Infectious Thoughts

• Home
• About
• Blog

Information Security - The Vicious Cycle

Sun 29 Mar 2015

The Security Industry

Let's take a moment to reflect on the Industry that has been created around Information Security.

Growing threats continue to plague our digital existence:

• Bad Actors
  • Pranksters, DDoS'ers, and Defacers
  • Industrial Espionage
  • Self-Inflicted Data Leaks
  • Organized Crime
  • State Sponsored Blackhats
  • Government Interference and Backdoors
  • Terrorists

In response to these threats, we have a number of different solutions available.

• Security Appliances and Software:

  • Network Firewalls
  • WebApplication Firewalls
  • Intrusion Detection/Prevention
  • Mobile Device Management
  • Data Loss Prevention devices
  • Network Security Monitors
  • VPN Terminators
  • SIEMs
  • AntiMalware
  • AdBlockers

• Security Services:

  • Penetration Testing
  • Application Testing
  • Physical Penetration Testing
  • Social Engineering Assessments
  • Vulnerability Assessments
  • Managed Security Services
  • Regulatory Compliance Audits

After all these different products, services, and regulations, where are we?

* Automotive:

• A recent Senate report reveals that there is a clear lack of appropriate security measures to protect drivers against hackers

* Financial Services:

• Kaspersky just released a detailed report on Carbanak, a major criminal campaign on financial institutions world wide.

* Healthcare payers and providers:

• Last year's data breach of Community Health Systems
• Insurance company Anthem BlueCross announces its data breach

* Power and Utilities:

Incidents detected by power and utilities respondents skyrocketed in 2014, with compromises attributed to sophisticated adversaries like foreign nation-states and organized crime showing the highest year-over-year growth. Attrition in critical strategies, processes, and personnel skills, as well as erosion in fundamental cybersecurity initiatives, may further intensify risks.

* Retail and Consumer:

Respondents detected 19% more security incidents in 2014, including several very high-profile retail data compromises. Despite the publicity, information security budgets declined over 2013. We also found shortcomings in data governance, increasing threats from third parties and insiders, and a lagging commitment to key strategic security practices.

The list continues to grow:

• Sony
• Target
• K-mart
• Staples
• Home Depot
• Goodwill
• UPS
• Albertsons
• Michaels
• Sally Beauty and more...

* Technology:

Major open-source technologies that make up the fabric of the internet have been drawn into the limelight as Security Vulnerabilities started taking on named personifications:

• OpenSSL: HeartBleed, POODLE, FREAK, Bar Mitzvah
• Bash: ShellShock
• GlibC: GHOST

Further, you need only look to Packet Storm Security to see the long list of vulnerabilities found in major software products, including those Security Solutions designed to protect from security attacks.

Misplaced Spending

Lenny Zeltser did a great job at summing up the Worrisome state of the Information Security Industry

• Security tools don’t cater to our needs.
• Security vendors misrepresent their products’ capabilities.
• Security professionals preach security to those who already recognize its importance.
• Security spending is allocated without regard for risks or business needs.
• Organizations are stuck in the Plan-Do-Check-Act cycle of bureaucratic security programs.
• Security assessments are scoped without reflecting real-world threat scenarios.

Conflicting Priorities

The Security Industry has become imbalanced and lost in its own maelstrom of self perpetuation and justification.

It has become apparent that this approach is an unwinnable game of wack-a-mole.

Trends toward tighter deadlines, continuous integration, faster deployments, more data-mining, and less obstacles for users to click-through are in competition with priorities meant to ensure stability, provide security, and enable accountability; all of which -slow down- the machine.

Investments gravitate toward "turn-key" solutions and contractual services that can serve to check a box, or plug a hole.

Breach remediation may even take a turn toward being counted as the cost of doing buisness.

Worldwide Security and Vulnerability Management has been valued at an estimated 5.7 Billion dollar market

Researchers flock to Penetration Testing, and Vulnerability discovery, where the notoriety and money are. The payout from Pwn2Own recently topped $440,000.00 for 21 critical bugs found in all major web browsers.

Bug bounty programs are seemingly everywhere.

Yet, where are the competitions for designing fault tolerant software and products in the first place? We have gladiator-like events encouraging the brightest minds in the field to break software.

Where are the contests and incentives encouraging these same bright minds in the industry to build fortified software that the world can benefit from???

Sure, you can break it... but can you build it!?

The real investment we need is: quality. Higher quality products, higher quality behaviors, processes, and procedures; Things that can be difficult for businesses to justify when the clock is ticking and time is working against them.

Just as TProphet has recently suggested, It's time to do Infosec Differently. The serious conversations need to start now.

Whether you manufacture Firewalls, or Automobiles, no vendor is immune to the bad habits and mistakes that are at the core of these security holes.

SuperNova of the Internet of Things

The next revolution is before us. It presents a distinct opportunity for major evolution, or catastrophic failure in our existing fragile infrastructure.

So much of the complexities of the world around us is hidden from view. Many every day devices and services rely on the obscurity of their design to protect from tampering.

We've already begun interconnecting these devices, it hasn't taken long to discover the magnitude for potential disaster.

• Gas Pumps have been found connected and exposed to the raw internet
• Wireless medical devices have been called into question over security concerns.
• Aircraft hacking demonstrations have become en vogue.

These flaws stem from the imperfection of human nature and to combat them will require a change in behavior that breaks the cycle; continuing to try to thwart these vulnerabilities with more products will only serve to make the attack surface area larger.

We need to strive for better harmony between builders and breakers; security literally hangs in the balance.

-Enigma

Copyright Infectious Thoughts