In the face of the latest security attacks, security professionals must realise their defences will fail from time to time. This was a recurring theme at the recent RSA Europe 2011 conference, where a number of speakers delivered advice on how to limit fallout when a failure does occur.
The tone was set from the start when, in his opening keynote speech, Art Coviello, executive chairman of RSA, now a wholly owned subsidiary of storage giant EMC, compared traditional IT defence systems to the Maginot Line built by the French in the 1930s to prevent a German invasion. Just as the Germans chose to bypass the line in 1940, he said, modern hackers are now bypassing firewalls and using other methods, such as social networking and phishing emails, to subvert users’ systems.
The theme was picked up by Herbert "Hugh" Thompson, chief security strategist at New York-based consultancy People Security, in his keynote entitled The Science of Security Fragility. He told the audience of senior security managers and practitioners to “expect failure and be agile” because threats are constantly on the rise and companies cannot afford to defend against them all.
Thompson urged the audience to put more effort into creating safety nets so when defences fail, the effects are not disastrous. That requires a more flexible attitude and a process of continuous improvement, with defences constantly adapting to the changing threat landscape, he said.
So-called “waterfall development,” where security systems are planned, developed, tested and then deployed, only works in a stable environment. However, Thompson characterised the last eight months (since the SecurID breach at RSA) as extremely unstable, with constantly changing threats.
He compared modern security needs with those of driving a car. “You don’t just get in the car and tell it to go in one direction, you have to make constant adjustments,” he said, adding that security should constantly be adjusted in the same way.
Thompson also emphasised that users will make mistakes and that security needs to plan for them. “People will make bad trust choices, and fall prey to clever phishing emails,” he said. He also warned that sites like Ancestry.com are a fertile place for hackers to find out detailed knowledge about people and their families, such as a mother’s maiden name, the answer to a favourite security question.
Security professionals should assume their environment is contested, Thompson said, and even the intranet is not the safe haven they think it is. They also need to constantly re-evaluate assumptions about whom they trust and where threats are coming from. With the resurgence of computer-based hacktivism from groups such as Anonymous and LulzSec, any organisation can suddenly find itself the target of an attack, he said.
The theme was picked up in a panel session chaired by Joshua Corman, director of security intelligence for Cambridge, Mass.-based Akamai Technologies, which considered the impact of “chaotic actors”: people motivated less by money and more by a desire to make a social or political point, or merely to have fun at the corporate world’s expense.
Corman criticised most enterprises for spending too much money on antivirus systems, when the majority of successful attacks go after Web applications with well-known attack techniques like SQL injection and cross-site scripting. “We spend the least amount of money on the most active attack vector. It’s time to redistribute the investment,” Corman said.
Also on the panel was Aaron Barr, former CEO of technology and security consulting firm HBGary Federal, which carried out an undercover operation to identify members of the hacktivist group Anonymous. Barr suggested companies need to be careful not to attract the attention of hacktivists, recalling the attacks aimed at Sony during the last year. These attacks, Barr said, were motivated by revenge against Sony because it tried to sue a security researcher who had discovered weaknesses in its system.
“It was not a good strategy to sue the researcher,” Barr said.
Barr said if companies find themselves at the centre of a dispute, they should acknowledge any grievance, engage with complainants, and even admit liability in order to defuse a bad situation.
Corman had one final piece of advice for security professionals: “You need to teach executives not to be so sloppy about what they reveal about themselves on social networking sites,” he said.