Sunday, September 12, 2010

Someone Is Not Paying Attention

I enjoy reading InformationWeek because it gives me a chance to keep in touch with broader IT trends, and the content is usually solid. The cover story for last week's issue was End Users: Ignore Them At Your Peril (sorry about the odd link; the original is here but requires registration). I started reading the article by Michael Healey of Yeoman Technology Group, but quickly realized Mr Healey is clearly out of touch with the reality of the modern security environment. He writes:

Too many IT teams think of security as their trump card to stop any discussion of emerging tech deemed too risky...

Are we really less secure than we were 10 years ago? Probably not. Much like watching cable news will make you think the world is burning and people are coming to snatch your kids, today's level of security awareness has altered the psyche of IT.

This new awareness is coupled with very real regulatory requirements, such as new Massachusetts privacy laws that require tougher disclosure when there's a security breach or problem.

It's no wonder the security folks are so jumpy. But they're missing the message that CIOs need to hear: Security is working. It's been more than a decade (yes, 10 years) since any particular security flaw has had a truly widespread impact. The Melissa and the ILoveYou attacks were the last.

We're not proposing you drop your guard. Security is a good reason to stop a project that's too risky. But if you've built an effective IT security model that combines base protection, active monitoring, and proactive management, and you stay tied into the overall industry, your chances of a major failure are slim.

Congratulate your security team for once and see if they can start moving out of their foxholes and figure out how to add some new devices and capabilities.

Feel free to stop laughing now, if you can. Clearly the last time Mr Healey paid attention to anything involving security was a decade ago, if all he can cite are "Melissa and the ILoveYou attacks." It sounds like he's the one in the foxhole, supposedly safe while the world around him continues to be in turmoil.

There are so many ways to refute his point of view, but let me close with a really simple idea. Security is simultaneously global and local. Failures can occur at either level. Many organizations care more about the local than the global because local failures are more likely to impact them directly. They tend to care about the global only when it affects the local. In other words, even if no global security failure takes place (like a worm affecting the whole Internet), local security issues will still occupy a lot of security time and resources. The inability to point to a global failure (even correcting for ignorance) says nothing about local security problems.


dre said...


Anonymous said...

Yes, foxhole is safer because there is neither Ethernet nor wireless network there.

Don Gray said...


In general I agree wholeheartedly with your comments; however, I am at a loss to explain the attention given to, and apparent impact (on at least a couple of big organizations) of, the "Here you have", "Just for You" "virus".

I can't for the life of me figure out how in 2010 organizations like NASA are getting impacted by viruses contained in .SCR files.

Thankfully very few of our customers seem to have been minimally impacted but clearly some organizations have fallen down when it comes to things like security awareness and basic gateway filtering and blocking.

Yes it was a 0-day variant, I get that, but don't click on unsolicited files!!! And as benign as it seems at first, the leaving of (.img.scr) droppings on the network shares seems to have posed a real challenge to some organizations.

So as much as I want to agree that security is working, I think it is very easy to take a "security expert" centric view of the world. A world where large, process driven organizations that support life-critical missions still get impacted by the basics.

Anonymous said...

10 years? What about MS06-067/Conficker? That had very widespread effects indeed.

Anonymous said...

Healey's position based on those virus outbreaks is a scary one, and one I've heard bandied about now and then.

It's true, those incidents of the past were probably watershed moments where a few viruses and worms exposed poor configurations/practices and let the entire userbase of the business feel it immediately.

Small pieces improve over time, but that doesn't mean suddenly we can relax or that security has improved. Someone is making a pretty large leap of logic there.

In addition, it's not like the capability isn't present today. In my opinion, the only reason we don't see another widespread Melissa or ILoveYou is because the attackers don't want to just be a pest like those attacks were. But I guess in Healey's world, botnets just form on their own.

Besides which, I don't see any situations in my own experience that suggest IT's psyche has been altered. They're still operating with security-blinders on unless poked, hard, by regulations and policy.


Daniel Lohin said...

I am going to have to say that I agree with one part:

"Too many IT teams think of security as their trump card to stop any discussion of emerging tech deemed too risky..."

The very first sentence is something that I have been saying. Too many people in security are far too quick to say no to everything because they don't want change, as change is seen as bad in the security mindset. I have seen situations where security just doesn't want to work and will pile on paperwork to the requesting organization.

It is security's job (imo) to figure out how the users can do something in a secure manner. I know that in some cases the final answer will be no, but security needs to understand the user's requirement, and then discuss how the requirement can be met in a safe manner. Sometimes that means the user won't get everything that they want, but at least you tried to help.

Robert Sullivan said...

The thing that strikes me about an article like that is upper management will read the first few lines or so. They'll conclude things are good - never mind all the fuss the security team is talking about, they just want more budget.

But the recent IBM X-Force Threat Report, for example, shows a different picture. They mention some things Healey isn't aware of apparently - the Zeus botnet and PDF attacks, to name just a few. To quote from their web site: "Reported vulnerabilities are at an all time high, up 36%."

Nick Chapman said...

That attitude is not unusual. I recall seeing a story on another blog railing against overly restrictive security policies in the workplace. I was forced to stop reading the post after I fell out of my chair laughing.

The author demanded that power users be allowed to install "proven safe technologies, like Adobe reader and flash".

Just like with physical security, most people are simply unaware how easy it is to bypass controls.

Mark Kelly said...

I find the original article writer's mindset to be very common. They are still viewing security with the more "secure the perimeter" and prevent virus/worm mentality vs where the impactful threats are right now which is losing trade secrets that are vital to the survival of a business.

Robert Sullivan said...

And the problem is upper management will read this and get a rosy picture of security, and wonder what all the fuss is about from their security folks.

Anonymous said...

"proven safe technologies, like Adobe reader and flash"
and "proven productivity enhancement technologies, like Facebook".