You Can’t Buy Security

Executive Summary: stop buying $tupid $tuff thinking that it will make you more secure.  Fix your fundamentals; there is no magic bullet.

Recently we’ve seen a spate of encryption products show up on the market.  Not to put too fine a point on it, but other people way smarter than us have said repeatedly that you cannot buy your way to secure, and this product family goes above and beyond in support of the argument that buying more security products is wasteful and stupid.  Without naming names, these products “enhance” intranet security by “grouping” servers into trusted and untrusted zones, and offering various tricks for either encrypting communication or denying access.

Now, that sounds an awful lot like what firewalls, VPNs, and ACLs do.  And pretty much everyone with anything worth protecting already has those.  While this “new” technology claims to make the job easier by integrating with directory services, the result doesn’t seem to add any additional security.  Let’s examine the specifics.

Server A and server B need to exchange information, and server C, which is not part of the security group, sits on the same switch in the data center.  Server A and B, without any additional technology, can exchange their valuable data in a switched environment, and C can’t see it.  Pretty simple.  If, however, we can compromise the switched environment, via ARP-spoofing or what have you, C can snoop on the transmission.  So more security seems in order.

Add to the mix that server A & B can encrypt their traffic using certificates.  Now C can spoof it and obtain the traffic, but it’s encrypted.  If C can compromise the encryption, by obtaining a copy of the A or B certificate and then attacking the conversation with a man-in-the-middle attack, again, C can get the data.

If A & B implement two-factor authentication, using something that can’t be taken off the wire by C, such as an external key, we make the transaction sufficiently complex that we can essentially disregard the threat and accept the remaining risk.

However, if the intruder has access to the network devices at all, the entire exercise is futile, because they’re already inside the perimeter.  Even if they can’t sniff the traffic, they can always compromise the servers directly, which means adding firewalls and alerting to the mix.

That results in a very strong security model, provided everything’s done right of course.

Now look at the addition of software that does all that for us for an additional fee.  What have we gained?  Encrypted communications?  Check.  Source/destination authentication?  Check.  Intrusion detection?  Nope.  Wait.  What?  I still need the detection and alerting capabilities?  Yes.  No matter what, you need detection and alerting.  It’s part of the fundamental security model.  And if you’ve got detection and alerting working right with everything else, you’ll spot attacks early enough to prevent loss.

You’ve got a detection and alerting system, right?  Watching for anomalies in behavior and data flow?  If not, that’s the #1 priority.
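As an added illustration of that detection point, and not code from the original post: a small Python check that watches the switched segment from the A/B/C scenario above for the two classic signs of ARP poisoning, an IP whose MAC suddenly changes and one MAC answering for several IPs.  The ARP-cache snapshots and addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample: successive ARP-cache snapshots from the switched
# segment where servers A (10.0.0.10), B (10.0.0.20) and the outsider
# C (10.0.0.30) sit. In the third snapshot C's MAC answers for A's IP.
ARP_SNAPSHOTS = [
    {"10.0.0.10": "aa:aa:aa:aa:aa:01", "10.0.0.20": "aa:aa:aa:aa:aa:02",
     "10.0.0.30": "cc:cc:cc:cc:cc:03"},
    {"10.0.0.10": "aa:aa:aa:aa:aa:01", "10.0.0.20": "aa:aa:aa:aa:aa:02",
     "10.0.0.30": "cc:cc:cc:cc:cc:03"},
    {"10.0.0.10": "cc:cc:cc:cc:cc:03", "10.0.0.20": "aa:aa:aa:aa:aa:02",
     "10.0.0.30": "cc:cc:cc:cc:cc:03"},
]


def find_arp_anomalies(snapshots):
    """Return alerts for two ARP-poisoning signatures: an IP whose MAC
    changes from the first mapping seen (the trusted baseline), and a
    MAC that claims more than one IP within a single snapshot."""
    alerts = []
    baseline = {}  # ip -> first MAC seen for that ip
    for idx, table in enumerate(snapshots):
        for ip, mac in table.items():
            mac = mac.lower()
            known = baseline.setdefault(ip, mac)
            if known != mac:
                alerts.append({"snapshot": idx, "kind": "mac_changed",
                               "ip": ip, "expected": known, "seen": mac})
        claims = defaultdict(list)  # mac -> ips it answers for
        for ip, mac in table.items():
            claims[mac.lower()].append(ip)
        for mac, ips in claims.items():
            if len(ips) > 1:
                alerts.append({"snapshot": idx, "kind": "mac_claims_many",
                               "mac": mac, "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    # Both alerts fire on the third snapshot, where C answers for A.
    for alert in find_arp_anomalies(ARP_SNAPSHOTS):
        print(alert)
```

Feeding this real snapshots (for example, periodic `arp -a` output parsed into dicts) turns it into the kind of anomaly watch the paragraph is asking for; a static ARP entry or switch port security is the matching mitigation.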

But if you have that, and you add the fancy control software, have you gained anything?  Nope.  We have nothing beyond what we had using native technologies that most of the target-market companies already have in place.

What you have gained in addition, is a negative value.  The new system is going to require management.  Since you aren’t shutting off the other stuff, it’s in addition and doesn’t save you anything; it adds to cost.  The new system is going to require monitoring and alerting, which means adding it into your existing capabilities and updating rules, which is an additional cost.  The new system is going to require testing and patching, and since nothing has gone away, it’s in addition to your existing efforts, which makes it an additional cost.  Finally, it’s one more piece of software, increasing your number of attack vectors by one, which is an additional risk.

All in all, not a great day to be selling product X.

What’s worse, some of these vendors are telling people to use their encryption to pass traffic across the ‘net, à la a VPN-style connection, only from server to server, and not from firewall to firewall, or at least VPN device to VPN device.  While it’s possible application vendor SoAndSo does do VPN technology better than VPN technology vendor Namebrand, I would bet that it doesn’t.  But even if they do, it’s still no gain over existing technology, meaning it’s still a cost and this is not a redeeming feature.

What it comes down to is what it’s always come down to.  You need to do the basics, and you need to do them well.  It doesn’t matter what you buy if your passwords are weak, and it doesn’t matter that you encrypt if you leave your certificates laying around.  So instead of spending $tupid monie$ on shill-ware like this stuff, invest that money in your people and in doing things right.  You don’t need yet another security tool, it won’t fix anything, and it’s a waste of money.

Demonstrating Value in an Information Security Program

Demonstrating value is key in a corporate setting for running an effective information security program.  If your management team doesn’t clearly understand what benefit they all derive from security, the program will suffer over time.

Demonstrating some value is easy if you have historical metrics.  Metrics are a whole ‘nother topic.  Without them, illustrating value becomes much more difficult, but only for routine items, the kind that don’t really demonstrate the clear value of a security program.

Security people should keep track of proactive fixes and calculate value saved.  If your marketing department nearly sent out a virus-laden PDF, can you estimate what that would have cost the company?  Value demonstrated.  If a computer worm affects other companies but not you, can you trace back to why you were unscathed?  If it’s not just a lucky dodge, you can point to it as value demonstrated.  Every time someone deletes a file and you’re able to recover it with FTK, that’s value.  And it adds up.

While hard metrics like firewall alerts and phishing rejection are nice, they usually are only good for incremental improvements, and are likely to be marginalized because “everyone” does that.  So your program is nothing special.

Whereas if you’re providing security input on a $3M project and suffer no security lapses, that’s personal to at least one manager, and probably meaningful to all of upper management.  They know how much a delay in that project would cost, if they’re doing project management.  That delay you didn’t have to take should be put in the security win column.  You did your job and carried the project without any glitches.  That’s value, perceived, measured, and quantifiable.

Meanwhile, normal security metrics, like password complexity, lockouts, alerts, and blocked access, show a steady foundational reward.  But management doesn’t really see those, so despite being concrete, they appear abstract and fuzzy.  Far more real are the items like smooth deployments of non-security services and products that have a security component.

If you have a DDOS attack and, thanks to your preparations, the Internet remains open for business, that’s demonstrated value.  Any business that relies on the Internet knows how much disruption costs.  That difference is a benefit of the security program and should be acknowledged as such.

Usually nobody’s going to blow your horn for you, though, so you need to keep track of these things and get the word out.  In every company newsletter place a brief summary of what’s gone on and how much it saved the company.

At the end of the year, you can quantify the entire period and compare that to the expense of running the program.  If the program is still a cost center and not a profit center, you’re probably doing something wrong.

Stay away from fuzzy representations of value if you don’t have hard numbers to back up the claim.  Brand reputation is a very real resource, but without actual measurable damage, and some sort of benchmark, it’s going to look soft.  If you can show a similar incident had a specific effect, and that translates to your situation, it is possible to use it, but usually not.

Occasionally, you’ll be able to use a security program as a cost savings indicator, but most of them will not work well.  This is because security is the only department with contact with the security device/application.  If management as a whole doesn’t feel the direct benefit, the success loses value.  If a new security device/process streamlines an existing process, it can be argued that the first problem was security to begin with, so all that’s happened is a fix has been put in for a problem, and that’s not value add, that’s value recovered.  Increased efficiency is a soft win.  List it, but don’t count on it getting you a bonus.

Imagine some of the possibilities:

  • Your data loss prevention program catches the secret formula for your key product leaving for a competitor.
  • Neubot.war worm takes down half the Internet, and you are unscathed because of white-listing run-time applications.
  • A hostile employee tries to sabotage the plant chemistry mix, but can’t because provisioning denied access.

Fighting for ROI using metrics is an uphill battle; demonstrating value using particular high-profile incidents like these makes it much easier, but you have to watch for them.

Do use standard business practices and ROI for budgetary purposes, but it’s the risk management program that will contribute most to finding new ways to demonstrate value, because it is proactive and not responsive.  If the beneficial system/process isn’t in place prior to the incident, any benefit derived is simply soft response value, and not the hard value that clearly shows value.

Glad to see BYOD taking off…

Bring your own device (BYOD) is an emerging concept whereby corporations allow/require employees to supply their own computing and communications platform (laptop/phone).  It is colossally stupid and that is well documented elsewhere, but for us, it is worse than just having to preserve a different device, because BYOD introduces other parties with additional risk.

When we contract for normal corporate ePreservation services, we engage with a client and have one contract, one privacy agreement, one potential liability.

By permitting employees to use their personal devices, BYOD increases the likelihood that we’re going to have to take personal phones/laptops as part of an evidence preservation effort, and employees aren’t going to like us having access to their personal stuff on those devices.  We wouldn’t want our stuff given to someone else, which is why we strongly recommend clients NOT permit the use of personal devices for corporate business other than phone calls.  We can, after all, get those records from the phone company.  Texting as well, but it’s a slippery slope, until we’re looking at the pictures you sent your friends last New Year’s Eve.

What’s worse for us, however, is the potential for 3rd party lawsuits.  Your employee whose phone we take to image can potentially hold us liable for harm to the phone, themselves, or their reputation (ask a lawyer for the definitive list).  How could that happen?  The simplest case involves them having personally embarrassing photos on the phone and us losing control of it.  It could happen.  They can probably sue us for damages at that point.  And the employer.

Even with a solid employee/company BYOD agreement in place, no such agreement exists between them and our company.  Even if our contract can serve as a vehicle to transfer responsibility, it’s still a nasty business that could go either way depending on the forum.

Another example is a picture of a 4th party on the phone of the employee.  Regardless of the employee’s ability to sue, the 4th party might be able to establish liability against all three other parties, quite reasonably.  Ask a lawyer to explain it if you’re interested; we only know enough to know there are potentially a lot of new problems with BYOD.

And that means new insurance, new procedures, and new billing codes.  Yes, while you corporate types are calculating your bonus based on switching to BYOD, we’re looking at our bottom line as well, which means we’ll be charging you different rates for BYOD items.  Which will undoubtedly not make it into the spreadsheets that show how big a bonus you deserve for implementing it.

Go ahead and BYOD, we’re ready to bill you for it.