New Year's Resolutions for Security Professionals. The real problem is that there are not enough Kaminskys, Appelbaums, Sotirovs and Kapelas.
So far most of the responses to yesterday's 25C3 presentation by Sotirov, Appelbaum, et al. have focused exclusively on the technical details. The most common questions are: In theory, could the attack be carried out on a wide scale? Am I at risk? Should I be asking my vendors for answers? All reasonable questions, but they miss the bigger picture.
The question everyone should be asking is, "Why did this take so long?"
Several years ago, I had the pleasure of attending a talk by an active NSA analyst. He talked about his list of massive Internet calamities and specifically mentioned routing, PKI and DNS.
Here are a few security highlights for 2008:
* July 2008: in a massive vendor-coordinated event, Dan Kaminsky orchestrates a critical fix to DNS for a flaw that, we later learn, could enable large-scale man-in-the-middle attacks.
* August 2008: Alex Pilosov and Anton "Tony" Kapela demonstrate a technique for eavesdropping on Internet traffic that affects BGP, the core routing protocol of the Internet.
* December 2008: Sotirov, Appelbaum, et al. reveal their work on MD5 collisions, which could render the trust placed in SSL sites useless.
So why did these discoveries rock our worlds and light up the news wires?
Simple - it's all about trust. We trust the little yellow lock in the browser. We trust Internet routing works. We trust that when our browser URL says our bank name we are logging into our bank. No amount of security awareness training, videos about phishing, antivirus software or hard disk encryption will thwart these kinds of attacks.
The reason there has been so much noise about each of these revelations is that there isn't any way to defend yourself or your company against them. But the noise masks the larger threat.
The real problem is that there are not enough Kaminskys, Appelbaums, Sotirovs and Kapelas performing active academic work focused on the centralized services the Internet uses as building blocks.
Most people trust their local police force to enforce the speed limit. We trust the local fire department to perform fire safety checks in buildings. The United States employs a huge military to protect its borders. The Internet, however, isn't local and knows no borders.
Earlier this year I asked Michael Chertoff, Department of Homeland Security Secretary, how the United States would protect itself against DoS attacks like those on Estonia or Georgia. The answer was a strategic reactionary plan -- reduce the number of entry points (Internet connections), block attacks in real time, do background checks.
These are all reasonable answers, but they focus on reactions after an attack is underway. Where are the proactive strategic goals? What about penetration testing or funding academic research into the vulnerabilities inherent in our core trusted services?
It's tempting to assume that the United States does employ researchers trying to break DNS or PKI systems. After all, somewhere in the bowels of the government our tax dollars could be funding exactly this kind of research.
The problem with this assumption is that Internet functionality is, for the most part, fairly transparent. No one can slip in a new update to the design of DNS without someone noticing. Also, I have never once seen credit for a vulnerability discovery given to a security researcher employed by the US government.
So, we have fairly large trust issues. US citizens can't trust that our current government is doing the kind of critical research necessary to protect one of our most valuable pieces of critical infrastructure. There are very few private citizens with the specialized knowledge and skills necessary to do this research, and these people are not dedicated to the rigorous research the scale of the problem demands.
This leaves all of us with very few options. If you have read this far, you are in the minority of people who have the background to grasp the enormous import of these issues. The other 99.99% of Internet users are either blissfully ignorant or deathly afraid of the many things that go bump in their Internet night, things they have no protection against.
Those of us who understand the tremendous impact of these kinds of vulnerabilities are left to take whatever small steps we can to protect ourselves. I encourage everyone reading here to resolve to proactively engage in thoughtful, responsible research into these services in 2009. Take a step back and take a long look at the many services we generally take for granted: routing, trust services, DNS, time synchronization and the like. If each of us pushed one piece of one of these trusted services to its limits whenever we had the resources, we could help make the Internet a safer place for all users.
And, for the moment, we can only depend on each other.
