Insight Community

Is there a better way to approach computer security?

We deal with four aspects of information security and technology in our day to day operations, and our corporations.

We are only as good as our tools – in that the tools we can afford to buy also have flaws in them, flaws that can result in a picture of what is going on the network that might not necessarily be happening. Next time you pop “Illegal Game Play” check the ports, it might just be syslog going across your network.

We are only as good as our education – in that the education that we get, either formally through college or through certification has to be up to date. Anything less than that, we are teaching our students to fight yesterdays wars with yesterdays tools, on today’s threat environment.

We are only as good as our ability to work with others – it has almost become a cosmological joke that information security people are just not able to grasp business. Moreover, many of them are not, they sit behind their tools, resting on their education, and don’t think they have to work with the business side of the house. They have to, its vital if we are going to push out secure apps, secure web sites, and educate our users on what is happening today. Its far past the time that the security person in the back of the building can be allowed to do what they want to do, without working with anyone else.

We are only as good as our imagination – most of the attacks that we deal with that are devastating are not even seen because we just cannot imagine it. No one thinks that a DDoS can happen to them, no one thinks that their data is really truly targeted, just check out TJMax, The State Department, and the Bureau of Indian Affairs, check out depeering, and bots, and spam, and malware. All of these exist, with few if any real good ways of managing the issues. Most of this is a generalized failure of the imagination, saying, “It can’t happen to us” is a lot like Bill Gates saying “the internet is a fad, it will never go anywhere”.

We need to address all of these issues, not just better tools, but better educated workers behind the tools, more socialized security personnel, with healthy imaginations thinking that “it can happen here, and here is how we can proactively manage the risk”.

I am not an expert in this field, but imagine some would support a highly structured model which destroys the end-to-end principle of the Internet. I am highly opposed to this. 

Although we may design a system where hacking is impermissible due to controls, we should avoid centralized power at all costs. Technology is neither inherently bad nor good. It only enables. We mist continue to fight the good fight while protecting the important principles of equality and innovation.

Obviously, security must be built in from the start. However, there must also be awareness of security among the users for security to work. In home security, users are acutely aware that they are not able to do certain things (leave the door unlocked, drop their wallet in public places). Not so in computer security. Also, losses are hard to feel (a botnet can be installed on your computer without your knowledge, and designed so it is not noticeable among other legitimate traffic). Other examples can be taken from other domains, e.g. the military, where secure documents have to be locked up before you leave the office - and spot inspections will enforce this, and punish miscreants.

Since in the "real" world, user awareness is both the best deterrent and the best remedy against security breaches, security needs to be implemented so that it becomes visible to the user. Adding physical locks to computers might work, but of course this has to be done in the user interface. Users must also be made aware of what is normal behaviour on the part of their computer, and understand where to send alerts. In addition, spot checks need to be made, and punishments which can be traced back to unsecure behaviour intuitively be implemented.

In short, security must, instead of being part of the operating system and hidden, become part of the user interface and visible to work. Operating systems and hardware must support this. And education needs to be built in. Then, users will make sure security is a step ahead of hackers.

//Johan

Interesting question, and interesting that you say "one step behind". In reality we are often a lot further behind than that. Network devices have grown up ever since the first routers were built out of Unix machines. This was to address the problem of each individual machine on the internet getting bogged down by doing its own routing. A business need arose for a dedicated machine which would handle the routing for a group of machines, or network, and nothing else, so Cisco built them.

Since then many of the "business needs" that have been addressed by network devices have been made up not by the users of the network, but by the manufacturers of the devices, and as a result we are swamped with a lot of useless kit we don't need. This has got to a point now where things are so expensive, and motives for using often so little understood that we cannot make progress on a monthly, let alone daily basis. Sadly, businesses also realise this, and the investment required in security is stifled where it should be increased.

Network security would work much better using a framework approach. Users and data can be classified, the network then requires a framework that simply allows the users to access the data, or not. In this scenario, correct identification of users is paramount, and correct classification of data, but there is little need for anymore clunky network devices that serve one function at a time and get left behind on old hardware, old operating systems, or just old ideas.

There are multi-factor authentication schemes now available, i.e. something you know, something you own and something you are: a password, passcard and fingerprint/retinal scan should provide enough authentication strength. There is also IAM with which users can address much of their own account administration, which is useful if not 100% necessary.

Data classification is hard and time consuming if done correctly, but as we move towards a "semantic web", this will become more and more necessary, and developed as a result of that necessity rather than the need for security. Many storage companies already have such features available on their hardware, and there is software available which is listed as data-classification software.

In any case, the framework that is to be worked within needs to be closed and secure. There are many models available which are already used in military security, implementing them requires the ground work. The technology to do this is already available, it is sales that has driven security in the wrong direction. As proof of this, most security people in an organisation these days need to be business focused rather than technical, as was traditionally the case.

Why? Because not only do they have to understand how the technology works, but they have to be able to fight for budget, understand where security fits in with the plans of the organisation and sell the ideas to the board. We would also see this trend move back the other way if the framework approach was taken, which would mean technical people looking after technical problems. The people most equipped to deal with the attackers in the first place.

Today's computer security environment is reactive by nature: A threat or vulnerability is discovered, then addressed, and then another one is discovered and addressed, in a never ending cycle. Security firms have a vested interest in computer security remaining reactive. By treating the vulnerability du jour these firms can continue to profit with their current business model. Therefore, a solution is unlikely to come from security firms, whether they sell a useful product or snake oil. The only way to break the reactive security cycle is to treat the problem at its source by architecting software and solutions with security in mind.

Developing good software is expensive. Developing good software that's also secure even more so. Today's marketplace simply doesn't demand good, secure software. Patching and bug-fixing are accepted as the norm rather than the exception. Therefore, it's difficult for a software company to justify the extra cost and delay necessary to create more secure software. Even when a company decides to undertake the effort of creating more secure software, there's no guarantee that they'll actually accomplish the task. With this in mind, it's going to be impossible to redesign fundamental security measures when we have to constantly react to new vulnerabilities.

Until the marketplace demands that the problem be treated at its source, things will continue as they are today. A push for a set of unified data security standards may be a step in the right direction. However, with a few exceptions, government regulation in this area has largely resulted in a paperwork and audit industry rather than making our data and computers safer. The marketplace must therefore develop its own standards, with or without the threat of impending legislation. Granted, getting competing software firms to agree on something as fundamental as a secure design approach may be wishful thinking at best, but the current model is quite clearly broken with no realistic fix in sight.

No. There seems to be no fool-proof method to approach computer security design in order to ensure that we’re not always one step behind in the security game.

The computer security industry has always worked in a reactive mode in responding to an attack only after it occurs. That’s the only way they can function. There simply isn’t a way to be proactive because of the myriad number of ways in which insecure computer hardware and software have been deployed worldwide. Patch a piece of hardware/software and you could potentially have opened up Pandora’s Box. It’s humanly impossible to conduct a combinatorial and exhaustive test.

In an ideal world, end users would demand and vendors would supply bullet-proof products (both hardware and software). Unfortunately, we live in a time-constrained hyper-competitive capitalist society in which end users favor usability over security and vendors favor quicker time to market over security. The result is insecure computer hardware and software (due to poor design, poorer implementation, and inadequate testing) and consequently a self-feeding battle between security firms and malicious hackers.

Security has always taken a backseat and now it’s simply too late to shove it to the front. Even if you manage to build security into a new product right from the start, what about the other pieces of existing hardware or software with which it is supposed to interface? After all, a chain is only as strong as the weakest link.

It’s not that there haven’t been attempts to relook at computer security design.

Let’s look at a couple of the more popular approaches suggested by respected security practitioners and analyze why they are just not practical.

One popular suggestion is to fix existing standards to make them secure. Let’s consider the C Standard. It is now accepted that a large number of exploited security faults are due in large part to faults within the C Standard. Let’s assume that we do indeed make the C Standard secure. This is just an exercise in theory. Now just try and get a single vendor to fix an existing C application.

An even more popular suggestion is to monetarily penalize vendors for releasing insecure products. To quote Bruce Schneier: “Information security is not a technological problem. It is an economics problem. And the way to improve information security is to fix the economics problem…Liability forces software companies to think twice before changing something. Liability forces companies to protect the data they are entrusted with. Liability means that those in the best position to fix the problem are actually responsible for the problem.”

Judging by the other responses, there really seems to be no concrete approach towards better computer security. It's an evil we are going to have to live with. To top it all, the scale and reach of the Internet is always moving upward. Consequently, we will have an ever increasing user base demanding more and more - but not necessarily better (read secure) - computer products. Vendors will therefore be under even greater pressure to cut their time to market. So, who's left to think of security? Only the correspondingly increasing hacker community and the security firms chasing them.

@rmorrill: You have a great point in saying that we are only as good as our tools and education. The problem with security certifications is that a majority of them are computer hardware/information security related. We do not yet have a certification for "secure software design."

@swsuehr: Continuing your argument, companies have always found that the cost of secure software (extra developers, fewer features, and longer time to market) is many times greater than the cost of insecure software (expense to release patches, occasional bad PR, potential loss of sales). They would rather face bad PR (and then blame the security problem as a industry-wide plague) than lose market share. I have already commented on the problem with establishing secure standards. It might work for new products developed from scratch, but what about the existing ones?

The seemingly feasible approach to better computer design would be to reverse the above equation i.e. make the cost of insecure software greater than the cost of secure software. Again, a quick solution would be to let end users sue vendors for any security lapse. But can you realistically expect a vendor to develop 100%-secure software? It's not possible even if the vendor employs an independent security-testing lab (who employs humans too). And how long would you as a user wait for that software?

Yes, there is. Thomas Edison suggested that there is *always* a better way, the trick is to find it. Many of the best minds in the business work with issues related to security, and enough of them are on the side of the hackers and spammers that the best approach to find better security systems may be experimental. Here are some suggestions for approaches to test on a limited basis:

1) Broader cooperation between big firms to crack down on malicious code, spammers, and hacks. Google's new initiative is a start, and I know Google and MS trade data on online spam activities, but this effort should be broad and involve all major players and ISPs. Blacklist sharing is generally a good thing, though it should be done with some level of ombudsmanship to cut down on collateral damage to legitimate sites.

2) Hardware locking revisited. Experiment with better locking procedures for personal workstations. Inconvenience has led to almost no use of physical drive lockdown anymore, even in moderately sensitive environments, yet often security problems come from unauthorized use of workstations that are within the corporate firewall. It's not much effort to lock a stations at night or during any extended office absence?

3) Experiment with slightly enhanced, yet very simple and intuitive ongoing authentication routines. ie for a wireless network users would enter their name at infrequent, randomized points during the session. If the name did not match those on database they'd be locked out. The concept is to place barriers to a hacker that would be insignificant to the egitimate user.

4) Much more transparent blacklisting and discussion of malicious entities and code. Security firms could all benefit from more integrated online environments to report malicious activities, codes, and businesses. Expanding this effort into a site with social networking capabilities would involve the community to a much greater degree and could help facilitate much more exposure of the malicious activities. Mapping the information and other "wisdom of crowds" features might lead to unexpected, positive results in cracking down on various forms of malicious activity.

The key point is to avoid broad, sweeping approaches that make a lot of assumptions about the problem in favor of targeted experiments that will yield more data on which to base the big decisions.