Security - Stupid Is As Stupid Does

Sunday, June 12, 2011

J. Oquendo


Companies in the news for security breaches are now benefiting from newly found hindsight, acquired by way of not having had a security point of view in the first place.

That hindsight comes at a very high price, and it should come as no surprise that many more companies will continue to "benefit" from it in exactly the same expensive way.

I believe this because companies just don't get it. Having spent millions of dollars post-compromise, they rush off to apply band-aids where sutures are needed.

Anyone with an Internet connection who has looked at a news site in recent weeks has come to know their names: RSA, Sony, Nintendo, L3, Northrop, and the list goes on and on.

Where do these companies go wrong? With so much already being spent on security - firewalls, Intrusion Detection Systems, Intrusion 'Prevention' Systems, Intrusion 'Tolerance' Systems, Data Loss Prevention, *Certified Security Professionals*, standards, guidelines, and the list goes on - where and why are these companies failing?

The answer, if you ask me, is that most companies and/or security professionals quite simply do not care about real-world risk. It is simpler and more economically viable, in their minds, to pass the buck by making sure they "followed the rules."

This means they tend to establish a "baseline" security model based on guidelines such as NIST's and others. Bear in mind, however, that "by definition, following a guideline is never mandatory..." [1].

In the "tangible" world, where a buyer purchases and physically handles a product, the responsible company usually issues a recall when that product turns out to be defective. This was the case with Toyota, whose cars were recalled because they were faulty. On the Internet, however, there is little recourse against companies that get compromised.

Usually a small portion of those affected will grumble and groan and continue using the product. This is definitely the case with companies like Citibank, which was compromised recently [2], and Bank of America, which gets compromised again and again [3,4,5].

Unfortunately there is no immediate cure for security woes; however, there are real-world mechanisms that reduce risk to levels not even mentioned in most guidelines or certification books. The problem with these cures is that too many security managers and C-level types simply don't care to implement them. To them it looks like "wasted dollars," since they cannot measure its ROI with their voodoo metrics.

You know those voodoo metrics well; they are cleverly scrawled across every security-management certification you can find: ALE = SLE x ARO, or ROSI = R - ALE where ALE = (R - E) + T (the two formulas don't even agree on what ALE is). Too many security charlatans have flooded the arena with this nonsense for too long.

Can we say that Citi, BofA, L3 and the others never used these metrics? If they claimed they had not, they would be hurting their own reputations. So we can infer that the output of these metrics was useless, a statement about as obvious as "tomorrow is another day."

So how does the security industry change this backwards approach while keeping costs low and security high? Simple: take a different approach to security as a whole.

In a recent case [6], a judge ruled that a bank was not responsible for fraudulent transfers made from a customer's account. Both sides lose: the bank loses a customer, and the customer loses their money. Case closed. Now imagine the bank had a validation policy in place under which any transfer over N dollars had to be confirmed out of band, over the phone. That is extrusion prevention. The customer would likely have been notified, the transfer would not have gone through, and both bank and customer win. Something like this costs far less than the higher insurance premiums, loss of customer confidence and so on that follow a fraud.

In other instances, such as the Sony compromise, the cost of securing that network would have been far less than the estimated $170 million [7] they dished out afterwards. Yet the existing approach to security would still likely have led to a compromise, because companies look at security as "build a bigger wall, add a moat, throw sharks in the lake."

What they fail to see is that most current attacks are not "coming through the front door." Many are client-side attacks [8]: the attacker compromises a machine already inside the network (a malicious document, a browser exploit, a phishing link) and has that machine connect outbound, from the trusted side, to a server the attacker controls; once that channel is up, the attacker drives the machine through it. The perimeter lets the connection through because it is leaving, not entering. How do you defend against this? By defending the other side of the "wall" as well: build mechanisms to inspect, and restrict, what is leaving your network. Disgustingly simple, isn't it?
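Here is what "inspecting what leaves your network" looks like in practice, as an added example that is not from the original post: a small Python egress monitor run over constructed flow records. The flow-log line format, the internal address ranges, the default-deny egress policy (only the proxy, the mail relay and the resolver may originate web, SMTP and DNS traffic), the 50 MB volume threshold and the beacon-jitter tolerance are all assumptions made for the example, not anything the article or Sony's network specifies.

```python
"""Egress ("extrusion") monitor over constructed flow records.

Added example, not code from the original post. Assumed line format:
    <iso-timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto> <bytes_out>
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flows (not real traffic); documentation IP ranges only.
SAMPLE_FLOWS = """\
2011-06-12T10:00:00 10.0.0.5 51000 192.0.2.10 443 tcp 1200
2011-06-12T10:00:05 10.0.0.25 40000 198.51.100.7 25 tcp 8000
2011-06-12T10:00:10 10.0.1.17 49152 203.0.113.9 443 tcp 512
2011-06-12T10:00:12 10.0.1.17 49153 203.0.113.9 4444 tcp 300
2011-06-12T10:01:12 10.0.1.17 49154 203.0.113.9 4444 tcp 300
2011-06-12T10:02:12 10.0.1.17 49155 203.0.113.9 4444 tcp 300
2011-06-12T10:03:12 10.0.1.17 49156 203.0.113.9 4444 tcp 300
2011-06-12T10:05:00 10.0.2.40 50000 198.51.100.200 443 tcp 75000000
2011-06-12T10:06:00 10.0.0.53 5353 198.51.100.53 53 udp 90
2011-06-12T10:07:00 10.0.1.20 3389 10.0.1.21 3389 tcp 500
"""

# Assumed internal address space.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Hypothetical default-deny egress policy: (proto, dport) -> hosts allowed to originate it.
# Anything not listed is a violation, so a workstation going straight to the Internet
# on 443 (bypassing the proxy) is just as much a finding as a connection to port 4444.
EGRESS_ALLOW = {
    ("tcp", 80): {"10.0.0.5"},     # web proxy
    ("tcp", 443): {"10.0.0.5"},    # web proxy
    ("tcp", 25): {"10.0.0.25"},    # mail relay
    ("udp", 53): {"10.0.0.53"},    # recursive resolver
    ("tcp", 53): {"10.0.0.53"},
}
VOLUME_LIMIT = 50 * 1024 * 1024    # assumed: bytes out per host per window before we care
BEACON_MIN_COUNT = 4               # assumed: connections to one dst:port before testing regularity
BEACON_MAX_JITTER = 5.0            # assumed: seconds of std-dev between connections still "regular"


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def analyze(text):
    """Return (kind, src_host, detail) findings for internal -> external flows only."""
    findings = []
    out_bytes = defaultdict(int)          # per-host outbound volume
    per_dst = defaultdict(list)           # (host, dst, dport) -> connection timestamps
    for f in parse_flows(text):
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue                      # east-west and inbound traffic is out of scope here
        if f["src"] not in EGRESS_ALLOW.get((f["proto"], f["dport"]), set()):
            findings.append(("egress_policy", f["src"],
                             f"{f['proto']}/{f['dport']} to {f['dst']} not permitted for this host"))
        out_bytes[f["src"]] += f["bytes"]
        per_dst[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    for host, total in out_bytes.items():
        if total > VOLUME_LIMIT:
            findings.append(("egress_volume", host, f"{total} bytes out exceeds {VOLUME_LIMIT}"))
    for (host, dst, dport), times in per_dst.items():
        if len(times) < BEACON_MIN_COUNT:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if statistics.pstdev(gaps) <= BEACON_MAX_JITTER:   # near-constant interval = beacon
            findings.append(("beacon", host,
                             f"{len(times)} connections to {dst}:{dport} every ~{statistics.mean(gaps):.0f}s"))
    return findings


if __name__ == "__main__":
    for kind, host, detail in analyze(SAMPLE_FLOWS):
        print(f"{kind:14} {host:12} {detail}")
```

Run it and the workstation 10.0.1.17 shows up three ways: it reaches the Internet on 443 without going through the proxy, it uses a port no policy allows, and it does so every 60 seconds, which is what a command-and-control beacon looks like from the outside; the server 10.0.2.40 is flagged for pushing 75 MB out directly. The policy check needs no signatures at all, just a list of which hosts are supposed to talk out and how, and the beacon and volume checks only work if outbound flows are being recorded in the first place, which is the "extrusion monitoring" the paragraph above is asking for.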

Ask any security manager or C-level why they won't do this and you are likely to be bombarded with a hodge-podge of voodoo metrics (SLE = EF x AV x CTM, or ROI = ALE - ((ALE - (ALE - ALE2)) + T)); in other words, covering one's ass is far more important than getting the job done right. That is what security has boiled down to. Those responsible for this mess are usually people who have never been "in the trenches," so they don't understand the difference between "paper security" and "real-world" security.

Implementing extrusion detection and extrusion monitoring costs far less than a compromise. That is mere common sense, and I should not have to invent a crafty metric or algorithm to prove it. Do you think I could have put extrusion prevention, a SIEM and so on in place at Sony for, say, $17 million? Darn right I could; price-wise I could likely have come in under the $5 million mark, roughly a thirtieth of what the compromise cost, with a better ROI or ROSI (take your poisonous acronym pick) at the end of the day.

So when will security managers and C-level professionals get a clue and do the right thing? My guess is they will not. It is likelier that they will continue to follow the herd [9] and paint fuzzy pie charts filled with wondrous metrics that yield little at the end of the day. Companies will still get compromised, a few people will grumble and moan, and security will get back to business as usual as opposed to actually defending anything.

J. Oquendo
sil at infiltrated dot net  

Teresa Hessler Unfortunately (for customers) you are absolutely correct in your assessment of this dysfunctional situation. It's a matter of lack of integrity and good business ethics (responsibility to the consumer and investor).

Until consumers and investors are educated in layman's terms and make compliance demands on these companies (via their wallets), there is little chance that positive change will take place.
Eric Cissorsky You're dead on with this. All too many times I have seen companies choose cost over effectiveness. IMHO this is caused by organizations' focus on cost savings rather than effective solutions. Rewarding managers for saving money rather than making smarter purchasing decisions generally results in a conflict of interest: "Even though this product isn't as good as the other, it is cheaper, which will give me a larger bonus at the end of the year." This mindset needs to be changed to "Regardless of price I am going to choose the better solution because I will be held responsible in the event of a security breach."

The adage "You get what you pay for" is very applicable here. In one case I was evaluating DLP products. The bakeoff resulted in two vendors being selected. The first was only there because of a relationship between the C-level people at both the vendor and the customer. Unfortunately this product did not work very well; I could even make a very strong case that it didn't work at all. The second vendor's product performed amazingly well and aced all of our metrics.

When pricing info came in vendor B was almost $100,000 more than vendor A. Despite conclusive evidence showing vendor B was superior to vendor A in every single metric management still opted for vendor A based on price. I've seen a lot but this one really took the cake. Luckily I shouted loud enough and high enough to get vendor B selected but the fact that vendor A was even in the running defied logic and reason both. Seriously, does anyone think they are "saving" $100,000 by purchasing a product that does not deliver?

The bottom line is, until people are held personally responsible for their decisions, this problem isn't going anywhere.
JT Edwards The interesting question for me is: are they (or we) drinking the Kool-Aid? What I mean by this is how many of these organizations think this is really securing them and how many are simply doing it to CYA. When NSA comes out and says you can't be hack-proof, you really have got to start to rethink how you are doing things! I wonder how many companies out there assume they are secure until proven otherwise, versus the ones assuming they are not secure, or at least that they have vulnerabilities that WILL be exploited. One group probably sleeps better at night, but the latter is probably more secure. Not something a CIO or CSO wants to tell the CEO. There is going to have to be a paradigm shift at the C-level. They are far too used to fixing problems with technology and then moving on. Security is far too complicated for that.
Mike Meikle I fully agree with the above commenters' statements but will add a few more discussion points.

Security practices that will actually make a significant difference are hard to implement and not sexy. So they get short shrift at senior management.

Asset and Patch Management, executive-supported policies with appropriate procedures, etc. I've mentioned these topics and more in the various articles I have posted to Infosec Island.

The CIO and CISO need to market these concepts effectively to senior management and get their buy-in. Once that is done, they can be sufficiently funded and driven at the right level. CIOs and CISOs are not doing their job effectively on that front. So the organization's overall security posture will suffer and remain significantly more vulnerable.
J. Oquendo I think the most humorous and puzzling thing I am coming across when I read about compromises is that BCP slash DRM are not only ineffective but not even being implemented by some of these companies.

Take Sony, for instance: the outage lasted how long? Or what about RSA? It should have been "business as usual" after the breach, in the sense that they could have swapped their servers to hot standby in order to keep the business running while they did their analysis. By the same token, though, those replicated machines would have become compromised too, as they also likely had gaping holes.

Seriously though, what happened to some of these companies' BCP/DRM strategies? It goes to show that not only is security ignored, but BCP/DRM is also ignored. I think ANY C-level responsible for security should be put through the technical grinder and have to actually learn IT in PRACTICE before being allowed to make decisions. Otherwise, same old, same old: follow the herd.
Mike Meikle Mr. Oquendo,

Disaster Recovery and Business Continuity. Way too many of my clients or their strategic vendors have not had either. I cannot even wrap my mind around that concept. If I was CIO or CISO, I would be having a spasm if my organization was so unprepared.

The three most common examples of DR or BCP disaster I find are:

We Don't Have a DR Plan or BCP. It's Too Expensive and Don't We Do Tape Backups?

We Have a DR Plan and a BCP Plan! It Hasn't Been Updated in Three Years and Was Never Tested. It Also Includes a Helicopter That the CIO will Fly Around in to Coordinate the Disaster Response (true story).

We Have a Mostly Complete DR Plan That Has Been Partially Tested. What is a BCP?

Once again, unsexy processes or initiatives just don't get the attention they need because the CIO or CISO doesn't make them a priority. If they don't sell these concepts effectively to senior management, then they don't get addressed. Ergo, the CIO and CISO are not doing their jobs, period.
J. Oquendo Now the question remains, or should I say should be re-asked: how do we fix the broken wheels of security? The sad reality of the outcome is, it's insanely cheaper to do it the right way as opposed to waiting for the walls to come crumbling down.
Mike Meikle Well, in my view, CIOs and CISOs need to be more business savvy. It's great they know the finer details of IP addresses, firewall configs and JavaScript. But what the in-the-trenches IT pros who are under them need is someone who can speak on their behalf. These folks need to be able to communicate these hard yet necessary initiatives (DR, BCP, Asset Management) to the executives in terms they truly understand. Terms such as profit, loss, risk mitigation, public relations impact, customer retention, etc. They also need to be able to work with the Board of Directors as well.

I know it's hard for technologists to give up geeking out on the latest tech for the organization, but that's why you have top-notch employees who help you. Unfortunately IT has been historically terrible at communicating its needs and concerns. It needs to do a far better job. If not, the basic foundational processes that a secure environment relies on will go unanswered until the inevitable hack. Then there will be a flurry of activity, a few band-aids will be applied, and it will be back to talking about how cool our data center is and look at all the VMs we have!

IT Leadership is critical and it needs to know how to communicate and defend the important concepts and get the necessary business investment.
J. Oquendo I agree with the statement that "geeks" need to communicate more; however, I also know from experience that this was a huge issue in the past. We have come a long way from speaking technobabble to our managers to creating analogies to help them "get it." I think it's a two-way street here. See, from the techie side, I can speak on what needs to be done, but I also understand the business roles from far too much CISM/CISSP/CGEIT/ITIL reading and studying. As a techie, I "get it" from their perspective that they need to conform to budgets and meet obligations to "the moneybags."

This is the actual problem though, no one wants to speak out about what is really needed. If I were a shareholder, I would rather take say a .02 per share loss on security expenses versus say a .20 per share loss from a compromise.

Shareholders and those with a vested financial interest understand these risks, and I'm almost willing to bet anything they'd respect a "secure" perspective at a slightly lower gain versus losing even more from turning the other cheek.
Mike Meikle That's where the CIO really needs to be plugged into the Board of Directors. From there he/she can communicate the organizational risks and their impact if realized. This is where the decision could be made about shareholder value in relation to infosec expenditures.

I recently did a webinar on the topic of Risk Management for CIOs that covered how to communicate these issues to the Board. The problem with a lot of organizations is the CIO is still sitting at the kids table and doesn't have the authority to work directly with the Board. All of the CIO input is filtered through the CEO/CFO before it gets to the BoD.

But like you stated it's all about communication, packaging the information and getting it out effectively to the leadership and the shareholders.
Lucian Andrei Nice article. I completely agree with it.
According to my personal experience, and to what I have read in last months, I believe that all the security leaders must follow some form of offensive security training. I think that most of them understand how a compromise can take place, but they don't understand how easy it is to do it. Because of this they are putting the money in the wrong place.
Also, I think that in security a warrior mentality is needed. Policy correctness is not working; you must be a pit bull. Some security leaders consider themselves to be at a marathon: "We are doing better than X or Y. We have SIEM, policies, IDS...." In reality we are at war, and the enemy is getting better and better.
I already said somewhere that because of the lack of initiative, because of the ignorance, and maybe because of the internal policies, some companies are like Poland at the beginning of WWII. The Germans attacked them with tanks and they replied with light artillery and with cavalry. Worse, at the same time as the Germans they were attacked by the Russians.
Imagine being attacked from two sides at the same time. How do you defend yourself? Who and where is the enemy?
You are dead in hours, even before you knew it.
Afzal Khan All of the above are great comments and analysis. But comments like these are not really new or uncommon. Take the scenario: the CIO, the CEO and the Board "get it". Now my question would be: what's your solution(s) for proper protection (not BCP/DR)? Not asking for details. Maybe in three short sentences. Thanks.
Mike Meikle Mr. Khan,

Well if that was the case, here are my recommendations.

1. Pick an IT framework (ITCMF, CoBIT, etc.) and implement it fully. Senior management must support it aggressively.

2. Establish an Enterprise Risk Management practice that aligns both corporate and IT governance. No silos.

3. Use the data gathered from Risk Management to effectively address security risks.

Of course there is a lot more to it than those three, but I wanted to keep it short.
J. Oquendo @Afzal: Allow your technical staff to get the job done right by giving them the freedom and trust to implement correct solutions. These solutions may not conform to "pie chart and Gartner slash Forrester points of view", but you hired us for a reason, for our expertise.

Those would be my sentences with a hint of sarcasm slash humor. (Unsure why, it's a habit)
Afzal Khan Appreciate it, thank you! :)
Chris Blask @J - Nice article. The content is good, but the title is stellar. :~)
J. Oquendo @Chris, the hardest part when writing an article for me is actually the title ;) I ALWAYS try to make it stand out, as I believe the shock will 1) cause people to read it and 2) cause people to remember it. Nevertheless, when writing this one, it was the first thing that came to mind.
Johnny Wong @J. Bravo! You hit the nail on some of the issues I face. I liked the business-based approach because without the business, there's no IT; don't even need to mention security.

It sometimes seems so natural for security folks to embark on a vulnerability-based approach, i.e. seek to fix ALL vulnerabilities, without understanding what the threats are and what motivates these threats to do bad things. Attacks can still happen when you fix all issues, even down to the lowest-risk-score ones.

So what should we do differently? I think... UNDERSTAND THE BUSINESS ... seek to understand what's in it for them, what hits them most when it matters, what's at stake for them... then work from there. Like the extrusion piece, that demonstrates how well you know the business, how to limit damages, how NOT to lose customers.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.