“How many legs does a dog have if you call the tail a leg? Four. Calling a tail a leg doesn’t make it a leg.” — Abraham Lincoln
SANS maintains the @RISK bulletins, which summarize the most important vulnerabilities and exploits identified during the past week. Today, I was looking at the summary of updates and vulnerabilities and rather than seeing the individual vulnerabilities, I saw just the numbers. Look at these numbers since the beginning of the year:
| Platform | Number of Updates and Vulnerabilities |
| --- | --- |
| Microsoft Windows | |
| Microsoft Office | |
| Other Microsoft Products | |
| 3rd Party Microsoft Products | |
| Mac OS | |
| Linux | |
| BSD | |
| Unix | |
| AIX | |
| Solaris | |
| Cisco | |
| Novell | |
| Cross Platform | |
| Web Applications - Cross Scripting | |
| Web Applications - SQL Injections | |
| Other Web Applications | |
| Network Device | |
What you should notice is the pattern showing where the largest number of important vulnerabilities and exploits is occurring.
NIST defines a vulnerability as, “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” There are a lot of web-centric vulnerabilities in the above table. NIST publication SP 800-30: Risk Management Guide for Information Technology Systems defines risk as:
Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.
Maybe the years I have spent in security are making me cynical, but it seems that management tends to spend too much time looking back. They never realize the risks that are developing due to a changing environment. They want to fight the last war. History is littered with the disastrous results of those who followed that path. One of the most famous is provided by France in the aftermath of World War I. France adopted all these fortifications to prevent the Germans from repeating the August 1914 invasion that resulted in four years of bloody trench warfare. So the German generals developed the blitzkrieg, which was a new and terribly effective form of lightning fast warfare that simply went around and over the Maginot Line. If history teaches us anything, it is that only looking to yesterday’s method of attack is a losing defense. How much effort in your organization is going to address the various areas of vulnerability listed in the table above? It is definitely a different vulnerability listing than what we would have had in 2005. Not radically different, but changing.
Please do not misunderstand, you have to cover the tried and true. We are all familiar with the Gartner research report declaring intrusion detection system (IDS) technology had gone beyond the “peak of inflated expectations,” was rapidly sliding toward the “trough of disillusionment,” and would be obsolete by 2005. What I am saying is that companies that believe that today’s security technologies and practices will keep their corporate assets safe and secure while they sit back and relax, are as mistaken as Gartner was about IDS.
The IT Governance Institute (ITGI) released the IT Governance Global Status Report-2008. The report describes its purpose as “From July until October 2007 a survey reaching members of the C-suite was conducted to determine their sense of priority and actions, as well as tools and services needed, relative to IT governance, as well as their need for tools and services to help ensure effective IT governance.” It is an interesting report. The key finding from a security point of view is that members of the C-suite feel that security issues are not as serious as they were in 2005. The reason security issues are not perceived as the most significant problem anymore is because the respondents feel the situation surrounding the problems has improved.
Now, companies are doing much more in general to deal with security issues. IT governance and standards help organizations govern their IT resources. It is important to realize that some vulnerabilities are being addressed much better than others. Do we need to be more concerned about the “other” vulnerabilities, especially since the “other” vulnerabilities tend to be in new technologies? From the SANS @RISK bulletin, the vulnerabilities most organizations are not addressing are occurring at a faster rate. Our defenses are not strong and hackers are an agile lot. They are adjusting. As the role of IT within a corporation increases, the potential resulting impact of an incident increases. Hacking is transitioning to a capitalistic model with financial rewards, and serious threats are developing. Are companies at less risk now than they were in 2005?
Christofer Hoff, Chief Security Strategist, Architect, and CISO at Unisys did a series of posts on “Security and Disruptive Innovation.” The posts were from a keynote Chris gave at the Information Security Decisions conference. Chris did a great job addressing problems folks within the security community are facing. The keynote highlighted several areas of emerging and disruptive technologies, addressing how these technologies should be “embraced, addressed, and integrated into the security portfolios and strategic dashboards of all forward looking, business-aligned risk managers.”
Galileo once said, “All truths are easy to understand once they are discovered; …the authority of a thousand is not worth the humble reasoning of a single individual.” I think there is a reason that many true geniuses, like Émilie du Châtelet, seem to operate outside of the established doctrines of thought. Émilie was certainly outside of the Jesuit-controlled French education system. And we have all heard the stories of how Reverend G. B. Engle found a seven-year-old student to be too inquisitive, so he whipped him every time he asked a question. The good reverend also belittled Thomas Alva Edison, calling him “addled.” When Nancy Edison brought her son back the next day to discuss the situation with Reverend Engle, the reverend made her so angry with his rigid ways that she withdrew her son from the school. Fortunately Edison’s inquisitive mind was not beaten into submission.
I do not advocate basing one’s security on untrusted methodologies. That would be irresponsible business. We can all agree, despite what the last salesperson might have said, that there are no absolute security solutions. Businesses need to base their security on what is proven to work. IT governance and standards provide a solid framework to build upon. My argument is against this complacency that seems to be setting in. Does compliance bring about complacency? Matthew Lewis wrote an excellent paper, “IT Security and the Curse of Complacency,” where he discusses “the ‘curse’ of complacency in this regard, and the pitfalls associated with perceiving security as a self-deprecating function, as opposed to the ongoing process.” Security is a journey, not a destination. Businesses need to allow room for innovative thoughts and solutions, such as genetic fuzzing, Spatial-Temporal Correlation and Similarity, Aspect-Oriented Programming (AOP), etc. I have no idea if these new approaches are viable solutions, but I know we need to be listening. We need to question how we are addressing, not just today’s way of doing security, but the impact that disruptive innovation will have on the security of our business.
The ITGI report does state that while the respondents felt that security issues have improved, they believe these issues have priority, taking precedence over staffing and service delivery issues, which are at the top of the Compound Problem Index (CPI). While their outlook might be a tad optimistic, due to their stylish rose-colored glasses, the C-suites say they are listening. Maybe we can all learn something from the three-year-old Uno, who became the first of his breed to win best in show at the Westminster Kennel Club Dog Show. He is an inspiration to all of us who feel outgunned and are tasked with accomplishing something that has never been done before. Security professionals and C-suites only have to deal with hackers, auditors, stockholders, etc., but never poodles. I, for one, am glad about that. My white hat is off to Uno, who proved how much can change in three years. There is hope for us all.