Where's the threat?

And other security fairytales


Goldilocks was very tired by this time, so she went upstairs to the bedroom. She lay down in the first bed, but it was too hard. Then she lay in the second bed, but it was too soft. Then she lay down in the third bed and it was just right. Goldilocks fell asleep.

I'm sure everyone remembers the story of Goldilocks and the three bears: Goldilocks stumbles upon an empty house in the forest and proceeds to sample food, sit on chairs and nap in several beds until the three bears come home. Each time, she's surprised to find that the items belonging to the smallest bear suit her best. What does this fairytale have to do with security? Well, it can come as a surprise when security consultants find themselves in a similar spot.

Today let's imagine the life of a typical security consultant, who we'll call Brownlocks…

Brownlocks is a technical guy. He loves getting his hands dirty and zoning out while hunching over a laptop, inspecting packets or pieces of code. Unfortunately, working on the good stuff is typically only a sliver of the work week. Pre-sales meetings, proposal writing and client development eat up the bulk of his consulting hours - the business side of the house. While reviewing the schedule a few weeks ago, Brownlocks was ecstatic to find nothing but technical work ahead of him for several days. The technical work is the fun part, yet too often it gets buried under all those meetings, phone calls, discussions and appointments.

First on Brownlocks' agenda was a set of meetings with a large company to discuss long-term opportunities. Brownlocks got an overview of the enterprise network and some of their security concerns. The large company had experienced explosive growth and success over the past several years and had become heavily dependent on its infrastructure. Every second of downtime would cost big dollars and lost customers. One of the men on staff, quite knowledgeable and already tackling several of the security problems, informed Brownlocks that he was the first and only security person they had hired (and he had come on board quite recently). Brownlocks stared back in disbelief, a bit shell-shocked: a company this size should have had a security army. They believed their security was already pretty much in order. While the organization had the basic security posture in place (firewalls, IDS, encryption), Brownlocks knew there was a lot of work to be done. Everywhere he looked, from the design of the network to physical security, he saw big holes. Brownlocks, not one to overreact, found himself cringing at several points during the discussions. He couldn't understand how an organization so dependent upon technology, where money was clearly not a problem, could skimp on security for so long. Because most of their business occurred online, they faced several challenging problems that further compounded the risks. Yet it seemed security had long been an afterthought. Had they ever experienced an incident? Had they worried about the cost of lost business from getting hacked? They weren't too interested in security services, and given that overall lack of interest, Brownlocks moved on in disbelief.

The next company, a medium-sized organization with about 400 people and numerous offices, came by way of referral. Brownlocks had discussed an assessment with this company several times over the past year, and they were finally ready to proceed. Externally, everything was rock solid, which wasn't a surprise given the network setup they employed. Internally, however, it was another story. This company had a very competent IT team, but they were understaffed and overworked. Unfortunately, Brownlocks realized this organization mirrored many businesses of its size in terms of security. They had the basics down, but were in deep trouble if an attacker targeted them or an employee turned malicious. Their team knew this and hoped to address security more directly in the future, once they got caught up on the other work. Sadly, Brownlocks knew that the workload never lightens, and that future may never come. Someone on this small IT team had just left the organization, which meant that security was on the back burner as they scrambled to distribute the additional work among the remaining staff. This company wouldn't do either.

The last project was a small client who had initially contacted Brownlocks the previous year for an incident response case. They had been hacked at a critical time and needed immediate help eliminating the intruders. That work blossomed into a few other projects, all designed to increase security. They were a small business (50 people) with a couple of satellite offices. They had a small but sharp IT staff (two people) and a management team that embraced technology. In recent discussions, they requested a penetration test, something 90 per cent of customers mistakenly ask for instead of a vulnerability assessment. But in this case, Brownlocks agreed - they could benefit from such a test. He spent the next few days hammering away. In the report and follow-up discussions, Brownlocks pointed out the remaining weaknesses of the perimeter network. During the project, he couldn't help but think about how far this small organization had come. When they first called him, their internal network had been hit hard and was compromised - an ugly, annoying situation all security professionals fear. Now they were tweaking IDS rules, tightening the firewall to close an already minimal set of open ports and considering further network segmentation. Several employees and the satellite offices were using the new VPN to work remotely. This organization didn't have a lot of resources, but they had learned a lesson last year and had since implemented a robust security strategy. The little organization had come full circle, and Brownlocks was proud to have played a role in that. This small company fit him just right.

Back to reality...

Obviously, the small company suited Brownlocks well, just as in our analogy the small bear's items fit Goldilocks. One can only hope to generate the same kind of passion for security in larger companies that many smaller clients already demonstrate. It can seem silly to compare the network concerns of a 50-person company with those of a 500- or 5,000-person one; the environments are quite different, but the need for security is the same.

Lately there has been a lot of talk about stagnation in the security industry. And sometimes we all get bored, myself included - maybe that's why it's useful to look at a network security fairytale like this. The chatter always seems to be the same: tighten the firewall, use encryption, update your signatures... but for most organizations, there's still a lot more work to be done. And most importantly, the industry is only now beginning to address the really juicy problems, such as trust relationships and application-layer security.

As consultants, seeing one client who recognizes the importance of security, regardless of their size, is reinvigorating. Seeing a mid-sized organization struggle to keep up and then an enterprise-class one in denial (yet in dire need) can be an eye-opening experience. However, we must all pick our battles, and we all have a lot of work to do. I just hope we don't end up like Goldilocks - running for our lives with some angry bears close behind.

Copyright © 2005, SecurityFocus
