The Security World Is Not Just a Webbed, Virtual, Fluffy Cloud
If you've been watching the digital security scene for a while, you'll notice trends. Certain classes of attack rise and fall. Perceptions of risks from insiders vs outsiders change. I think it is important to realize, however, that globally, security vulnerabilities and exposures are persistent. By that I mean that if we forget or neglect problems from the past (or even present) and focus only the future, we will lost.
For example, the three big themes you'll see in many IT and security discussions are the following.
If you're not dealing with those three areas, you're a dinosaur, man! Forget all that other stuff you've learned!
The problem with that attitude is that it sees the world through a tunnel of shiny newness.
Consider the following list of recent security issues and see how many of them deal with those three hot topics.
I could continue. The point is there's a lot more to our security problems than Web, VM, and Cloud. It might be simpler to think of only those three problems, but there are at least a dozen more that require attention. This problem makes our security lives more difficult, but also more interesting.
Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. "Super Early" Las Vegas registration ends 15 Mar.
For example, the three big themes you'll see in many IT and security discussions are the following.
- Web apps
- Virtualization
- Cloud
If you're not dealing with those three areas, you're a dinosaur, man! Forget all that other stuff you've learned!
The problem with that attitude is that it sees the world through a tunnel of shiny newness.
Consider the following list of recent security issues and see how many of them deal with those three hot topics.
- CPU-level attacks (e.g., Attacking Intel® Trusted Execution Technology)
- MPLS attacks (e.g., All Your Packets Are Belong to Us - Attacking Backbone Technologies)
- BGP attacks (e.g., Defending Against BGP Man-In-the-Middle Attacks
- IPv6 security (e.g., Attacking IPv6)
- Anti-forensics (e.g., SQL Server Anti-Forensics)
- Various nontraditional rootkits (e.g., .NET Framework Rootkits)
- Attacks on cryptography (e.g., MD5 considered harmful today: Creating a rogue CA certificate)
- DNS attacks (e.g., DNS 2008 and the New (old) Nature of Critical Infrastructure)
- Router attacks (e.g., multiple presentations on exploiting Cisco IOS at Black Hat US 2008)
I could continue. The point is there's a lot more to our security problems than Web, VM, and Cloud. It might be simpler to think of only those three problems, but there are at least a dozen more that require attention. This problem makes our security lives more difficult, but also more interesting.
Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. "Super Early" Las Vegas registration ends 15 Mar.
Comments
While I agree that all of the things that you have mentioned are important, they probably don't require a dedicated person at each company. Unless your organization specializes in DNS service offerings (e.g. OpenDNS), BGP offerings (e.g. Renesys), MPLS services (e.g. AT&T), or non-traditional rootkits (e.g. Veracode).
Web applications affect um... everyone. Every organization that I know about, and one-hundred percent of users.
Some quotes for you before we leave:
The number of virtual servers will rise to more than 1.7 million physical servers by 2010, resulting in 7.9 million logical s
ervers. Virtualized servers will represent 14.6% of all physical servers in 2010 compared to just 4.5% in 2005. - IDC
60% of production virtual machines will be less secure than their physical counterparts through to 2009. - Gartner
On average over 70% of IT security budgets is spent on infrastructure, yet over 75% of attacks happen at the application layer - Gartner
63% of developers are not confident that they write secure code - Microsoft Research
Right on the spot. Is the security buzzword phenomenon moving to the technical areas of security. I don't know why but I have reasons to expect the worse in terms of security.
You know, mainframes suffered with security issues from day 0, so people tried to define models that went into place and they finally "became secure"... so, from the late 80s, hacking exploded and more than a half of the security paradigms went to the space.
I think we are getting to the bottom of that wave, and people are starting to assume that this security stuff isn't that chaotic anymore, after-all we all learned that firewalls cannot protect the upper layers, that applications must be secure by design.
What f*cks the whole thing is that security is not a science is an art and creativity still one of the main tools of the attacking agent. While they have the advantage of being creative and attacking where we don't expect, we are stuck in buzzwords and dogmas...
@Andre Gironda:
WHAT?!?!?! "Unless your company specialises in DNS service offerings?!!?!?" Please, somebody stop the world 'coz I wanna to get out...
web app and virtualization are stringent real problems that directly affect the business to a high degree and therefore they warrant answers. they are real, are here, being used on larger scale day by day, and we have to deal with them sooner than later.
indeed, salespeople abuse them way too much.
Your losing touch. Attach the phrase "its the new hotness" when describing one of the "outdated" areas, and suddenly everyone will focus on it again. :)
Question, will you be writing more on Network Security or Virtualization? If so, would you be interested in having it showcased in our monthly newsletter? This would be free exposure for you.
Let me know if you are interested and we can talk more about it:
janderson@imninc.com.
http://blogsunlocked.wordpress.com/