrets of the Security Industry

#3 – Risk Management Threatens Vendors


#3 – Risk Management Threatens Vendors

• Vendors want you focused on the trees, so you will continue to miss the forest.

• Your Risk Priorities may not align with their product offerings

• Untapped Resources:

- Education and Awareness

- Hardening Configurations

• Who has had a failed security project?


“7” Dirty Secrets of the Security Industry

#4 – Psst… There is more to Risk than Weak Software


#4 – Psst… There is more to Risk than Weak Software

• The lion’s share of the Security Market is focused on Software Vulnerabilities

- Research the Vulnerabilities

- Scan for the Vulnerabilities

- Shield the Vulnerabilities

- Patch the Vulnerabilities

- Report against the Vulnerabilities

• What if the software was PERFECT?

- Would we be secure?


#4 – Psst… There is more to Risk than Weak Software

The Hackers compromise 3 ways:

1. Weak Software

• Buffer Overflows

• OS/Application Vulnerabilities

2. Weak Configuration

• Default Configurations

• Weak Passwords

• Failure to Harden

3. Weak People

• Malicious CODE

• Social Engineering

• Insider Threat


The shift to Malicious CODE…


MalCode does not NEED vulnerabilities

An explosion of innovation in Malicious Code…


“7” Dirty Secrets of the Security Industry

#5 – Compliance Threatens Security…


#5 – Compliance Threatens Security…

• NOTE: Compliance in and of itself is not a bad thing

- Compliance in and of itself is not a good thing

• Resource/Budget Conflict

- Split Focus

• Did Raising the Bar lower it?

- Meeting Minimum Standards

- “Security by Compliance” - John Pironti

• That which is easy to measure…


#5 – Compliance Threatens Security…

• Coach’s Secret Playbook?

• Your Security Blueprint?

[Image: Coach’s TOP SECRET Football Plays]


“7” Dirty Secrets of the Security Industry

#6 – Vendor Blind Spots Allowed for Storm


#6 – Vendor Blind Spots Allowed for Storm

• Storm thrives in the “leper colony”

• Storm eats AV for breakfast

• Storm MalCode does not need Vulnerabilities

• Storm leverages outstanding social engineering

• Storm is Self-Defending and Resilient

• It has been over a year

- The Industry has still not evolved at the required rate

- nor in the required ways

• More on Storm Strategies:

- http://www.news.com/2324-12640_3-6230874.html?tag=podIndex

- http://www.forbes.com/home/technology/2007/10/29/zombies-cybercrime-viruses-tech-security-cx_ag_1030zombies.html


“7” Dirty Secrets of the Security Industry

#7 – Security has grown well past “Do it yourself”


#7 – Security has grown well past “Do it yourself”

“Technology without Strategy is Chaos”

• Who here has children?

- Car Seat Installation


#7 – Security has grown well past “Do it yourself”

• Let’s look at CoBIT

• Historically…

• Horizontal Issues

- PCI

- Data Security

• Business Process

1. Cost

2. Complexity

3. Change Rates


[Diagram: Cost and Complexity versus Simplification; “Responsible? Or?”; Responsible Simplification (Thoughts)]


[Diagram: Rates of Change; Evolving Threat and Compliance drive Risk, Agility drives Countermeasures (Thoughts)]


#7 – Security has grown well past “Do it yourself”

Example: Network DLP

• Solves the Majority

• All Network Leaks

• “Stopping Stupid”

[Diagram: People, Process, Technology]


Hot Topics and Trends

• Massive Security Market Convergence

- Impact of Choice

- Impact of Complexity

• Data Security vs Technology Security

• Server Virtualization

• Web 2.0 and SOA

• Security vs Information Risk Management

• Acceleration of Threat Evolution (3 Ps)

- Prestige

- Profit

- Politics


“7” Dirty Secrets of the Security Industry

0) Vendors do not need to be Ahead of the Threat – they only need to be Ahead of the Buyer

1) AV Certification Omissions

• No accountability for Trojans

• Not keeping pace with relevant Evolving Threats

2) There is no Perimeter… [or Santa Claus]

3) Risk Management Threatens Vendors

4) Psst… There is more to Risk than Weak Software

5) Compliance Threatens Security…

6) Vendor Blind Spots Allowed for Storm

7) Security has grown well past “Do it yourself”


Discussion


Thank you

Joshua Corman

Principal Security Strategist

jcorman@us.ibm.com
