Thursday, June 25, 2009

Security and Privacy: Best practices?

For more than a couple of decades we have been trying to build secure systems and applications. Enormous time and effort from academia and industry have taken the technologies surrounding security to new dimensions. However, a majority of these areas still remain vulnerable to attack. Operating systems with weak controls and unaddressed flaws have been widely adopted for cost and ease, and every so often we hear the words "open source" to justify the choice.

Layers of so-called 'security software' have been built on top of these flaws to mask the fundamental security threats. The configuration of these security layers, and the job of having to run them during critical work hours, has never gone down well with end users, creating an additional burden. This does not help the system's performance and leaves a lot to be wondered when it comes to creating efficient and smart security software packages. When you consider insider threats, the pre-configured intrusion systems and firewalls do not serve the purpose. On top of these we have malware detection systems and the requirement to get the latest "live" patches. Yet, I am not sure if we are moving away from or closer to securing our critical data. On top of this, identity theft is definitely not declining in spite of all these kewl and secure tools. In fact, identity theft affected almost 10 million victims in 2008 in the United States alone - an embarrassing 22% increase from 2007.

I am positive that one of the reasons for these repeated failures is that we are not addressing the root cause of the problem. Threats by nature are all unique. The timing, nature, environment and state of the application software make each threat close to non-replicable. If you give a malware instance an Einsteinic avatar, two objects, however identical, cannot exist in the same space at the same time. Environment and ecosystem details define the state of the attack and the nature of the entry for the threat. Get this - there cannot be one security system for all attacks. The more artificial and incomplete solutions you throw on top of your core system, the more burden you add to it, making it even more vulnerable. The worst part is your ignorance of the newer potential threats that you have just exposed your systems to. Think about using a pill that cures your headache but carries unknown health hazards as side effects.

Once upon a time, a wise man by the name of Birbal was walking back to his king's palace. Birbal found a man looking for a ring in a heap of sand beside the road. Birbal asked the man if he knew that the ring was in the sand. 'Yes,' was the answer. 'I made a hole and put it in myself to keep it safe.' 'Didn't you mark the exact place?' asked Birbal. 'Yes. Do you think I would bury a ring of great value without a sign? Right above the place where I buried the ring was a cloud shaped exactly like a camel. Now the cloud has gone, and my ring seems to have gone also.'

There are many lessons one can infer from this story. One of them is to make sure we search for solutions in the right places. This applies aptly to privacy and cybersecurity. If an attacker is motivated and has sufficient time and history about a particular system, no system is foolproof. There is no perfect security system as such, and an assured denial-of-service attack can be accomplished with enough exposure to a system environment. That is why we use the term "best practices": the real goal should be to anticipate all the possible threats and construct sufficient defenses against each of the likely threats. Your overall goal has to be to reduce overall risk and minimize the time and extent to which your system is compromised.

Building generic security tools on top of systems that are not well understood is like sending open invitations to hackers, and at the same time is like neglecting the basic premise in secured computing: Only Privileged users can have access to security/admin sections. We need to start thinking about what policies and rules we need to put in place while adding on newer pieces of software and then... strictly enforce them. It cannot be the other way. You cannot have a management solution for a technical problem. The other part is to ascertain the true value of the assets that we are protecting and determine the tolerance level for a given exposure.

As responsible members of the secured computing ecosystem, we need to ensure we do not look for the ring under the cloud where we secured it. Do you feel completely secure completing an online bank transaction? Ignore the insurance part. Here are some recent examples of internal threats where no firewall could have worked its magic wand.

(1) Yusuf Acar, Washington D.C.'s CSO, is still in jail on charges of the bribery scheme he was running out of his office. One of the biggest challenges facing authorities is understanding how pervasive his access was to systems and information in the IT infrastructure - Acar had set up backdoors throughout the organisation through his privileged accounts;

(2) In one of the most infamous cases of privileged abuse, IT worker Terry Childs was charged with bringing San Francisco to a grinding halt last year by using his privileged admin account to lock down the San Francisco IT system;

(3) Fannie Mae narrowly avoided a devastating attack after a former employee used his privileged access to implant a logic bomb on the company's network that could have brought the network down entirely.

So... what questions do you have in your mind? Doubt, they say, isn't the opposite of faith; it is an element of it.

2 comments:

  1. Nice article. Security is one area that will never ever have a near solution. The search continues.
  2. @Abinaya, Very true! No foolproof solution here.