Is Your Investment In Security Really Worth It? Article by Tony Bradley

Is Your Investment In Security Really Worth It?
Article by Tony Bradley at forbes/sites/tonybradley/2013/08/20/is-your-investment-in-security-really-worth-it/

Read the article and the SAGESecured Perspective (SP).

How much money has your company paid for computer and network security over the years? Hopefully it has provided some relative peace of mind, and protected you from the multitude of threats out there. However, recent cyber espionage attacks raise some questions about just how effective your security really is, and whether or not the security vendors are actually able to provide the protection they claim to be selling. No security solution is perfect, and security vendors in general are in a constant race with malware developers and cyber criminals. There will always be an attack that gets through somewhere, and you shouldn't expect to find any "silver bullet" impenetrable security solution. If any vendor promises you such a thing, run.

SAGEFirst Perspective: Very seldom have truer words been written. Given enough time and attention, all security can be thwarted.

However, when a new threat emerges there is an expectation that the security tools you have in place will detect the suspicious or malicious activity and prevent it. If nothing else, the security vendor will identify the new threat and develop the signature necessary to detect it so you can sleep easy.

SP: There really is no reason to expect conventional best practices to detect or prevent anything. All that can be said about conventional security is that it is an aftermarket afterthought.

When it comes to the latest breed of sophisticated cyber espionage threats, though, that doesn't seem to be the case.

The evolution myth

The commonly-held perception is that the malware threat has evolved over time. Going back to the LoveLetter virus in 2000, and on through Code Red, Nimda, and SQL Slammer in early 2003, malware was developed either by hobbyists just trying to see what could be done with malware, or script-kiddies seeking instant notoriety in underground communities. Eventually, malware developers decided to test the moral and ethical boundaries of what can be done with an exploit. Rather than just shutting down your computer, or crippling your network, attackers could capture sensitive data, or access your banking and financial information. Money, rather than fame, became a primary motivator.

SP: Whatever the motivation, worms, viruses, Trojan horses and similar exploits that involve the surreptitious loading and execution of arbitrary code... past, present and future can be permanently eliminated.

The lure of money raised the bar, and rogue punk cyber criminals were replaced with well-funded, organized, and efficient teams of professional cyber criminals. The attacks became more polished and refined. Massive botnets comprised of millions of compromised PCs were used to generate billions of spam and phishing emails to sap money from vulnerable and/or gullible users.

SP: Botnets only exist because of a design flaw common to all architectures of all operating systems. This design flaw has been carried forward uncritically since the earliest days of personal computers. That mistake involves the way access to system resources is allocated. The mistake is that people are authorized and authenticated to access, when instead it should be the applications that have such authorization.

Those attacks still cast a fairly wide net, though. In recent years we began to see a shift to precision attacks: "spear phishing" instead of "phishing". Cyber criminals upped their game and found that it was often more lucrative to fly under the radar and catch one big fish than it was to attack the whole Internet in search of guppies.

SP: Even with the proper allocation of access to system resources, social engineering via phishing will continue to be a problem.

Then came cyber espionage. Suddenly we have Operation Aurora, and Operation Night Dragon, and Stuxnet, Duqu, Flame, Gauss, and other threats being discovered. These cyber espionage threats are similar to other precision attacks, but seem like less of a concern to average businesses and consumers because the targets are high-profile companies like defense contractors, or enemy nations.

SP: To the extent exploits rely on the surreptitious loading and execution of arbitrary code... they can be prevented.

Faulty logic

There are two major problems with the commonly-held perception of how malware has evolved. First, as researchers dig into the cyber espionage attacks and trace their roots, we're learning that these threats are not new at all. They don't fit nicely into the timeline, because chronologically they actually date back to 2007 or earlier, and occurred in parallel with the earlier cyber crime eras.

SP: This suggests that either security people are slow learners or are satisfied with the status quo.

The second flaw in logic is that these attacks don't pose any risk to average businesses or consumers. Yes, the original targets of these complex, sophisticated attacks were military contractors and nation-states, but once the threat is discovered it becomes public domain.

SP: Attacks are going to continue as long as access to system resources continues to be allocated to and by people instead of where it needs to be: by the applications that owners of devices want to have run.

Cyber criminals can then reverse-engineer the attack, and adapt the innovations and attack techniques used for their own purposes. Case in point: Duqu is no longer considered a threat from a cyber espionage perspective, but one of the modular exploits from Duqu was still being detected as one of the most pervasive active attacks just a couple of months ago.

Your security vendor has some explaining to do

So, what's broken? How is it that all of the firewalls, intrusion detection and prevention, network monitoring and logging, and anti-malware tools in existence were apparently unable to detect a cyber threat running in the background for years?

SP: The answer to that question is simple: aftermarket, afterthought add-ons masquerading as security are dealing with symptoms instead of the actual cause, which is that access to system resources is being incorrectly allocated.

I posed the question to security vendors and security experts, and what I learned is that it's not as simple, not as black and white an issue, as I'd like to paint it.

"Yes, security as it is practiced today in many organizations is broken," confessed Wolfgang Kandek, CTO of Qualys. "Perimeter defenses ('hard shell, soft center') and signature-based malware programs have lost much of their effectiveness over the last few years."

SP: Perimeter guarding is not empirically very useful.

Kandek says that the rise of mobility has obliterated the "perimeter", and that attackers have invested heavily in building a malware development infrastructure capable of cranking out new malware variants so quickly that each one is essentially a unique, custom attack.

SP: Polymorphic exploits still abuse the same flaw in the basic architecture. Until that flaw in how access to system resources is allocated is corrected, there is no reasonable expectation of preventing the surreptitious loading and execution of arbitrary code.
Posted on: Sat, 24 Aug 2013 23:56:17 +0000