Friday, May 04, 2007

Response to Bruce Schneier Wired Story

In Do We Really Need a Security Industry? Bruce Schneier writes:

The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure.

Bruce is right if you confine yourself to thinking that "secure" is the same as "zero vulnerabilities." This is one-dimensional thinking and correct as long as you stay within that one dimension. As I defined in The Tao of Network Security Monitoring, security is the process of maintaining an acceptable level of risk. I defined (using the common method) risk as the product of threat, vulnerability, and asset value, or R = T X V X A.

When thinking of security within the context of risk (which is what Bruce should be doing), that means I could also say the following:

  • The primary reason the IT security industry exists is because IT products and services expose vulnerabilities.

  • The primary reason the IT security industry exists is because IT products and services are confronted by threats.

  • The primary reason the IT security industry exists is because IT products and services are valuable.


Therefore:

  • If the IT products we purchased didn't expose vulnerabilities out of the box, we wouldn't have to spend billions every year making them secure.

  • If the IT products we purchased weren't confronted by threats out of the box, we wouldn't have to spend billions every year making them secure.

  • If the IT products we purchased weren't valuable out of the box, we wouldn't have to spend billions every year making them secure.


Reducing any one of those three components to zero would eliminate risk. Bruce sounds like he wants to work on the vulnerability side of the equation, but complete invulnerability is impossible. I prefer reducing the threat component through deterrence, apprehension, prosecution, and incarceration, but that is also not completely achievable. Reducing the asset value is probably not realistic. Therefore, risk always remains.

On a minor note, Bruce is also wrong strictly on the vulnerability side. Because security is the process of maintaining an acceptable level of perceived risk, security is different for everyone. I may be willing to pay a lot more for what I consider to be a "secure" product or service compared to another party. The vendor may not wish to devote the additional resources to "security" (really vulnerability reduction) that I desire. Alternatively, I may need the product or service for compatibility reasons (think interfaces with customers or partners) but not trust that vendor (think Microsoft's integration of security into the OS). In both cases, I can turn to a third party who works to improve the "security" of that product or service.

Hence, the security industry is born, and will continue to exist.

13 comments:

jbmoore said...

Bruce is trying to say that if many IT products weren't poorly designed, there would be fewer vulnerabilities. But the problem has to do with people's perceptions. Often, people prefer glitter and polish to functionality. Programmers spend 90% of effort on functionality and 10% on the interface only to be confronted with customers who don't like the interface and don't like the product even though it may be superior to any other product out there. The customer can only judge the product by what they see, not what is hidden without thorough testing and few procurement people thoroughly test software products. Joel Spolsky pointed this out as well. He noted that many people are superficial. The iPod looks cool, but you can't change the battery. The number two competitor to the iPod lets you change the battery and it has more functionality, but it looks drab compared to an iPod. SUVs look safer than cars, but their mortality rate is twice as high as a car because SUVs are classified as trucks and have lower safety standards to begin with. But they look safer because you are higher off the ground and can see over traffic. That height means that they are prone to rollover due to the higher center of gravity. It comes down to people not being educated about judging risks well and relying on flawed perceptions based on superficial appearances. VW advertises their cars based on their safety, but many car makers use sex to sell their vehicles. Your equation shows this as well. The only known variable is value. Vulnerabilities and threats are unknown to the buyers and users, though maybe not to the people who have to implement and support them.

jbmoore said...

Spolsky's talk is here:
http://www.acm.uiuc.edu/conference/2006/video/UIUC-ACM-RP06-Spolsky.wmv

oleDB said...

I think there are 2 key elements that were left out of Bruce's initial article and your response. And that is, what actually comprises the Security Industry?

If in fact we are stating that if completely secure products were on the market, then there would be no need for the Security Industry, then we aren't really seeing the whole picture. The Security Industry is very much integrated into the product market, and thus is attempting to better secure these products prior to release. So you technically can't have secure products without a Security Industry.

In addition, the bulk of enterprise's security dollars are not going to products per se, but under the broad term of compliance. That means that even if you are "secure" and follow best practices, your still gonna have to comply with regulations and pay for 3rd party audits. Not only that, often times these audits result in having to buy more hardware and hire more security folks. This would occur even in a dream world where no products had security vulnerabilities.

John Rodenbiker said...

Schneier's question is not really "do we need a security industry?"

What he really asks is "do we need a security industry that is visible to anyone besides the industry's members?"

His answer is "no."

Everything else in his article, and in Bejtlich's analysis, obscures this.

Bejtlich should have focused on whether or not Schneier's answer to his actual, rhetorical question is correct, not the red herring.

--
John Rodenbiker, CISA
jrodenbiker@rodenbiker.net


P.S. The captcha on this site doesn't seem to work in Opera 9.20 on XPSP2-- very annoying.

John Rodenbiker said...

After further analysis of Schneier's column and Bejtrlich response, I don't think Bejtlich is disagreeing with Schneier's red herring (discussion of vulnerabilities in shipping technology) even though he wants to.

Schneier -- paraphrased -- says if technology shipped without vulnerabilities we could spend fewer resources reducing or mitigating those vulnerabilities after we acquire the technology.

This is exactly what the risk equation says should happen.

If you reduce the amount of any of the three components of risk, without raising the others, the amount of risk is reduced.

I think everyone agrees that vulnerabilities shipped in technology are just a subset of the set of vulnerabilities and that reducing this subset to zero does not reduce the set to zero. I think everyone also agrees that even with this being the case, trying to reduce the amount of vulnerabilities shipped is a worthy effort and trying to reduce the amount to zero is a worthy ideal.

On a personal note, not being a member of a law enforcement agency I think the vulnerability component is the priority to be addressed.

The things I want protected have value and I want their value to increase.

Despite what the risk equation implies, I believe threats are a function of vulnerabilities and assets. As long as there is a target and a means to hit that target threats will exist. I can't directly create laws and penalties to deter criminals, though I can lobby lawmakers. I'm not a law enforcement agency, so I can't investigate, arrest, presecute, or lock-up criminals.

That leaves vulnerabilities as the only part of the equation I can affect directly in a manner that reduces risk. Schneier is totally justified in focusing on vulnerabilities in this article.

--
John Rodenbiker, CISA
jrodenbiker@rodenbiker.net


P.S. Captchas are still annoying, even when they work in Firefox.

Rob Lewis said...

@oledb,

Your statements re:compliance spending neglects to mention the obvious.

Compliance is a sub-set of security and arose from the same lack of internal controls in systems and networks that drives IT security. Removal of software vulnerabilities reduces the risk of system compromise by authorized users and would reduce the degree of auditing required to assure that financial statements that were being signed off on were an accurate reflection of corporate financial health.

There would also have to be additional internal control to prevent unauthorized use of data by authorized users. over and above clean code for os's and apps. Security is much more than anti-virus and patching.

Rob Lewis said...

@johnrodenbiker,

Vulnerablities may be reduced eventually but will never totally be eliminated without regulation or stiff penalties. We will only collect data that is value to us so we will always collect it in order to do business, so there will always be a target.

That is why we have gone the different route of adding protective mechanisms at the kernel level of systems (and networks) to prevent threats due to vulnerabilties from being enabled, regardless of patch state. This effectively changes the risk model by reducing threat probability, even against previously unseen attacks.

John Rodenbiker said...

Hi, Rob:

I don't think regulation and penalties are an effective way to address vulnerabilities. They are the best way to address threats -- along with apprehension and prosecution, as Mr. Bejtlich say.

Vulnerabilities ultimately stem from human error. That error is a fundamental part of the human condition. No matter how much we all wish it to be, you can't regulate human error away. You can only build up systems that try to catch it and correct it before it is too late.

You can regulate that such systems are built, but that is as effective as jousting windmills. See Mr. Bejtlich's recent comments regarding FISMA.

I do agree with you that there will always be targets with value and vulnerabilities. I tried to make that point in my earlier comments. That we have assets of value is assumed; if the assets have no value we don't need to worry about their security. Except in the simplest of systems (I don't think such systems currently exist in any business environment) there will be flaws that can be exploited.

When you prevent the exploitation of vulnerabilities, you are not directly reducing the threat factor, but instead reducing the vulnerability factor.

This could lead into my critique of the risk equation (basically, I think it's wrong but haven't yet spent the time to come up with something better) but I'll leave that for another day since this post is already too long.

Thanks for your comments, Rob.

--
John Rodenbiker, CISA
jrodenbiker@rodenbiker.net

Danny Lieberman said...

Guys

Richard pointed out the failings of Schneier's argument for not looking a t the entire risk equation of

Asset Value X Threats x Vulnerabilities x Countermeasures

The compliance issue tends to cloud discussions like this but never forget that regulatory bodies like PCI are providing a fairly outmoded checklist that is just as irrelevant for every business as it is relevant for every business.

The important point is that we choose the MOST COST-EFFECTIVE countermeasures to reduce the risk equation. Instead of buying a Web application firewall - it may be 1/3 cheaper to fix the bugs in your web app - and even if quality isnt free - at least you're not paying Symantec 20% a year for maintenance.

See my post at Guys

Richard pointed out the failings of Schneier's argument for not looking a t the entire risk equation of

Asset Value X Threats x Vulnerabilities x Countermeasures

The compliance issue tends to cloud discussions like this but never forget that regulatory bodies like PCI are providing a fairly outmoded checklist that is just as irrelevant for every business as it is relevant for every business.

The important point is that we choose the MOST COST-EFFECTIVE countermeasures to reduce the risk equation. Instead of buying a Web application firewall - it may be 1/3 cheaper to fix the bugs in your web app - and even if quality isnt free - at least you're not paying Symantec 20% a year for maintenance.

See my post at http://www.software.co.il/blog/2007/05/do_we_really_need_a_security_i_1.html
for a discussion why IT security cannot be solved by making the world a friendlier, more kinder place.

Cheers
Danny Lieberman

Rob Lewis said...

John,

The markets can punish by reduced sales, but there must be choices for consumers for this to happen. Dell adopting Linux is an example. Businesses not rushing to upgrade to Vista is another.

It may be semantics, but our technology prevents privilege escalation. We are able to separate root user from the system. We can give partial admin privileges to a service, just enough to run. A scan will still show the unpatched vulnerabilities. If the resulting threats can not be enacted on, then I think there are fewer threats.

oleDB said...

@rob lewis
Not sure why you believe I said Compliance was not apart of the Security Industry. It most definitely is, and its the part that I specifically said will be around regardless of vulnerabilities or not. And it will be due to legislation. I wasn't commenting on what drove the legislation.

If we were to discuss what drove the legislation, we could never really get a definitive answer. The obvious answer that you mention, was that insecurities drove the laws to be put in place. Thats pretty simplistic. What really drove the laws, were senator's and congressmen's desire to be re-elected by authoring a law they could claim as their own.

Also, when you make statements like this "Security is much more than anti-virus and patching." you sound extremely condescending. I believe everybody that would read this blog knows this already.

Rob Lewis said...

@oledb,

My parallel sarcasm attempt was possibly clumsy and out-of-line. Compliance deals much more with least privilege, role separation and user provisioning than AV and patching. Even though I consider myself a security newby, I am constantly surprised at the poor understanding of these principles, or at least the poor execution of them, by so-called security professionals. Widescale implementation of them would reduce the scale of compliance auditing necessary.

The bottom line driver for SOX compliance was that without it investor confidence would have evaporated, threatening the American economy. Whether that was done out of sense of duty or ego, I have no clue.

Ryan Heffernan said...

Richard,

You make an excellent point about security being defined as risk rather than vulnerability; however, should the equation really be "threat X vulnerability X asset value", or should it be "threat X vulnerability X incident cost". They are two separate things, and I’d argue for the latter.

The cost of an incident may not correspond directly to the asset value. For example, if I have a breach of security, I may have to respond to the incident and hire a forensic investigator to determine what happened. It may turn out that the attacker didn’t access any information assets (which would zero the risk by your calculation), but I still have to incur the costs of the response and investigation, which might be substantial.

Likewise, I may purchase a database of customer information for 1 million dollars (the asset value), but if the customer information is stolen in a breach, the legally-required breach announcement might cause my company's stock to drop in value by 5%, which might be billions of dollars (the incident cost).

The point is that asset value and incident cost are two different things, and when it comes to measuring risk, incident cost is what really matters.

-Ryan Heffernan