Where's the threat?

And other security fairytales


Goldilocks was very tired by this time, so she went upstairs to the bedroom. She lay down in the first bed, but it was too hard. Then she lay in the second bed, but it was too soft. Then she lay down in the third bed and it was just right. Goldilocks fell asleep.

I'm sure everyone remembers the story of Goldilocks and the three bears: Goldilocks stumbles upon an empty house in the forest and proceeds to sample food, sit on chairs and nap in several beds until the three bears come home. Each time, she's surprised to find that the items belonging to the smallest bear suit her best. What does this fairytale have to do with security? Well, it can come as a surprise when security consultants find themselves in a similar spot.

Today let's imagine the life of a typical security consultant, who we'll call Brownlocks…

Brownlocks is a technical guy. He loves getting his hands dirty and zoning out while hunched over a laptop, inspecting packets or pieces of code. Unfortunately, working on the good stuff is typically only a sliver of the work week. Pre-sales meetings, proposal writing and client development, the business side of the house, eat up the bulk of his consulting hours. While reviewing the schedule from a few weeks ago, Brownlocks was ecstatic to find nothing but technical work ahead of him for several days. The technical work is the fun part, yet too often it gets squeezed out by all those meetings, phone calls, discussions and appointments.

The first company on Brownlocks' agenda was a large enterprise, and the engagement was a set of meetings to discuss long-term opportunities. Brownlocks got an overview of the enterprise network and some of their security concerns. The company had experienced explosive growth and success over the past several years and had become heavily dependent on its infrastructure: every second of downtime would cost big dollars and lost customers. One of the men on staff, quite knowledgeable and already tackling several of the security problems, informed Brownlocks that he was the first and only security person they had hired, and he had come on board quite recently. Brownlocks stared back in disbelief, a bit shell-shocked: a company of that size should have had a security army. They believed their security was already pretty much in order. While the organization had the basic security posture in place (firewalls, IDS, encryption), Brownlocks knew there was a lot of work to be done. Everywhere he looked, from the design of the network to physical security, he saw big holes. Brownlocks, not one to overreact, found himself cringing at several points during the discussions. He couldn't understand how an organization so dependent upon technology, where money was clearly not a problem, could skimp on security for so long. Because most of their business occurred online, the risks were compounded, and they faced several challenging problems. Yet it seemed security had long been an afterthought. Had they ever experienced an incident? Had they ever worried about the cost of lost business after getting hacked? They weren't too interested in security services. Faced with that overall lack of interest, Brownlocks moved on in disbelief.

The next company, a medium-sized organization with about 400 people and numerous offices, came by way of referral. Brownlocks had discussed an assessment with this company several times over the past year already, and they were finally ready to proceed. Externally, everything was rock solid, which wasn't a surprise given the network setup they employed. Internally, however, it was another story. This company had a very competent IT team, but they were understaffed and overworked. Unfortunately, Brownlocks realized this organization mirrored many businesses of this size in terms of security: they had the basics down, but were in deep trouble if an attacker targeted them or an employee turned malicious. Their team knew this and hoped to address security more directly in the future, when they got caught up on the other work. Sadly, Brownlocks knew that the workload never lightens, and that future may never come. Someone on this small IT team had just left the organization, which meant that security went on the back burner as they scrambled to distribute the additional work among the remaining staff. This company wouldn't do either.

The last project was a small client who had initially contacted Brownlocks last year for an incident response case. They had been hacked at a critical time and needed immediate help eliminating the intruders. That work blossomed into a few other projects, all designed to increase security. They were a small business (50 people) with a couple of satellite offices. They had a small but sharp IT staff (two people) and a management team that embraced technology. In recent discussions, they had requested a penetration test, something 90 per cent of customers mistakenly ask for when a vulnerability assessment is what they actually need. But in this case, Brownlocks agreed: they had done the basic hardening and could benefit from having someone actively try to get in. He spent the next few days hammering away. In the report and follow-up discussions, Brownlocks pointed out the remaining weaknesses of the perimeter network. During the project, he couldn't help but think about how far this small organization had come. When they first called him, their internal network had been hit hard and was compromised, an ugly, annoying situation all security professionals fear. Now they were tweaking IDS rules, tightening the firewall to close an already minimal set of open ports and considering further network segmentation. Several employees and the satellite offices were using the new VPN to work remotely. This organization didn't have a lot of resources, but they had learned a lesson last year and had since implemented a robust security strategy. The little organization had come full circle, and Brownlocks was proud to have played a role in that. This small company fit him just right.

Back to reality...

Obviously, the small company suited Brownlocks well, just as in our analogy the small bear's items fit Goldilocks. One can only hope to generate in larger companies the same kind of passion for security that many smaller clients already demonstrate. It can seem silly to compare the network concerns of a 50-person company to those of a 500- or 5,000-person company; the environments are quite different, but the need for security is the same.

Lately there has been a lot of talk about stagnation in the security industry. And sometimes we all get bored, myself included; maybe that's why it's useful to look at a network security fairytale like this. The chatter always seems to be the same: tighten the firewall, use encryption, update your signatures... but for most organizations, there's still a lot more work to be done. And most importantly, the industry is only now beginning to address the really juicy problems, such as trust relationships or application layer security.

As consultants, seeing one client who recognizes the importance of security, regardless of their size, is invigorating. Seeing a mid-sized organization struggle to keep up and then an enterprise-class one in denial (yet in dire need) can be an eye-opening experience. However, we must all pick our battles, and we all have a lot of work to do. I just hope we don't end up like Goldilocks, running for our lives with some angry bears close behind.

Copyright © 2005, SecurityFocus
