
November 2002

Misguided Thinking

5 misconceptions continue to hamper overall security.

BY Jay Heiser

Certain ill-conceived ideas have become fixed in the common infosec imagination. These unfortunate "rules of thumb" have grown like cancers, displacing healthier and more productive ideas. They serve as mental crutches, allowing overworked managers and admins to make quick and "justifiable" decisions instead of admitting that the real answers are quite hard to find. It's often easier to be wrong but harmonious than to engage in a never-ending internal battle. Ignorance may be bliss, but it's a really bad model for a successful infosec program.

In a field like infosec, we can't afford to assume that we know everything. Here are five answers that never should be applied to difficult problems:

Misconception 1: All vulnerabilities need fixing. Some people can't see a loose thread hanging from a jacket without having an uncontrollable urge to pull it--like some security folks can't rest knowing that their systems have vulnerabilities. We're bombarded by thousands of annoying reports about vulnerabilities that will never be exploited in a significant way. Even if a specific vulnerability becomes popular with crackers, it's still of no consequence unless the attackers can reach it. We need to learn to live with imperfection.

Misconception 2: No host is safe unless it's behind a firewall. Firewalls aren't walls at all, but rather doors that allow a relatively trusted network to exchange traffic under controlled conditions with a less trusted network. They're a useful expedient because it's neither practical nor desirable to completely harden every system on a WAN.

Unfortunately, faith in firewalls encourages sysadmins to ignore real vulnerabilities, which are increasingly reached through application protocol traffic that flows freely through these controlled gateways.

Given that Internet-facing servers should be configured to resist all known attacks, why should we feel compelled to put firewalls in front of them? Because we think of firewalls like big expensive vitamins--grab a couple whenever you're feeling weak. Firewalls aren't universal security enhancers--they're tools that are only worth the bother in specific circumstances.
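Misconceptions 1 and 2 make the same point from two sides: a vulnerability matters in proportion to whether an attacker can actually reach it, and a firewall only reduces that reach for services it blocks, not for application protocols it already lets through. The following script is an added example, not part of the original column, that ranks constructed vulnerability findings by reachability rather than by raw severity. The hostnames, vulnerability ids, CVSS numbers and the exposure weights are all assumptions made up for illustration.

```python
"""Risk-rank vulnerability findings by reachability, not by raw severity alone.

Added illustration for the column's first two misconceptions. All hosts,
ids, scores and weights below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str                     # placeholder id, not a real advisory
    cvss_base: float                 # technical severity, 0.0 - 10.0
    exposure: str                    # "internet", "firewalled" or "isolated"
    service_permitted_by_firewall: bool  # firewall passes this service's traffic anyway
    exploit_public: bool             # a working exploit is circulating


# Assumed reachability weights: how easily an outside attacker reaches the host.
EXPOSURE_WEIGHT = {"internet": 1.0, "firewalled": 0.1, "isolated": 0.05}


def reachability(f: Finding) -> float:
    """A firewall only lowers reachability if it blocks the vulnerable service."""
    if f.exposure == "firewalled" and f.service_permitted_by_firewall:
        return EXPOSURE_WEIGHT["internet"]   # e.g. a web app behind a firewall that allows HTTP
    return EXPOSURE_WEIGHT[f.exposure]


def risk_score(f: Finding) -> float:
    """Severity x reachability x threat; the last factor drops when no exploit is known."""
    threat = 1.0 if f.exploit_public else 0.3
    return round(f.cvss_base * reachability(f) * threat, 2)


def prioritize(findings, threshold=2.0):
    """Return findings worth fixing now, highest risk first; the rest can wait."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [f for f in ranked if risk_score(f) >= threshold]


# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("db-01", "VULN-A", 9.8, "isolated", False, False),   # critical, but unreachable
    Finding("www-01", "VULN-B", 7.5, "internet", False, True),   # directly exposed, exploit public
    Finding("app-02", "VULN-C", 6.5, "firewalled", True, True),  # firewall lets the service through
    Finding("file-03", "VULN-D", 9.0, "firewalled", False, False),  # firewall actually blocks it
]


if __name__ == "__main__":
    for f in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        print(f"{f.host:8} {f.vuln_id:7} cvss={f.cvss_base:4} risk={risk_score(f)}")
    print("fix now:", [f.host for f in prioritize(SAMPLE_FINDINGS)])
```

Run as-is, the two highest-CVSS findings (the isolated database and the firewalled file server) fall to the bottom of the list, while the medium-severity web application behind a firewall that permits HTTP ranks second. The weights are deliberately crude; the point is that reachability and exploit availability belong in the equation, not that these particular numbers are right.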

Misconception 3: Insiders represent the biggest threat. In terms of lost productivity and fraud, hostile insiders certainly are more significant than external attackers. But in terms of what keeps corporate leaders awake at night, hackers beat evil sysadmins every time.

Most organizations can withstand quite a bit of disruption, as long as nobody on the outside is aware of it. Embarrassment is one of the biggest motivators for healthy security budgets. While publicists would have you believe that there's no such thing as bad news, there are damn few organizations that would benefit from having a security breach reported on the evening news. A firm's reputation takes years to create and can be destroyed in a day. Given readers' insatiable appetite for bad news, it makes good sense to make the avoidance of bad PR a significant factor in the risk equation.

Misconception 4: Java security is inadequate. The "vulnerability Cassandras" have been crying about Java security risks for six years, but we're still waiting for a significant event. Is Java a potential risk? Yes. Does it represent a significant vulnerability? Not yet. Certainly the campaign to warn against Java vulnerabilities has encouraged hyper-attention to the engineering of Java security. It can also be argued that years of crying wolf has diminished users' confidence in security professionals' ability to predict future threats.

Misconception 5: Cyberterrorism. Terrorism may be on the increase, but there is no compelling evidence that terrorists are going to use the Internet in a way that will significantly affect our infosec risk. They promulgate their political agenda by performing physical acts which result in terror. In the digital realm, they can steal money and perform intelligence gathering, but the Internet offers them nothing with the psychological impact of knocking over an office building.

The risk of politically motivated attacks against our computing infrastructure is definitely increasing, but mostly at the script-kiddie and hacker level. Real terrorists have much more ambitious plans than hacking web sites. If you are concerned about terrorism, then increase the emphasis on your disaster recovery plan.

Dramatic warnings about information warfare have always played well on the lecture circuit, but it's shameful to exploit the September 11 attacks to sell infosec products or increase our budgets.


Columnist JAY HEISER, CISSP, works for a large European bank in London. His most recent book is Computer Forensics: Incident Response Essentials (Addison-Wesley, 2001).

Copyright 2002 TechTarget