Where's the threat?
And other security fairytales
Comment Goldilocks was very tired by this time, so she went upstairs to the bedroom. She lay down in the first bed, but it was too hard. Then she lay in the second bed, but it was too soft. Then she lay down in the third bed and it was just right. Goldilocks fell asleep.
I'm sure everyone remembers the story of Goldilocks and the three bears: Goldilocks stumbles upon an empty house in the forest and proceeds to sample food, sit on chairs and nap in several beds until the three bears come home. Each time, she's surprised to find that the items belonging to the smallest bear suits her best. What does this fairytale have to do with security? Well, it can come as a surprise when security consultants find themselves in a similar spot.
Today let's imagine the life of a typical security consultant, who we'll call Brownlocks…
Brownlocks is a technical guy. He loves getting his hands dirty and zoning out while hunching over a laptop, inspecting packets or pieces of code. Unfortunately, working on the good stuff is typically only a sliver of the work week. Pre-sales meetings, proposal writing and client development eat up the bulk of his consulting hours - the business side of the house. While reviewing the schedule from a few weeks ago, Brownlocks was ecstatic to find nothing but technical work ahead of him for several days. The technical work is the fun part, yet too often it slides in under the guise of all those meetings, phone calls, discussions and appointments.
The first company on Brownlock’s agenda was a set of meetings with a large company to discuss long term opportunities. Brownlocks got an overview of the enterprise network and some of their security concerns. The large company had experienced explosive growth and success over the past several years and had become heavily dependent on their infrastructure. Every second of downtime would cost big dollars and lost customers. One of the men on staff, quite knowledgeable and already tackling several of the security problems, informed Brownlocks that he was the first and only security person they hired (and he came on board quite recently). Brownlocks stared back in disbelief, a bit shell shocked, as due to the size of this company they should have had a security army. They believed their security was already pretty much in order. While the organization had formed the basic security posture (firewalls, IDS, encryption), Brownlocks knew there was a lot of work to be done. Everywhere he looked, from the design of the network to physical security, he saw big holes. Brownlocks, not one to overreact, found himself cringing at several points during the discussions. He couldn't understand how an organization so dependent upon technology, where money was clearly not a problem, could skimp on security for so long. They faced several challenging problems because most of their business occurred online, further compounding the risks. Yet it seemed security had long been an afterthought. Had they ever experienced an incident? Have they worried about the cost of lost business from getting hacked? They weren't too interested in security services. Due to their overall lack of interest in security, Brownlocks moved on in disbelief.
The next company, a medium sized organization with about 400 people and numerous offices, came by way of referral. Brownlocks had discussed an assessment with this company several times over the past year already, and they were finally ready to proceed. Externally, everything was rock solid, which wasn't a surprise given the network setup they employed. Internally however, it was another story. This company had a very competent IT team, but they were understaffed and overworked. Unfortunately, Brownlocks realized this organization mirrored many businesses of this size in terms of security. They had the basics down, but were in deep trouble if an attacker targeted them or an employee turned malicious. Their team knew this and hoped to address security more directly in the future, when they got caught up on the other work. Sadly, Brownlocks knew that the workload never lightens, and that future may never come. Someone on this small IT team had just left the organization, which meant that security was on the back burner as they scrambled to distribute the additional work among the remaining staff. This company wouldn’t do either.
The last project was a small client who initially contacted Brownlocks last year for an incident response case. They had been hacked at a critical time and needed immediate help eliminating the intruders. That work blossomed into a few other projects, all designed to increase security. They were a small business (50 people) with a couple of satellite offices. They had a small, but sharp IT staff (two people) and a management team that embraced technology. In recent discussions, they requested a penetration test, something 90 per cent of customers mistakenly ask for instead of a vulnerability assessment. But in this case, Brownlocks agreed - they could benefit from such a test. He spent the next few days hammering away. In the report and follow-up discussions, Brownlocks pointed out the remaining weaknesses of the perimeter network. During the project, he couldn't help but think about how far this small organization had come. When they first called him, their internal network had been hit hard and was compromised - an ugly, annoying situation all security professionals fear. Now they were tweaking IDS rules, attempting to close an already minimal set of ports by tightening the firewall and considering further network segmentation. Several employees and the satellite offices were using the new VPN to work remotely. This organization didn't have a lot of resources, but they learned a lesson last year and had since implemented a robust security strategy. The little organization had come full circle and Brownlocks was proud to have played a roll in that. This small company fit him just right.
Back to reality...
Obviously, the small company suited Brownlocks well, just as in our analogy the small bear's items fit Goldilocks. One can only hope to generate the same kind of passion for security with larger companies that many smaller clients already demonstrate. While it can be silly to compare the network concerns of a 50 person company to a 500 or 5,000 person company, the environments are quite different but the need for security is the same.
Lately there has been a lot of talk about stagnation in the security industry. And sometimes we all get bored, myself included - maybe that’s why it's useful to look at a network security fairytale like this. The chatter always seems to be the same: tighten the firewall, use encryption, update your signatures... but for most organizations, there's still a lot more work to be done. And most importantly, the industry is only now beginning to address the really juicy problems, such as trust relationships or application layer security.
As consultants, seeing one client who recognizes the importance of security, regardless of their size, is revivifying. Seeing a mid-sized organization struggle to keep up and then an enterprise-class one in denial (yet in dire need) can be an eye-opening experience. However, we must all pick our battles, and we all have a lot of work to do. I just hope we don't end up like Goldilocks - running for our lives with some angry bears close behind.