There has been a lot of focus lately on how the security industry has failed ourselves, our community, and the people we are meant to protect. I was originally going to blog about how I disagree with the above quote, but I decided instead to look objectively at the problems the industry is presently facing. The security industry has many issues to solve. Some have really simple solutions that are extremely difficult to implement, while others have no known solution that can be easily introduced to the masses.
1) Today feels a lot like yesterday
Let us take a quick look at two information security surveys, one taken in 2001 and another from 2006. Let's highlight one specific section of each survey, the one dealing with what the industry perceived as the biggest obstacles facing it at the time.
| Rank | Information Security Magazine Industry Survey, 2001 | Information Week Industry Survey, 2006 |
|---|---|---|
| 1 | Budget Constraints | Security Complexity |
| 2 | User Awareness | User Awareness |
| 3 | Lack of Management Support | Preventing Breaches |
| 4 | Lack of Competent Security Personnel | Enforcing Security Policy |
| 5 | Lack of Security Policy | Budget Constraints |
| 6 | Unclear Responsibilities | Lack of Resources |
This isn't the complete table, but can you spot the trend? A lot of the issues that the industry was facing five years ago are still present now. The security industry is either STILL trying to solve the major problems it was facing five years ago, or it is happily ignoring them. Admittedly, as I mentioned in the introduction, a lot of these problems are not easy to solve and the industry is quite young. However, after five years, they are still some of the biggest issues facing the industry. Five years in the security space is an eternity. To continue to be successful, the security industry really needs to start dealing with some of these issues and come up with innovative ways to solve them. It would be a sad state of affairs if the same survey taken in 2011 highlights the same issues that have been in focus for the last few years.
2) The role of a Security Professional
It is extremely important to understand that a professional in the security industry is not necessarily in the business of trying to protect you. Actually, that statement is a little erroneous. All people in the security industry are there to ensure that security is enforced. However, each person can go about it in completely different ways. Using an analogy that I'm very familiar with, there are two ways that people can motivate you when you do something wrong. The first is to be extremely supportive and assist you through the process of getting it right. The second is to embarrass you publicly in front of your friends and family so you don't make the mistake again.
The security industry works in a similar fashion. There are those who will work with vendors to ensure that end users are protected, and there are those who believe public embarrassment is the only way to get vendors to fix their software. There is no point in debating which approach is better, as it has been beaten to death by others already. The important lesson here is that, if vulnerability information is released before the vendor has released a patch, administrators and security personnel are left to deal with a public vulnerability for which they have no fix, usually with nothing better than workarounds. There is also no guarantee that the vendor will expedite the release of a patch just because the information has become public. Look at the WMF vulnerability that affected most Microsoft operating systems at the beginning of the year. Only after extreme public pressure, and the embarrassment of having a third-party patch released before the official version, did they release a patch outside of their regular advisory release cycle.
3) There are too many so-called "Security Professionals"!
There are too many people who call themselves Security Professionals who know very little about security. The first question you should be asking yourself while reading this post is, "Why should I even bother reading what this person is writing? What makes him an authority on anything?" The real answer is, you shouldn't! It makes me cringe to hear some of the recommendations that come from other so-called "security professionals". A lot of people either don't have a firm understanding of security or have their own personal agendas to push. I'm not even going to get into the amount of security-related misinformation that is out there. As someone who works in the industry, it just makes me shake my head. You don't allow random people calling themselves doctors to prescribe medicine to you, and you don't allow some random schmoe with no credentials to fix your plumbing. The same is true for computer security. Don't rush to follow the advice of some unknown "security expert".
Just because you don't understand computer security does not mean they do.
4) Security Breeds Apathy.
Illusions are dangerous. Just because one believes they are secure does not mean they are. One of the common themes I hear when someone has been infected with malware is that they were running an updated virus scanner. They truly thought they were safe from most attacks. Take a look at any of the online multi-engine virus scanners to see just how much malware is missed by security vendors. It is rare that all the antivirus solutions catch all the different variants of the viruses out there, and a signature-based scanner cannot, by design, catch a sample it has never seen.
A major problem stems from the fact that, like many other things in life, users become complacent with their security setup. They do not pay as much attention to their security infrastructure as they should. They feel that since nothing has happened to them up until now, it is unlikely that something will happen to them in the future. Time causes people to become comfortable with their job, relationships and health. When something unexpected happens, they are shocked that "this has happened to them." Security has the same problem. Until something bad happens, the status quo is often acceptable. It's the "that could never happen to me" fallacy.
Security is not like a Ron Popeil commercial. You just can't "set it and forget it." In the most ideal situation, an end user should plug in their security solution and everything should be done for them. However, the industry is not there just yet, nor is there any guarantee that it will ever get there.
5) Security can be overwhelming
I'd be the first to tell you that security is not simple. Security doesn't have an easy button. Setting up a robust, scalable and highly configurable security solution on any network is difficult. Maintaining one is even harder. There are too many things that could possibly go wrong. Many people I have talked to who have attempted to implement security solutions, especially people without a strong foundation in administration or security, have found it extremely difficult to get them to work.
Now, let's say that you are able to successfully implement your solution. Probably the biggest failing of security is the inundation of data that security products present to the end user. A single administrator can have information sent to them from each of their security products. From firewall and web server logs to IDS and virus alerts, the amount of data that has to be looked at can be overwhelming. According to the 2006 Information Week survey (referenced above), the biggest concern for most security professionals is managing the complexity of security. Most companies have a relatively small security team, which can quickly be overwhelmed by this torrent of information.
In the end, if there is too much information for the average-sized team to handle, some data will never get looked at. What is the point of having all these security products if you are unable to look at everything they produce? The raw event count is not what matters; what matters is reducing those events to the handful of things a person actually has to act on.
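As an added example (this is not code from the original post), here is the kind of triage script a small team writes to get out from under that torrent: it reads a mixed feed of firewall denies and IDS alerts, collapses them per source address, and flags only the sources that touched several hosts or tripped an IDS signature. The log format and the sample lines are constructed for illustration and are not any real product's format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample feed (not real logs): a mix of firewall denies and
# IDS alerts in a made-up format, eight raw lines an admin would otherwise
# read one by one.
SAMPLE_LOG = """\
fw: DENY src=203.0.113.7 dst=198.51.100.10 dport=22
fw: DENY src=203.0.113.7 dst=198.51.100.11 dport=22
fw: DENY src=203.0.113.7 dst=198.51.100.12 dport=22
fw: DENY src=203.0.113.7 dst=198.51.100.13 dport=22
fw: DENY src=198.51.100.50 dst=198.51.100.10 dport=80
ids: ALERT sig=web-attack src=203.0.113.7 dst=198.51.100.10
ids: ALERT sig=portscan src=203.0.113.7 dst=198.51.100.12
fw: DENY src=192.0.2.9 dst=198.51.100.10 dport=443
"""

# Patterns for the two (assumed) line shapes above.
FW_RE = re.compile(r"^fw: DENY src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r"^ids: ALERT sig=(\S+) src=(\S+) dst=(\S+)$")


def summarize(log_text, min_targets=3):
    """Collapse raw events into one record per source address.

    A source is "high" priority if it touched at least min_targets distinct
    hosts (scan-like behaviour) or triggered any IDS signature. Lines that
    match neither pattern are counted, not silently dropped, so a format
    change in a product does not quietly blind the triage.
    """
    targets = defaultdict(set)     # src -> set of destination hosts
    denies = Counter()             # src -> number of firewall denies
    ids_sigs = defaultdict(set)    # src -> IDS signatures it triggered
    unparsed = 0

    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m:
            src, dst, _port = m.groups()
            targets[src].add(dst)
            denies[src] += 1
            continue
        m = IDS_RE.match(line)
        if m:
            sig, src, dst = m.groups()
            targets[src].add(dst)
            ids_sigs[src].add(sig)
            continue
        unparsed += 1

    summary = {}
    for src, dsts in targets.items():
        high = len(dsts) >= min_targets or bool(ids_sigs[src])
        summary[src] = {
            "denies": denies[src],
            "distinct_targets": len(dsts),
            "ids_signatures": sorted(ids_sigs[src]),
            "priority": "high" if high else "low",
        }
    return summary, unparsed


def prioritized(log_text, min_targets=3):
    """Sources ordered high-priority first, then by how many hosts they hit."""
    summary, _ = summarize(log_text, min_targets)
    return sorted(
        summary.items(),
        key=lambda kv: (kv[1]["priority"] != "high", -kv[1]["distinct_targets"]),
    )


if __name__ == "__main__":
    summary, unparsed = summarize(SAMPLE_LOG)
    for src, info in prioritized(SAMPLE_LOG):
        print(f"{info['priority']:4} {src:15} denies={info['denies']} "
              f"targets={info['distinct_targets']} ids={info['ids_signatures']}")
    print(f"{len(SAMPLE_LOG.splitlines())} raw lines -> {len(summary)} sources, "
          f"{unparsed} unparsed")
```

On the sample above, eight raw lines become three sources, of which exactly one (203.0.113.7) is worth a human's attention; the other two are single denies that a firewall is supposed to produce. The threshold and the two regexes are the parts you would tune for your own products.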
6) People are afraid of what they don't understand.
It's an old running joke, but how many people do you know who have their VCR clock (replace VCR with any random electronic product) flashing 12:00AM? Probably quite a few. The scary part is who many of them are. These are highly intelligent and highly educated people working as specialists or experts in their field. You would not expect someone with this kind of intelligence and skill to be outsmarted by a VCR. People are afraid of setting their VCRs. At the same time, people are also afraid of their computers. If you cannot diagnose even the simplest of problems with your computer, how can you be expected to understand security and implement good security practices? The answer is that the average user can't. Security is stuck between a rock and a hard place. If users do not know how to be secure and they are unwilling to learn, then how can the industry help them? The solution to that question is the next problem with security.
7) Security is not seamless.
To the user, security is not transparent. They have to do all sorts of things to make themselves "secure." For the most part, users will get frustrated having to do this and simply stop. Few people enjoy fine-tuning their systems to make them more secure. Why isn't the system secure out of the box? How many servers out there are running daytime, chargen and echo by default, services nobody has needed for years and which exist today mostly as traffic amplifiers and reconnaissance targets? How about Apache and Sendmail listening on hosts that were never meant to be web or mail servers? Way more than there should be. Vendors used to always put the onus on the user to make the system more secure. I think vendors need to start enforcing security for the user. Users should be able to unwrap their products and find them secure (as far as possible) by default. Obviously, a lot of users would prefer to have certain services enabled, but that's why it has to be configurable. You want to run discard? Whatever rocks your boat.
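The inetd "small services" mentioned above are a good concrete case, so here is an added example (my own illustration, not code from the original post) of the check an administrator can run against an inetd-style configuration and the one-line-per-service fix that follows. The configuration text is a constructed sample in the classic inetd.conf layout (service, socket type, protocol, wait flag, user, program); real systems may use xinetd or no inetd at all, in which case the same check belongs against the service manager or a port scan instead.

```python
# Legacy inetd "small services": trivially abusable and almost never needed.
SMALL_SERVICES = {"echo", "discard", "daytime", "chargen", "time"}

# Constructed sample in inetd.conf layout (not taken from any real host).
SAMPLE_INETD_CONF = """\
# inetd.conf - constructed sample
echo     stream  tcp  nowait  root  internal
echo     dgram   udp  wait    root  internal
#discard stream  tcp  nowait  root  internal
daytime  stream  tcp  nowait  root  internal
chargen  stream  tcp  nowait  root  internal
ftp      stream  tcp  nowait  root  /usr/sbin/ftpd  ftpd -l
"""


def enabled_services(conf_text):
    """Return (service, protocol) for every active, uncommented entry."""
    entries = []
    for line in conf_text.splitlines():
        body = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not body:
            continue
        fields = body.split()
        if len(fields) < 3:                      # malformed line, skip it
            continue
        entries.append((fields[0], fields[2]))
    return entries


def enabled_small_services(conf_text):
    """The subset of active entries that are legacy small services."""
    return [(svc, proto) for svc, proto in enabled_services(conf_text)
            if svc in SMALL_SERVICES]


def hardened_config(conf_text):
    """Return the same config with every small-service line commented out.

    Lines are kept rather than deleted so the change is reviewable and
    reversible: the user who really wants discard can uncomment it.
    """
    out = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] in SMALL_SERVICES:
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for svc, proto in enabled_small_services(SAMPLE_INETD_CONF):
        print(f"enabled legacy service: {svc}/{proto}")
    print(hardened_config(SAMPLE_INETD_CONF))
```

On the sample, the audit reports echo (tcp and udp), daytime and chargen as enabled; discard is already commented out and ftp is left alone because it is a real service the administrator chose to run. After hardening, the audit finds nothing and ftp is still active.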
Ask most users if they'd rather be forced to enter a password on their desktop or not have one at all. Many users (more than you'd expect) would prefer to ignore this simple security 'best practice'. The more transparent security is to an end user, the more successful it will be.
8) End users are ignorant
As a corollary to points five and six, users do not care how security is implemented. They do not want to know. They just want it to work. This is difficult for the security industry to understand. Why don't users choose strong passwords? Why do users write their password on a post-it note stuck to their monitor? Why do users open e-mails that are obviously not safe to open? Why do they do it again two days later after being exploited the first time? One of the funniest accounts I have ever read about a virus attack is here.
Most people would probably assume that I'm knocking end users here, but the thing is that I am not. It is actually our problem that end users are ignorant of security best practices. We either need to make security seamless to the end user or educate them so that they understand. Neither solution is simple.
9) Not all security is right for you.
This is the "throwing things at a wall and hoping it will stick" problem. A huge problem is that people often buy things for their networks / computers that they don't really need. Do you really need a personal firewall, host based IPS, Virus and Spyware scanner? It's cool that you are now apparently protected from all sorts of things, but now your computer is so bogged down with background processes that you can't even do your job. If you are a user, would you accept your computer taking 10 minutes to boot? Of course not. One has to step back and fully understand why they need the product they are about to buy. Buying 20-25 security products and hoping that they will play nice with each other and integrate to any degree is folly. One has to accept that not all types of computer security are right for you.
There is such a thing as having too much security.
10) The World is a War Zone
The Internet is one of the most dangerous places you can be. The Internet is full of people trying to attack and exploit you. The major problem is that the Internet continues to grow exponentially and is now full of users without the right understanding of how to protect themselves. From spam to spyware to viruses/trojans and phishing attacks, the Internet is dangerous.
The solution to this problem is not a feasible one. You cannot expect everyone to take a training course on security best practices before surfing the web. The best solution is a combination of points 6) and 7). Security has to get to a point where the user is abstracted from the equation. It should not matter if the user is a 75 year-old grandmother from Wyoming or a hardcore BSD user running lynx and pine. Being secure should just happen.
11) It is no longer about the Chase, it is about the Money!
Why is the Internet a War Zone? Because it is a very easy place for people to attack one another. It is the breeding ground for con men and others trying to make a quick buck. It didn't used to be this way. Previously, people writing malware were doing it to prove they could. Traditional viruses and attacks could be destructive, but usually only to the computers themselves. That's not to say that nobody was doing it for the money, but the old perception that these were people sitting in their room all night, drinking Jolt cola while writing viruses or attacking computers for the fun of it, was somewhat realistic.
One of the security industry's biggest failings was not seeing the potential for profit in the creation of malware. Since it is so easy to exploit people online, both figuratively and literally, it has become a breeding ground for attacks. You have everyone from organized crime, terrorist sects and 15-year-olds trying to make a quick buck by writing malware. Since the Internet is relatively anonymous, stopping these people is almost impossible. You may be able to hinder their operations, but it is just as easy for them to start it all up again.
I highly doubt that someone will be able to control the Internet in any way, shape or form. Part of the Internet's attraction is that it is like the wild west. Anything goes. In the end, fighting this battle from a security perspective is a losing battle. You cannot enforce protection on their territory, you can only try to protect your own.
12) Attacks are Polymorphic.
Attackers learn. Attackers adapt. Every time a security solution is put in place, attackers find a way to get around it. People who try to break security solutions are very bright people. With access to the security solution, all it takes is time for them to find a way around it. There have been many examples of this with IDS/IPS solutions, Spam filtering and virus scanners. If people look hard enough, there is always a way around them. Attackers are smart enough to know this, so they have the ability to abuse it.
As an industry, the only solution is to keep working at it. It is almost impossible to be protected from attacks if you have no idea who your attackers are and where they will strike. You need to fully understand where you are most at risk. Is it the people you employ, a poorly patched network segment, or an unmonitored part of your lab? If you know where you are vulnerable to attack, you can better protect yourself. You will never be able to protect yourself from every attack, but you will be better off than everyone else.
13) Vendors and Security don't match.
Why do vendors such as Microsoft and Oracle have so many security issues in their products? One could argue that they are the most popular, so, following from point 11, attackers focus on them because that is where the money is. However, why are there so many bugs in the first place? The big reason is that security does not make software vendors money. Vendors make money by selling new products with enough new features to force users to upgrade. So, why are Microsoft and Oracle focusing on improving the security in their products now? Security may not make vendors money, but it can lose money for them. Vendors lose money when people who already use their products get frustrated with all the baggage that comes with them and choose another product with a better security track record. This does not in fact mean the newly chosen product is more secure; it just means that it has a better track record. You will see more exploits for Apple and Mozilla products in the future as they gain a larger market share.
14) The industry is immature
By saying the industry is immature, I do not mean that the industry is young. The industry is young, and that can be problematic, but the industry itself is in fact immature. There is a lot of infighting between different people about how things should and should not be done and who is worth listening to. You will get fights and insults slung between multiple people and multiple groups just because they can. In the end, it doesn't really solve anything; from the outside world, it makes the industry look like it's full of spoiled, elitist brats who fight over the most inconsequential of details. This doesn't bode well for the security industry, because it becomes extremely difficult for anybody outside the industry to take it seriously. It also makes it very difficult for anyone else to decide which information to listen to and what is important when the interesting details are surrounded by childish rants.
15) 2+2=1
Not only is the industry immature, it can also be very short-sighted. A lot of security people believe that their way IS the only way. Innovation is not usually a problem in this industry, as there are many brilliant people coming up with many ingenious ways of doing new things. However, getting people to agree on what is the right way to do things is almost impossible. In general, there is nothing wrong with disagreeing with each other. However, if it gets in the way of moving the industry forward, then there is a severe problem. A lot of people are stuck on ideas that were thought of as correct five years ago and cannot see that there may be better solutions and/or ideas than what was once known. Can 2+2=1? Of course it can. Sometimes you have to think differently to get farther ahead.
A lot of the above sounds really negative, and I guess it is meant to be. The security industry needs to begin to work together to continue its advance. Security may have advanced in some areas, but it has ignored the most important issues affecting it. A lot of this comes down to it being difficult, and to the fact that the industry itself is immature and full of people who are obsessed with the classical image of someone who works in security. However, I think a lot of really good things have happened over the past five years. The industry has started to weed out the people who only wanted a job in the industry because it was the cool thing to do. I also think that people who have been in the industry are really tired of the status quo. They want change. They want to begin to do cool things that will push the industry away from where it is and take it to where it can be. It may be difficult, but for the sake of the industry itself, it needs to be done.
Addendum:
I originally wrote this post six months ago and pulled it for various reasons. Therefore, a lot of the ideas are six months old (e.g. the comment about vulnerabilities in Apple and Mozilla products).