Entries Tagged "business of security"

Page 5 of 5

Do We Really Need a Security Industry?

Last week I attended the Infosecurity Europe conference in London. Like at the RSA Conference in February, the show floor was chockablock full of network, computer and information security companies. As I often do, I mused about what it means for the IT industry that there are thousands of dedicated security products on the market: some good, more lousy, many difficult even to describe. Why aren’t IT products and services naturally secure, and what would it mean for the industry if they were?

I mentioned this in an interview with Silicon.com, and the published article seems to have caused a bit of a stir. Rather than letting people wonder what I really meant, I thought I should explain.

The primary reason the IT security industry exists is because IT products and services aren’t naturally secure. If computers were already secure against viruses, there wouldn’t be any need for antivirus products. If bad network traffic couldn’t be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn’t have to spend billions every year making them secure.

Aftermarket security is actually a very inefficient way to spend our security dollars; it may compensate for insecure IT products, but doesn’t help improve their security. Additionally, as long as IT security is a separate industry, there will be companies making money based on insecurity — companies who will lose money if the internet becomes more secure.

Fold security into the underlying products, and the companies marketing those products will have an incentive to invest in security upfront, to avoid having to spend more cash obviating the problems later. Their profits would rise in step with the overall level of security on the internet. Initially we’d still be spending a comparable amount of money per year on security — on secure development practices, on embedded security and so on — but some of that money would be going into improving the quality of the IT products we’re buying, and would reduce the amount we spend on security in future years.

I know this is a utopian vision that I probably won’t see in my lifetime, but the IT services market is pushing us in this direction. As IT becomes more of a utility, users are going to buy a whole lot more services than products. And by nature, services are more about results than technologies. Service customers — whether home users or multinational corporations — care less and less about the specifics of security technologies, and increasingly expect their IT to be integrally secure.

Eight years ago, I formed Counterpane Internet Security on the premise that end users (big corporate users, in this case) really don’t want to have to deal with network security. They want to fly airplanes, produce pharmaceuticals or do whatever their core business is. They don’t want to hire the expertise to monitor their network security, and will gladly farm it out to a company that can do it for them. We provided an array of services that took day-to-day security out of the hands of our customers: security monitoring, security-device management, incident response. Security was something our customers purchased, but they purchased results, not details.

Last year BT bought Counterpane, further embedding network security services into the IT infrastructure. BT has customers that don’t want to deal with network management at all; they just want it to work. They want the internet to be like the phone network, or the power grid, or the water system; they want it to be a utility. For these customers, security isn’t even something they purchase: It’s one small part of a larger IT services deal. It’s the same reason IBM bought ISS: to be able to have a more integrated solution to sell to customers.

This is where the IT industry is headed, and when it gets there, there’ll be no point in user conferences like Infosec and RSA. They won’t go away; they’ll simply become industry conferences. If you want to measure progress, look at the demographics of these conferences. A shift toward infrastructure-geared attendees is a measure of success.

Of course, security products won’t disappear — at least, not in my lifetime. There’ll still be firewalls, antivirus software and everything else. There’ll still be startup companies developing clever and innovative security technologies. But the end user won’t care about them. They’ll be embedded within the services sold by large IT outsourcing companies like BT, EDS and IBM, or ISPs like EarthLink and Comcast. Or they’ll be a check-box item somewhere in the core switch.

IT security is getting harder — increasing complexity is largely to blame — and the need for aftermarket security products isn’t disappearing anytime soon. But there’s no earthly reason why users need to know what an intrusion-detection system with stateful protocol analysis is, or why it’s helpful in spotting SQL injection attacks. The whole IT security industry is an accident — an artifact of how the computer industry developed. As IT fades into the background and becomes just another utility, users will simply expect it to work — and the details of how it works won’t matter.

This was my 41st essay for Wired.com.

EDITED TO ADD (5/3): Commentary.

EDITED TO ADD (5/4): More commentary.

EDITED TO ADD (5/10): More commentary.

Posted on May 3, 2007 at 10:09 AMView Comments

Private Police Forces

In Raleigh, N.C., employees of Capitol Special Police patrol apartment buildings, a bowling alley and nightclubs, stopping suspicious people, searching their cars and making arrests.

Sounds like a good thing, but Capitol Special Police isn’t a police force at all — it’s a for-profit security company hired by private property owners.

This isn’t unique. Private security guards outnumber real police more than 5-1, and increasingly act like them.

They wear uniforms, carry weapons and drive lighted patrol cars on private properties like banks and apartment complexes and in public areas like bus stations and national monuments. Sometimes they operate as ordinary citizens and can only make citizen’s arrests, but in more and more states they’re being granted official police powers.

This trend should greatly concern citizens. Law enforcement should be a government function, and privatizing it puts us all at risk.

Most obviously, there’s the problem of agenda. Public police forces are charged with protecting the citizens of the cities and towns over which they have jurisdiction. Of course, there are instances of policemen overstepping their bounds, but these are exceptions, and the police officers and departments are ultimately responsible to the public.

Private police officers are different. They don’t work for us; they work for corporations. They’re focused on the priorities of their employers or the companies that hire them. They’re less concerned with due process, public safety and civil rights.

Also, many of the laws that protect us from police abuse do not apply to the private sector. Constitutional safeguards that regulate police conduct, interrogation and evidence collection do not apply to private individuals. Information that is illegal for the government to collect about you can be collected by commercial data brokers, then purchased by the police.

We’ve all seen policemen “reading people their rights” on television cop shows. If you’re detained by a private security guard, you don’t have nearly as many rights.

For example, a federal law known as Section 1983 allows you to sue for civil rights violations by the police but not by private citizens. The Freedom of Information Act allows us to learn what government law enforcement is doing, but the law doesn’t apply to private individuals and companies. In fact, most of your civil right protections apply only to real police.

Training and regulation is another problem. Private security guards often receive minimal training, if any. They don’t graduate from police academies. And while some states regulate these guard companies, others have no regulations at all: anyone can put on a uniform and play policeman. Abuses of power, brutality, and illegal behavior are much more common among private security guards than real police.

A horrific example of this happened in South Carolina in 1995. Ricky Coleman, an unlicensed and untrained Best Buy security guard with a violent criminal record, choked a fraud suspect to death while another security guard held him down.

This trend is larger than police. More and more of our nation’s prisons are being run by for-profit corporations. The IRS has started outsourcing some back-tax collection to debt-collection companies that will take a percentage of the money recovered as their fee. And there are about 20,000 private police and military personnel in Iraq, working for the Defense Department.

Throughout most of history, specific people were charged by those in power to keep the peace, collect taxes and wage wars. Corruption and incompetence were the norm, and justice was scarce. It is for this very reason that, since the 1600s, European governments have been built around a professional civil service to both enforce the laws and protect rights.

Private security guards turn this bedrock principle of modern government on its head. Whether it’s FedEx policemen in Tennessee who can request search warrants and make arrests; a privately funded surveillance helicopter in Jackson, Miss., that can bypass constitutional restrictions on aerial spying; or employees of Capitol Special Police in North Carolina who are lobbying to expand their jurisdiction beyond the specific properties they protect — privately funded policemen are not protecting us or working in our best interests.

This op ed originally appeared in the Minneapolis Star-Tribune.

EDITED TO ADD (4/2): This is relevant.

Posted on February 27, 2007 at 6:02 AMView Comments

Business Models for Discovering Security Vulnerabilities

One company sells them to the vendors:

The founder of a small Moscow security company, Gleg, Legerov scrutinizes computer code in commonly used software for programming bugs, which attackers can use to break into computer systems, and sends his findings to a few dozen corporate customers around the world. Each customer pays more than $10,000 for information it can use to plug the hidden holes in its computers and stay ahead of criminal hackers.

iDefensebuys them:

This month, iDefense, a Virginia- based subsidiary of the technology company VeriSign, began offering an $8,000 bounty to the first six researchers to find holes in Vista or the newest version of Internet Explorer, and up to $4,000 more for code that take can advantage of the weaknesses. Like Gleg, iDefense, will sell information about those vulnerabilities to companies and government agencies for an undisclosed amount, though iDefense makes it a practice to alert vendors like Microsoft first.

So do criminals:

But the iDefense rewards are low compared to bounties offered on the black market. In December, the Japanese antivirus company TrendMicro found a Vista vulnerability being offered by an anonymous hacker on a Romanian Web forum for $50,000.”

There’s a lot of FUD in this article, but also some good stuff.

Posted on February 5, 2007 at 12:44 PMView Comments

Why Management Doesn't Get IT Security

At the request of the Department of Homeland Security, a group called The Conference Board completed a study about senior management and their perceptions of IT security. The results aren’t very surprising.

Most C-level executives view security as an operational issue — kind of like facilities management — and not as a strategic review. As such, they don’t have direct responsibility for security.

Such attitudes about security have caused many organizations to distance their security teams from other parts of the business as well. “Security directors appear to be politically isolated within their companies,” Cavanagh says. Security pros often do not talk to business managers or other departments, he notes, so they don’t have many allies in getting their message across to upper management.

What to do? The report has some suggestions, the same ones you can hear at any security conference anywhere.

Security managers need to reach out more aggressively to other areas of the business to help them make their case, Cavanagh says. “Risk managers are among the best potential allies,” he observes, because they are usually tasked with measuring the financial impact of various threats and correlating them with the likelihood that those threats will happen.

“That can be tricky, because most risk managers come from a financial background, and they don’t speak the same language as the security people,” Cavanagh notes. “It’s also difficult because security presents some unusual risk scenarios. There are some franchise events that could destroy the company’s business, but have a very low likelihood of occurrence, so it’s very hard to gauge the risk.”

Getting attention (and budget) from top executives such as risk managers, CFOs, and CEOs, means creating metrics that help measure the value of the security effort, Cavanagh says. In the study, The Conference Board found that the cost of business interruption was the most helpful metric, cited by almost 64 percent of respondents. That metric was followed by vulnerability assessments (60 percent), benchmarks against industry standards (49 percent), the value of the facilities (43.5 percent), and the level of insurance premiums (39 percent).

Face time is another important way to gain attention in mahogany row, the report says. In industries where there are critical infrastructure issues, such as financial services, about 66 percent of top executives meet at least once a month with their security director, according to the study. That figure dropped to around 44 percent in industries without critical infrastructure issues.

I guess it’s more confirmation of the conventional wisdom.

The full report is available, but it costs $125 if you’re something called a Conference Board associate, and $495 if you’re not. But my guess is that you’ve already heard everything that’s in it.

Posted on November 8, 2006 at 6:15 AMView Comments

Stupid Security Awards Nominations Open

Get your nominations in.

The “Stupid Security Awards” aim to highlight the absurdities of the security industry. Privacy International’s director, Simon Davies, said his group had taken the initiative because of “innumerable” security initiatives around the world that had absolutely no genuine security benefit. The awards were first staged in 2003 and attracted over 5,000 nominations. This will be the second competition in the series.

“The situation has become ridiculous” said Mr Davies. “Security has become the smokescreen for incompetent and robotic managers the world over”.

Unworkable security practices and illusory security measures do nothing to help issues of real public concern. They only hinder the public, intrude unnecessary into our private lives and often reduce us to the status of cattle.

[…]

Privacy International is calling for nominations to name and shame the worst offenders. The competition closes on October 31st 2006. The award categories are:

  • Most Egregiously Stupid Award
  • Most Inexplicably Stupid Award
  • Most Annoyingly Stupid Award
  • Most Flagrantly Intrusive Award
  • Most Stupidly Counter Productive Award

The competition will be judged by an international panel of well-known security experts, public policy specialists, privacy advocates and journalists.

Posted on August 28, 2006 at 7:39 AMView Comments

CardSystems Exposes 40 Million Identities

The personal information of over 40 million people has been hacked. The hack occurred at CardSystems Solutions, a company that processes credit card transactions. The details are still unclear. The New York Times reports that “data from roughly 200,000 accounts from MasterCard, Visa and other card issuers are known to have been stolen in the breach,” although 40 million were vulnerable. The theft was an intentional malicious computer hacking activity: the first in all these recent personal-information breaches, I think. The rest were accidental — backup tapes gone walkabout, for example — or social engineering hacks. Someone was after this data, which implies that’s more likely to result in fraud than those peripatetic backup tapes.

CardSystems says that they found the problem, while MasterCard maintains that they did; the New York Times agrees with MasterCard. Microsoft software may be to blame. And in a weird twist, CardSystems admitted they weren’t supposed to keep the data in the first place.

The official, John M. Perry, chief executive of CardSystems Solutions…said the data was in a file being stored for “research purposes” to determine why certain transactions had registered as unauthorized or uncompleted.

Yeah, right. Research = marketing, I’ll bet.

This is exactly the sort of thing that Visa and MasterCard are trying very hard to prevent. They have imposed their own security requirements on companies — merchants, processors, whoever — that deal with credit card data. Visa has instituted a Cardholder Information Security Program (CISP). MasterCard calls its program Site Data Protection (SDP). These have been combined into a single joint security standard, PCI, which also includes Discover, American Express, JCB, and Diners Club. (More on Visa’s PCI program.)

PCI requirements encompass network security, password management, stored-data encryption, access control, monitoring, testing, policies, etc. And the credit-card companies are backing these requirements up with stiff penalties: cash fines of up to $100,000, increased transaction fees, orand termination of the account. For a retailer that does most of its business via credit cards, this is an enormous incentive to comply.

These aren’t laws, they’re contractual business requirements. They’re not imposed by government; the credit card companies are mandating them to protect their brand.

Every credit card company is terrified that people will reduce their credit card usage. They’re worried that all of this press about stolen personal data, as well as actual identity theft and other types of credit card fraud, will scare shoppers off the Internet. They’re worried about how their brands are perceived by the public. And they don’t want some idiot company ruining their reputations by exposing 40 million cardholders to the risk of fraud. (Or, at least, by giving reporters the opportunity to write headlines like “CardSystems Solutions hands over 40M credit cards to hackers.”)

So independent of any laws or government regulations, the credit card companies are forcing companies that process credit card data to increase their security. Companies have to comply with PCI or face serious consequences.

Was CardSystems in compliance? They should have been in compliance with Visa’s CISP by 30 September 2004, and certainly they were in the highest service level. (PCI compliance isn’t required until 30 June 2005 — about a week from now.) The reality is more murky.

After the disclosure of the security breach at CardSystems, varying accounts were offered about the company’s compliance with card association standards.

Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard’s standards. “They were in violation of our rules,” she said.

It is not clear whether or when MasterCard intervened with the company in the past to insure compliance, but MasterCard said Friday that it had now given CardSystems “a limited amount of time” to do so.

Asked about compliance with Visa’s standards, a Visa spokeswoman, Rosetta Jones, said, “This particular processor was not following Visa’s security requirements when we found out there was a potential data compromise.”

Earlier, Mr. Perry of CardSystems said his company had been audited in December 2003 by an unspecified independent assessor and had received a seal of approval from the Visa payment associations in June 2004.

All of this demonstrates some limitations of any certification system. One, companies can take advantage of interpersonal and intercompany politics to get themselves special treatment with respect to the policies. And two, all audits rely to a great extent on self-assessment and self-disclosure. If a company is willing to lie to an auditor, it’s unlikely that it will get caught.

Unless they get really caught, like this incident.

Self-reporting only works if the punishment exceeds the crime. The reason people accurately declare what they bring into the country on their customs forms, for example, is because the penalties for lying are far more expensive than paying any duty owed.

If the credit card industry wants their PCI requirements taken seriously, they need to make an example out of CardSystems. They need to revoke whatever credit card processing license CardSystems has, to the maximum extent possible by whatever contracts they have in place. Only by making CardSystems a demonstration of what happens to someone who doesn’t comply will everyone else realize that they had better comply.

(CardSystems should also face criminal prosecution, but that’s unlikely in today’s business-friendly political environment.)

I have great hopes for PCI. I like security solutions that involve contracts between companies more than I like government intervention. Often the latter is required, but the former is more effective. Here’s PCI’s chance to demonstrate their effectiveness.

Posted on June 23, 2005 at 8:55 AMView Comments

Company Continues Bad Information Security Practices

Stories about thefts of personal data are dime-a-dozen these days, and are generally not worth writing about.

This one has an interesting coda, though.

An employee hoping to get extra work done over the weekend printed out 2004 payroll information for hundreds of SafeNet’s U.S. employees, snapped it into a briefcase and placed the briefcase in a car.

The car was broken into over the weekend and the briefcase stolen — along with the employees’ names, bank account numbers and Social Security numbers that were on the printouts, a company spokeswoman confirmed yesterday.

My guess is that most readers can point out the bad security practices here. One, the Social Security numbers and bank account numbers should not be kept with the bulk of the payroll data. Ideally, they should use employee numbers and keep sensitive (but irrelevant for most of the payroll process) information separate from the bulk of the commonly processed payroll data. And two, hard copies of that sensitive information should never go home with employees.

But SafeNet won’t learn from its mistake:

The company said no policies were violated, and that no new policies are being written as a result of this incident.

The irony here is that this is a security company.

Posted on May 10, 2005 at 3:00 PMView Comments

Security Information Management Systems (SIMS)

The computer security industry is guilty of overhyping and underdelivering. Again and again, it tells customers that they must buy a certain product to be secure. Again and again, they buy the products — and are still insecure.

Firewalls didn’t keep out network attackers — in fact, the notion of “perimeter” is severely flawed. Intrusion detection systems (IDSs) didn’t keep networks safe, and worms and viruses do considerably damage despite the prevalence of antivirus products. It’s in this context that I want to evaluate Security Information Management Systems, or SIMS, which promise to solve a serious network problem: log analysis.

Computer logs are a goldmine of security information, containing not just IDS alerts, but messages from firewalls, servers, applications, and other network devices. Your network produces megabytes of these logs every day, and hidden in them are attack footprints. The trick is finding and reacting to them fast enough.

Analyzing log messages can determine how the attacker broke in, what he accessed, whether any backdoors were added, and so on. The idea behind log analysis is that if you can read the log messages in real time, you can figure out what the attacker is doing. And if you can respond fast enough, you can kick him out before he does damage. It’s security detection and response. Log analysis works, whether or not you use SIMS.

Even better, it works against a wide variety of risks. Unlike point solutions, security monitoring is general. Log analysis can detect attackers regardless of their tactics.

But SIMS don’t live up to the hype, because they’re missing the essential ingredient that so many other computer security products lack: human intelligence. Firewalls often fail because they’re configured and maintained improperly. IDSs are often useless because there’s no one to respond to their alerts — or to separate the real attacks from the false alarms. SIMS have the same problem: unless there’s a human expert monitoring them, they’re not defending anything. The tools are only as effective as the people using them.

SIMS require vigilance: attacks can happen at any time of the day and any day of the year. Consequently, staffing requires five fulltime employees; more, if you include supervisors and backup personnel with more specialized skills. Even if an organization could find the budget for all of these people, it would be very difficult to hire them in today’s job market. And attacks against a single organization don’t happen often enough to keep a team of this caliber engaged and interested.

Back in 1999, I founded Counterpane Internet Security; we sell an outsourced service called Managed Security Monitory, in which trained security analysts monitor IDS alerts and log messages. Because of the information our analysts received from the network — in real time — as well as their training and expertise, the analysts could detect attacks in progress and provide customers with a level of security they were incapable of achieving otherwise.

When building the Counterpane monitoring service in 1999, we examined log-monitoring appliances from companies like Intellitactics and e-Security. Back then, they weren’t anywhere near good enough for us to use, so we developed our own proprietary system. Today, because of the caliber of the human analysts who use the Counterpane system, it’s much better than any commercial SIMS. We were able to design it with our expert detection-and-response analysts in mind, and not the general sysadmin market.

The key to network security is people, not products. Piling more security products, such as SIMS, only our network won’t help. This is why I believe that network security will eventually be outsourced. There’s no other cost-effective way to reliably get the experts you need, and therefore no other cost-effective way to reliably get security.

This originally appeared in the September/October 2004 issue of IEEE Security and Privacy Magazine.

Posted on October 20, 2004 at 6:03 PMView Comments

1 3 4 5

Sidebar photo of Bruce Schneier by Joe MacInnis.