Where's the threat?

And other security fairytales


Comment Goldilocks was very tired by this time, so she went upstairs to the bedroom. She lay down in the first bed, but it was too hard. Then she lay in the second bed, but it was too soft. Then she lay down in the third bed and it was just right. Goldilocks fell asleep.

I'm sure everyone remembers the story of Goldilocks and the three bears: Goldilocks stumbles upon an empty house in the forest and proceeds to sample food, sit on chairs and nap in several beds until the three bears come home. Each time, she's surprised to find that the items belonging to the smallest bear suit her best. What does this fairytale have to do with security? Well, it can come as a surprise when security consultants find themselves in a similar spot.

Today let's imagine the life of a typical security consultant, who we'll call Brownlocks…

Brownlocks is a technical guy. He loves getting his hands dirty and zoning out while hunching over a laptop, inspecting packets or pieces of code. Unfortunately, working on the good stuff is typically only a sliver of the work week. Pre-sales meetings, proposal writing and client development eat up the bulk of his consulting hours - the business side of the house. While reviewing the schedule from a few weeks ago, Brownlocks was ecstatic to find nothing but technical work ahead of him for several days. The technical work is the fun part, yet too often it gets crowded out by all those meetings, phone calls, discussions and appointments.

First on Brownlocks' agenda was a set of meetings with a large company to discuss long term opportunities. Brownlocks got an overview of the enterprise network and some of their security concerns. The large company had experienced explosive growth and success over the past several years and had become heavily dependent on their infrastructure. Every second of downtime would cost big dollars and lost customers. One of the men on staff, quite knowledgeable and already tackling several of the security problems, informed Brownlocks that he was the first and only security person they had hired (and he had come on board quite recently). Brownlocks stared back in disbelief, a bit shell shocked, as a company of this size should have had a security army. They believed their security was already pretty much in order. While the organization had formed the basic security posture (firewalls, IDS, encryption), Brownlocks knew there was a lot of work to be done. Everywhere he looked, from the design of the network to physical security, he saw big holes. Brownlocks, not one to overreact, found himself cringing at several points during the discussions. He couldn't understand how an organization so dependent upon technology, where money was clearly not a problem, could skimp on security for so long. They faced several challenging problems because most of their business occurred online, further compounding the risks. Yet it seemed security had long been an afterthought. Had they ever experienced an incident? Had they worried about the cost of lost business from getting hacked? They weren't too interested in security services. Due to their overall lack of interest in security, Brownlocks moved on in disbelief.

The next company, a medium sized organization with about 400 people and numerous offices, came by way of referral. Brownlocks had discussed an assessment with this company several times over the past year already, and they were finally ready to proceed. Externally, everything was rock solid, which wasn't a surprise given the network setup they employed. Internally however, it was another story. This company had a very competent IT team, but they were understaffed and overworked. Unfortunately, Brownlocks realized this organization mirrored many businesses of this size in terms of security. They had the basics down, but were in deep trouble if an attacker targeted them or an employee turned malicious. Their team knew this and hoped to address security more directly in the future, when they got caught up on the other work. Sadly, Brownlocks knew that the workload never lightens, and that future may never come. Someone on this small IT team had just left the organization, which meant that security was on the back burner as they scrambled to distribute the additional work among the remaining staff. This company wouldn’t do either.

The last project was a small client who initially contacted Brownlocks last year for an incident response case. They had been hacked at a critical time and needed immediate help eliminating the intruders. That work blossomed into a few other projects, all designed to increase security. They were a small business (50 people) with a couple of satellite offices. They had a small but sharp IT staff (two people) and a management team that embraced technology. In recent discussions, they requested a penetration test, something 90 per cent of customers mistakenly ask for instead of a vulnerability assessment. But in this case, Brownlocks agreed - they could benefit from such a test. He spent the next few days hammering away. In the report and follow-up discussions, Brownlocks pointed out the remaining weaknesses of the perimeter network. During the project, he couldn't help but think about how far this small organization had come. When they first called him, their internal network had been hit hard and was compromised - an ugly, annoying situation all security professionals fear. Now they were tweaking IDS rules, attempting to close an already minimal set of ports by tightening the firewall and considering further network segmentation. Several employees and the satellite offices were using the new VPN to work remotely. This organization didn't have a lot of resources, but they had learned a lesson last year and had since implemented a robust security strategy. The little organization had come full circle and Brownlocks was proud to have played a role in that. This small company fit him just right.

Back to reality...

Obviously, the small company suited Brownlocks well, just as in our analogy the small bear's items fit Goldilocks. One can only hope to generate in larger companies the same kind of passion for security that many smaller clients already demonstrate. It may seem silly to compare the network concerns of a 50-person company with those of a 500- or 5,000-person company; the environments are quite different, but the need for security is the same.

Lately there has been a lot of talk about stagnation in the security industry. And sometimes we all get bored, myself included - maybe that’s why it's useful to look at a network security fairytale like this. The chatter always seems to be the same: tighten the firewall, use encryption, update your signatures... but for most organizations, there's still a lot more work to be done. And most importantly, the industry is only now beginning to address the really juicy problems, such as trust relationships or application layer security.

As consultants, seeing one client who recognizes the importance of security, regardless of their size, is revivifying. Seeing a mid-sized organization struggle to keep up and then an enterprise-class one in denial (yet in dire need) can be an eye-opening experience. However, we must all pick our battles, and we all have a lot of work to do. I just hope we don't end up like Goldilocks - running for our lives with some angry bears close behind.

Copyright © 2005, SecurityFocus
