Opinion

How history of security shows we have not learnt our lesson

History moves in cycles; given the speed of the technology world, it is no surprise that the cycles turn faster here and you do not need to look too far back to see the patterns repeat. In the contemporary world of information security, the late 1990s are feeling awfully familiar.

1999 was a red-letter year for infosecurity – the internet had reached near-ubiquity and information security was making itself known far outside the system administrator community. 

People had heard "computer hackers" mentioned in the news and in film before, but the bogeyman had come out from under the bed and people were finding their shiny, new company websites defaced, their email accounts broken into and no shortage of hand-wringing news stories about how evil hackers were accelerating the downfall of humanity.

On the other side of the coin however, information security began to drag itself out of models built 30 years before and started to undergo its own rapid evolution. Papers, tools and technologies began to emerge in rapid succession and, collectively, the security community discussed many of the core tenets of the field, in the process realising that many aspects of how we had done security previously were unsustainable. Only a fundamental reworking of the core principles would do anything to hold back attackers on an asymmetric battlefield.

As rapidly as enterprises took to embracing information technology, their willingness to budget for and adopt security practices was the inverse of that. Soon the battlefield changed however, as computer crime became the new land of opportunity for organised crime, and the effects of security breaches began to appear on the bottom line of the accounting ledger. 

Computer intrusion had traditionally been something of an art form from an individual picking a target and slowly working their way through system after system to their target – a matter of skill, persistence and bragging rights. Organised crime cared nothing for these things though - results (in the form of money) were all that mattered - and playing the numbers game with wave after wave of ever-evolving opportunistic malware become the new norm on the security front, casting as wide a net as possible. 

For a great percentage of the people employed in information security work today, the world of criminal malware is all they have ever known and the vast majority of security response work in the enterprise today revolves on detecting and cleaning hosts compromised by malware. This became the way of the world, with any thought as to who was pushing the malware in the first place only a passing concern - nebulous "cyber criminals". This was just the cost of doing business in the information age.

Shift of emphasis

And then, in 2010, things started to change, or at least, the common perception of them did. Operation Aurora was across the news. Not the infosecurity news, not the tech news, but mass media. 

"Chinese hackers break into Google" was the sound of the dam breaking, as the perception of information security moved from "protect our credit cards" to "protect our national secrets" in the public eye. Gone were the days of the ubiquitous malware searching after our banking credentials, each one painstakingly catalogued by the antivirus suppliers. 

The arrival of the carefully-targeted attack, driven by an individual persistently working his way through the victim's infrastructure, had arrived. The advanced persistent threat (APT) was the new night terror for business and security practitioners alike, the genie was out of the bottle, the sky was falling and... didn't this all seem a little familiar?

As major security organisations started launching periodic updates on the state of these attacks, and their targeted, customised nature, the details emerged over time that attackers were relying less on the classic malware toolkits and more on general purpose system administration and classic hacking techniques - the same kind of skills that were considered cutting edge in 1999. 

Mandiant Corporation famously said in recent months: "Malware tells only half the story," referring to the increasing use of methods of intrusion that do not use uniquely finger printable tools that can be detected by signature-based controls, instead using the same tools that the target's own system administration staff use - all to blend in more with normal network activity.

Meet the 'new' wave

For a generation of security practitioners raised on the "One Signature, One Attack" model of detection that the rise of malware made possible, this is a frighteningly "new" turn of events. But if you are an old hand in this game, everything old is new again, every attack looks different once more and there are no turnkey solutions for that.

Of course, beneath the wave of media and supplier hype, the security community bubbled away in discontent at the fervour - if there is one thing every security practitioner is tired of telling people, it must be "I told you so!" as we shook our heads over the inability to grasp that "new to you" is not "new to everyone". At least the APT bogeyman had renewed the C-level interest in waning security budgets – right in the middle of a financial downturn.

We resigned ourselves to complaining among ourselves in the echo chamber that is the security community – just as we did over a decade before – about how the current models and practices were fundamentally broken and unsustainable.

Just as with 1999, identifying what did not work, became "thought leadership" once more. 

And the discussion over what actually does work? Once again, that happened behind closed doors. 

In the world of security, people are reticent to discuss failures that others may learn from them and when it comes to things that actually work, they remain forever tight-lipped, fearing that sharing the knowledge may lead attackers to adapt to the defences.

And so, all possibility of the kind of collective research that may lead to any truly fundamental progress in the nature of the field is denied to us, victims of our own secrecy. The next great idea will be watered down into another market sector in the security solutions industry, implemented by many, mastered by none. The cycle starts again.

And those fundamentals? They are that security is difficult, meticulous, often boring work when done right; and if people are the greatest weakness in security, they are also its greatest strength. So much of what is information security operates on the fringes, the tail of the curve, the places where only the human brain's ability for pattern recognition excels. There is no security control more effective than a diligent system administrator, reading his log files and noticing that something looks awry in them.


Conrad Constantine is a research engineer at AlienVault


Image: iStockphoto/Thinkstock

This was first published in October 2012

 

COMMENTS powered by Disqus  //  Commenting policy