The Limits of IT Security

By Jason Taylor

(Back to article)

There isn't a security threat that you can think of that some security company's marketing literature doesn't promise a solution for. But despite the zeal of marketers there are still some threats to enterprise information technology that the industry is just beginning to address.

Take the recent phishing phenomenon for example. The premise here is pretty simple: send an email to a user and lie about where you're sending it from (a bank is always good), tell them they have to urgently log into their account, provide a legitimate looking web link to click on in the message body and then steal their account info as they enter it onto an authentic-looking web page. There are a few technology issues here.

The first is that many of the standard email protocols allow one to lie pretty easily about where a message is coming from. This is not a flaw, but a design choice made long ago in a time when the "network" consisted of a few computers connected to each other at institutions that trusted each other.

The second problem is that the average user doesn't know if they're at the legitimate banking site or not; it all looks like one big, complicated URL. These are issues that are difficult to fix with a security "add-on" because they are ingrained into the core architecture of the Internet.

Attacks like phishing are just a relatively new manifestation of the number one problem that has plagued IT security: user trust.

Problem Awareness

By nature, if one isn't aware that someone can lie to them through a technology, then that technology is trusted. When you aren't aware of how simple it is to make technology do bad things -- or even aware that it's possible -- it seems pretty logical to login to your online banking account if your bank sends you an urgent message.

The problem goes beyond technology though.

Security awareness in companies can be fairly low, and attackers understand and exploit that. If someone really wanted to penetrate an organization for example, they might first try and call up an employee on the phone, pretend to be from the IT department and just that employee to "confirm" their login name and password.

If one were really desperate, they may tailgate an employee into the building and then look for an empty office with the notorious yellow sticky-note on the monitor with that person's current password written on it.

With these threats in mind, the battlefield is broader than network security. In fact network security must be thought of as just the first layer of defense: a barrier that makes it more difficult for an attacker to get at your assets, but that cannot be depended upon alone.

It is crucial to build a defense-in-depth (technology, procedure and education) which provides a set of interlocking mechanisms to keep attackers out and company assets in.

Even the simple idea of keeping the attacker out is now antiquated as the majority of successful attacks are conducted by insiders who are already past the defensive perimeter of network security.

Once inside the attacker invariably has a rich selection of applications to target each with their own set of security weaknesses and vulnerabilities.

No Silver Bullet

It is clear that there is no technology or product that can act as a quick-fix, removing all of the security exposures a company may have. As much as we may wish otherwise, there is no silver bullet.

With that understanding it's important to develop a plan that will address the unique security concerns, and tradeoffs, that your company has. The steps to creating a plan that will work for your company are straightforward, if not always simple in practice.

First make a list of all the assets you wish to protect. Categorize them from most sensitive to least. Those at the top of the list will require the most protection, while those at the bottom may require very little.

Usually three or four categories of sensitivity will be enough and will ease the rest of the planning. Keep in mind as you do this that threats often exist in places where you least expect them -- even places where you have already deployed a security "solution" such as a deep packet scanning firewall.

Next create a threat model for each of the assets. The model should be designed to answer the following questions:

  • What is the damage that can be done to the asset?
  • What are the avenues of attack that can be used to get at the asset?
  • What conditions would have to be in place for an attack to be successful?
  • The format of the threat model is not as important as the content. If you can clearly answer the above questions for each asset you've listed then the threat model will be a success.

    Once you've listed the threats you can begin to think of mitigations for each. Generally the mitigations will describe a way to thwart an attack by taking away some or all of the requirements necessary for the attack to succeed.

    Assessing Protection

    The mitigations you choose to take will be based upon the risk of the asset being compromised versus the cost of performing the mitigation. For instance you may spare little expense in protecting your customer's private information but wouldn't spend nearly as much effort protecting an intranet site devoted to your annual company party!

    This is where the asset sensitivity categorizations come in handy. By analyzing the set of potential mitigations as well as the types of asset you want to protect you should be able to build a set of policies for each asset category.

    When new assets come online you merely assign them to a sensitivity category and apply the pre-built policy. A policy could include cryptography standards, database configurations, penetration testing schedules, vulnerability and virus scan procedures and more.

    In the course of building your security plan you'll see first-hand that common network security techniques won't be enough. As good as firewalls and intrusion detection systems (IDS) are, they cannot cover all of the bases.

    A true defense-in-depth will require not only a strong perimeter but also a focus on the internally and externally focused applications your company uses and an education program to teach your staff secure computing principles.

    Continued reliance on network security alone will result in a false sense of security and a guarantee of successful attacks on your enterprise. A well rounded security plan that covers all the angles will minimize your risk and ensure your security dollars are spent protecting your assets as effectively as possible.

    Jason Taylor is vice president of Development Services at Security Innovation. Taylor performs development consultations, custom development work, and white-box penetration testing services for Security Innovation's Fortune 1000 customer base.

    Herbert H. Thompson is director of Security Technology and Research at Security Innovation. Thompson trains software developers and testers at the world's largest software companies on security techniques.