Wednesday, July 11, 2012

Vampiric Security - Dead and Still Kicking

In my posting How Hacker Targets Become Victims on the InfusionPoints blog site, I implied a little secret about the information security industry regarding the tools that we've come to believe are absolutely necessary. They are not as effective as you typically think they are. In fact, many are slowly sucking us dry without providing much value in return.

I started really understanding the effectiveness problem when working with a client IT manager. Despite having current anti-virus software on all of the machines in his organization, he routinely dealt with virus infections, often by wiping the computer operating system clean and installing it anew. He asked me to look into why his software wasn't working like he had expected.

When I researched the problem, I was startled by the results. Leading anti-virus vendors typically report virus effectiveness ratings of between 95% and 99%. However, those ratings represent a historical effectiveness on all known viruses and malware. When I was doing my research a few years ago, studies at the time showed that the effectiveness ratings for malware "in the wild," or actually active, were closer to 30%.

I dug further. I found instances where other classes of security software and hardware suffered similar troubles with effectiveness. Firewalls were blocking fewer actual attacks, intrusion detection systems were unable to cut through the network noise to identify the attacks, and login systems were getting undermined. Eight years ago at the RSA Security Conference, I proposed in a lecture that we give up on traditional "perimeter" technologies because they were no longer effective at providing security. Perhaps I wasn't so far off-base…just a bit ahead of my time.

It all points to what I refer to as a "problem of imagination." Current security controls are based on what we know and have a very limited ability to adjust to what we don't know. This may have been fine when networks were slower and hackers took more time to develop effective exploits, but the modern hacker is better, quicker, and more clever than her predecessor. Not only can she design an attack that effectively defeats those controls, she can often adapt faster than we can collectively respond.

The Man-in-the-Middle attack that I've been writing about recently is a great example of this. A bank can use the best login routines, provide one-time passwords, encrypt the traffic, check that the user's computer is authorized to connect, and none of it matters once the malware is installed. No matter how good the technology, the modern hacker can beat it.

It's our focus on technology that is the core problem. Purchasing IT products is not the same thing as building a solution. In fact, the more products that we string together, the harder it is to secure them.

Rather than do things the same way as we always have, it's time to begin implementing a more innovative information security strategy that favors people and process a bit more over technology.

The first step is to de-emphasize end-point control and focus more on information control. We typically begin engagements by examining business processes to understand vulnerabilities in how information flows versus what devices it flows through. With this methodology, rather than trust the end-point user computer system that accesses the bank account, the bank should assume that the end-point is vulnerable and put controls in place that provide greater levels of assurance than the end-point can provide. For example, some financial institutions have implemented a secondary automated authentication control that leverages a mobile phone to confirm an attempt to transfer funds from a business banking account. This would force the hacker to gain control of two very different end-points, and increase her level of effort so much as to make the target unattractive.

The second step is to identify points where business processes intersect and determine what vulnerabilities may arise from those intersection points. In keeping with the financial management example, one such point may be where a financial manager receives information about an invoice that needs to be paid through the bank account system. If the information is received via email, then the vulnerability is that the financial manager will likely need access to email on the same system that handles banking activities. A potential corrective action would be to send banking information to a separate dedicated email account that cannot receive external email. Such an action would be fairly effective at preventing the malware infections that enable the Man-in-the-Middle attack.

The third step would be to prioritize the vulnerabilities and proceed to identify people, process, and/or technology controls that can mitigate them.
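The first step above, treating the banking endpoint as already compromised and moving assurance to a second channel, is easier to reason about with a small model. The following is an added illustration written for this page, not the post's own code or any bank's implementation; the bank service, account identifiers, amounts and the "malware rewrites the request" behaviour are all constructed for the example. It contrasts two designs of the mobile-phone confirmation: one where the phone shows only a one-time code, and one where the phone shows the transfer details as the bank received them. Only the second design lets the user notice that a Man-in-the-Middle on the PC altered the payee and amount.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """A funds transfer as the bank receives it (constructed model)."""
    account_to: str
    amount_cents: int


class TransferService:
    """Bank side (hypothetical): a transfer submitted from the web session is
    held as pending until it is approved over a second, independent channel."""

    def __init__(self):
        self.pending = {}   # txn_id -> (Transfer, one-time code)
        self.executed = []  # transfers that actually moved money

    def request(self, t: Transfer) -> str:
        # Nothing moves yet; a pending record and a fresh code are created.
        txn_id = secrets.token_hex(8)
        self.pending[txn_id] = (t, secrets.token_hex(3))
        return txn_id

    def phone_message(self, txn_id: str, include_details: bool) -> dict:
        # What the bank pushes to the phone. With include_details=True the
        # message carries the payee and amount the *server* holds, which the
        # malware on the PC cannot rewrite.
        t, code = self.pending[txn_id]
        msg = {"code": code}
        if include_details:
            msg.update(to=t.account_to, amount_cents=t.amount_cents)
        return msg

    def confirm(self, txn_id: str, code: str) -> bool:
        # Execute only on a matching code; constant-time compare for the code.
        t, expected = self.pending.pop(txn_id)
        if not secrets.compare_digest(code, expected):
            return False
        self.executed.append(t)
        return True

    def reject(self, txn_id: str) -> None:
        self.pending.pop(txn_id, None)


def endpoint_submits(intended: Transfer, malware_active: bool) -> Transfer:
    """Model of the user's PC: the browser shows `intended`, but with malware
    present the request that reaches the bank is rewritten (constructed)."""
    if malware_active:
        return Transfer("MULE-ACCOUNT-000", 990000)
    return intended


def user_approves(phone_msg: dict, intended: Transfer) -> bool:
    """The user only sees what the phone shows. With no details in the
    message there is nothing to compare, so the user approves."""
    if "to" not in phone_msg:
        return True
    return (phone_msg["to"] == intended.account_to
            and phone_msg["amount_cents"] == intended.amount_cents)


def run(malware_active: bool, details_on_phone: bool) -> list:
    """Runs one transfer end to end and returns the transfers that executed."""
    bank = TransferService()
    intended = Transfer("ACME-SUPPLIES-123", 100000)  # constructed: $1,000.00
    txn = bank.request(endpoint_submits(intended, malware_active))
    msg = bank.phone_message(txn, details_on_phone)
    if user_approves(msg, intended):
        # The code typed on the PC can be relayed by the malware too, so the
        # code alone is not what protects the transfer.
        bank.confirm(txn, msg["code"])
    else:
        bank.reject(txn)
    return bank.executed


if __name__ == "__main__":
    print("clean PC, details on phone   :", run(False, True))
    print("infected PC, details on phone:", run(True, True))
    print("infected PC, code only       :", run(True, False))
```

The design point is that the second channel must carry the transaction as the server sees it, so that the person approving is comparing the bank's view with their own intent rather than with whatever the compromised browser rendered; a bare one-time code adds a second factor to the login but not to the transaction, and the infected-PC, code-only case above still executes the rewritten transfer.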

Technology is rarely the answer to solving hard problems. It merely represents something to distract yourself with to avoid those problems. What we need are innovative approaches that undermine the fear, uncertainty, and doubt that encourage us to spend without thinking and hope for the best. The modern hacker thrives on ignorance to attack us, and the product industry can leverage ignorance to suck our bank accounts dry, so arm yourself first with the knowledge you need to defend yourself and then get help when and where you need it.

This posting originally appeared on the InfusionPoints blog site on October 11, 2012.