Thursday, June 02, 2005

Profound Words from the Past and Present

I recently mentioned writings by Marcus Ranum on "deep packet inspection" and related topics. This morning while browsing the firewall-wizards list I read a profound post by MJR. Here is the most powerful part:

"Basically, what's going on is that a lot of security practitioners are in the position of being asked to make something safe that is fundamentally dangerous. So we hide behind the notion of 'risk management' - basically the illusion that 'if we try hard to cover our butts it's less dangerous than otherwise.'

What that has accomplished is to create an environment in which security has NO CHOICE but to compromise because senior execs know that if they don't get the answer they want out of one security practitioner, they can keep asking until they get the answer they want out of another...

My feeling is that during the 90's we, as an industry, dug ourselves into a hole we're not going to be able to spend or risk manage our way out of. We did that by trying to deal with the 'real world' instead of demanding excellence, good design, and wise leadership."

Wow. That statement really made me question my role in the security industry and whether my contribution has been worthwhile.

For a sign that nothing has really changed in security, check out this thread from February 1998. It followed the release of a ground-breaking paper by Tom Ptacek and Tim Newsham. This seven-year-old thread is as applicable to the IDS vs "IPS" argument as any I've seen recently.

5 comments:

Jim Voorhees said...

It may be true that "Plus ca change..." in security, as you and Marcus Ranum suggest. But the nature of the Internet has been changing dramatically in the last decade. So have the requirements for security.

Remember that access to the Internet was once confined to a small number of like-minded people, mostly Americans in academia and government. It is now open to everyone, with an endless variety of expectations for the Internet, and an endless variety of approaches to it.

By analogy, the Internet was a small town. It has become New York. We didn't need to lock our doors before, now we do. We could safely walk anywhere, anytime. We now must be more careful.

And the changes continue. For one thing, the nature of the bad guys is changing. Instead of solo bandits, they are forming gangs and, perhaps, larger, more institutional agglomerations.

In this environment, is it surprising that things seem to be getting worse?

Anonymous said...

Be careful what you wish for. Poor design and smart hackers keep us security folks employed.

Martin said...

Fundamentally, the Internet really hasn't changed all that much since its inception. It has become more complex, the specific technologies have changed and the amount of traffic has increased a thousandfold. But the underlying concepts haven't changed much.

To continue with your city analogy, yes, you need to lock your door at night now, but you still live in a house. The fundamentals haven't changed, but the increase in population has caused you to be exposed to a larger number of vulnerabilities.

I could be wrong, but I'd be willing to hazard a guess that, overall, a particular system is better protected now than it was 10 years ago. On the other hand, there are just so many more people out there trying to break into the system that it's also much more likely to be compromised now than then.

Anonymous said...

The real world is about risk management and that applies equally to security. Just because something is insecure doesn't mean it doesn't deliver value. Just because a security practitioner knows how to knock out one risk, doesn't mean he can make the entire process totally secure, so it may simply not be worth the effort.

For some reason obscure to me at least, Internet security grew up with an expectation of no risks. As this isn't a realistic option - there are always risks - many Internet security people spent and continue to spend a lot of brain cycles crafting cunning mental pictures and logic to make the world look as if it were no-risk.

So when they come up against risks and risk decisions in the flesh, they have to create exceptions and simplifications. Classically, "insider threats" are assumed to not exist, and only hacker threats exist, even though insider losses and events generally outweigh external events. As they build more and more badly assumed exceptions, their mental framework becomes more and more unsuitable to deal with newer and more complex risks.

When a manager chooses to not close out a security hole that the security consultant knows how to close, this manager then must be wrong, a priori, in the minds of the consultant. It's really difficult to get past this point, until some sort of epiphany is reached and risk analysis becomes routine.

IMHO! Iang...

http://www.internetperils.com/risk.php

Richard Bejtlich said...

Thanks for the link to InternetPerils.com!