Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

The more things change, the more they stay the same!

AKA: 10 years of FAIL!

As it gets closer to the end of the year, you can’t help but despair at the seemingly un-ending flow of prediction posts. Heck, even I threw one up on the blog (although more of a joke than anything else). Everyone (not just those trapped in the InfoSec echo chamber) seems obsessed with the next big thing, the year to come and what the future holds. I can see the attraction… looking back at all the mistakes we’ve made is never a nice thing.

I’m willing to bet that most people reading this think things have changed a lot in the last 10 years. We’ve got web 2.0 and things are more complex than ever! I thought the same, until I stumbled on a little bit of history while cleaning out the bookshelves. If you’re as old as me you probably remember those “Top Internet Website Guides” from years gone by. Before the almighty Google took search engines to a new level, people actually had books listing interesting websites. It was just such a book that caught my eye, and I couldn’t resist looking through it to see what the World Wide Web looked like back in 2001.

Websites come and go… they fall from favour and in the blink of an eye they’re gone from the world… some, however, stand the test of time and, surprisingly enough, look pretty much the same now as they did back in 2001. Timeless design? Simple-to-use interface? Or just a little bit of proof that not much changes in 10 years, even on the Internet!


Look familiar? I’m pretty sure it wasn’t that long ago that Apple.com was still using the same design! Still, that’s all fun and good, but this is an InfoSec blog, so let’s get to the point.

This trip down memory lane got me thinking… what was the landscape like back in 2001? What were the threats, the vulnerabilities and the issues we hoped to fix? What were the predictions and promises we made back in 2002?

Just looking through the schedules for Blackhat (US | EU) and DefCon for 2001 shows just how far we’ve come and how little we’ve actually achieved! 10 years on and the things that we’ve fought against are still the things that we’re fighting against today.

Just to pull a few examples from those schedules:

One-Way SQL Hacking: Futility of Firewalls in Web Hacking (JD Glaser & Saumil Udayan Shah)

WebApp Security: The Land that Information Security Forgot (Jeremiah Grossman)

Hackproofing Lotus Domino (David Litchfield)

Web Vulnerably & SQL Injection Countermeasures (1-2) (Tim Mullen)

GSM / WAP / SMS Security (Job de Haas)

Hacktavism Panel (cDc)

OS/X and Macintosh Security (Freaky)

Scary isn’t it! I’d love to see the reaction people would give if these talks were listed in a conference this year. I’m not sure about you, but I’d think it was a pretty good lineup and relevant to our current issues.

What’s the moral of this story… simple really. We’re failing. You’re failing, I’m failing, and everybody who thinks they’re not is deluding themselves. We’re stuck in this constant InfoSec circle-jerk where we each tell the next how much better things are and how we’re making the world a better, safer place. In reality all we’ve achieved in the last 10+ years is to form an industry around InfoSec that helps to maintain the status quo. We’ve built this virtual altar where we pray at the feet of so-called InfoSec rockstars. The people who we look to, to make things better for us. Well, sorry to say, but Dan Kaminsky isn’t going to come down your chimney this Christmas and leave you a shiny black box that solves all your APT woes! Although, I for one think it would make a cool movie plot! Jeremiah Grossman isn’t going to wave a magic wand and make your SQL injection vulnerabilities disappear in a puff of magical pink smoke… although, it would make a funny clip for next year’s DefCon (hint, hint).

The more things change, the more they stay the same!

Right about now you’re probably laughing, shouting or just saying to yourself “well he’s just pointing out the problems we already know about… where are the answers loudmouth!”. I don’t blame you, I’d be saying the same thing.

So, what would I do?

Well, in my VERY uneducated opinion these are the things I’d do to make a start in getting to security utopia.

Back to basics

No point in wasting that €75,000 on an all singing, all dancing WAF solution.

What do you expect that WAF to protect? Get to the REAL problem. Train your developers, implement (or begin to implement) an SDLC / process to ensure secure code is put on the web, not Friday afternoon code!

Invest in some basic code analysis… even if that’s just grep and some regex. Start small, and focus on the biggest issues. No point in spending all your budget on a single XSS flaw, when your site is riddled with SQL Injection bugs.
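To show what the “grep and some regex” starting point can look like in practice, here is an added example (not code from the original post) that applies three grep-style patterns to a constructed PHP snippet and ranks the SQL injection candidates ahead of the reflected-output (XSS) one, so the biggest issues surface first. The sample source, rule names and regexes are my own assumptions; a pass like this only flags candidates for a human to review.

```python
import re

# Constructed PHP sample (not from the original post): the sort of
# "Friday afternoon" code a quick regex pass is meant to catch.
SAMPLE_PHP = r'''<?php
$id = $_GET['id'];
$res = mysql_query("SELECT * FROM users WHERE id = " . $id);
mysql_query("DELETE FROM posts WHERE id = $_POST[pid]");
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
echo "Hello " . $_GET['name'];
print htmlspecialchars($_GET['q']);
'''

# Each rule: (name, priority, pattern). Lower priority = fix first, so the
# SQL injection rules outrank the XSS rule. The same patterns work with
# grep -E; Python just makes the ranking step easy.
RULES = [
    # SQL keyword, then a string literal closed and concatenated with a variable
    ("sqli-concat", 1, re.compile(r'\b(SELECT|INSERT|UPDATE|DELETE)\b[^;]*"\s*\.\s*\$', re.I)),
    # SQL keyword inside a double-quoted string that interpolates a request superglobal
    ("sqli-interp", 1, re.compile(r'"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"]*\$_(GET|POST|REQUEST|COOKIE)', re.I)),
    # echo/print of request input on a line that never mentions htmlspecialchars
    ("xss-echo", 2, re.compile(r'\b(echo|print)\b(?!.*htmlspecialchars)[^;]*\$_(GET|POST|REQUEST|COOKIE)', re.I)),
]


def scan(source):
    """Return findings as (priority, line_no, rule_name, line), sorted so the
    highest-priority rule (and then the earliest line) comes first."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for name, priority, pattern in RULES:
            if pattern.search(line):
                findings.append((priority, line_no, name, line.strip()))
    findings.sort()
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'sqli-concat': 1, 'sqli-interp': 1, 'xss-echo': 1}."""
    counts = {}
    for _, _, name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for priority, line_no, name, line in scan(SAMPLE_PHP):
        print(f"P{priority} line {line_no:>3} {name:<12} {line}")
```

The parameterised `prepare(...)` line and the `htmlspecialchars`-wrapped `print` are deliberately left unflagged, which is the kind of false-positive trimming you do as the rules grow.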

Hardening

Is this a lost art form?

Your WAF / IDS / IPS / Firewall / Black Box with blinky lights, is not going to stop everything. Hardening a system was always the FIRST thing people did before unleashing it on the Interwebz. How about we don’t forget that, and actually spend some time coming up with secure base images for systems!

Hardening goes beyond the external… make sure that when an attacker gets onto your box, and yes they WILL, their tools are useless. Remove netcat, remove GCC and the Linux headers, chroot everything. None of these is a foolproof solution, but make them fight for every inch, and just maybe you won’t be on the front page of every major newspaper the world over.

Balance

I’ve already posted my thoughts on relying on vendors for everything, and I stick by that. It’s important to have a balance between technology, process and the trained staff to run things. Too much of one or the other and you’re doomed to failure.

The black box with blinky lights needs somebody to monitor it, tune it, and manage it. If that’s not part of your budget (along with appropriate training and testing time) then what do you expect to gain from buying it? It’s an all or nothing package, and saying “we’ll train on the job” is the first step towards the cliff.

Know your systems, know your company

It’s a sad day when a company gets hacked through a system they didn’t even know they had! Just look at the Sun newspaper. Hacked through old, outdated websites they probably didn’t even know still existed. You think you know your network? Go and double-check, because there’s a server somewhere you never knew you had!

Security isn’t all about systems… it’s about protecting the business. Most InfoSec professionals, however, have almost zero knowledge about what information is valuable to the company. How can you protect something you don’t even know exists? You can’t stop every attack, and trying is a fool’s errand. Knowing where your crown jewels are stored allows you to protect what you know is important, while trying to keep everything else as safe as it can be!

Well that’s it… I don’t think I have a magic pill for the world… but I’d rather accept that we’re part of the problem and start looking to solve it, than just close my eyes and hope for InfoSec Santa to bring me a new Firewall!

Merry Christmas… let’s make it a happy new year!

3 responses to “The more things change, the more they stay the same!”

  1. Abe Getchell December 18, 2011 at 18:26

    This response isn’t trying to shirk any responsibility, because the infosec industry at large is part of the problem, there’s no doubt about that. However, it’s not that we’re failing, it’s that we’re trying to solve unsolvable problems. Realizing this drastically changes your strategy in an extremely positive way. This game then becomes less about wastefully attempting to prevent the inevitable and more about assisting the business *manage risk* incurred by the integration of information systems into the operation. You’re exactly right – we do need to get back to the basics. We need to realize that we already have the tools we need to do our jobs, we just have to buckle down and use them. Cheers!

  2. iamsecurity December 18, 2011 at 18:56

    “Know your systems, know your company” – probably the best advice here.
    More often than not, organizations FAIL at realizing the home advantage, and are just spreading their legs to attackers (with WAFs, AVs, Firewalls, and other crap that doesn’t work).
    Absolutely no thinking, no planning, and no strategy in their defense. FIXIT!

  3. akismet-c9c49a2bec80258d5706ab3de98a5c95 December 18, 2011 at 19:12

    Personally I think we should be looking at the big picture and going for the big/easy wins. It’s far too easy to make mistakes, we need to turn this around and make it difficult to make mistakes. Crude example: When babies learn to walk, they fall a lot. As parents if we allow the baby to walk on a marble floor we’re asking for trouble and being irresponsible. If, however, we carpet the floor and cushion the room, even if the baby falls, there is little damage done. I think the big players, the enablers, the vendors, the developers, etc, need to take a lot more responsibility and start ‘cushioning’ their products. Start at the top and work our way down. A good example of a company ‘cushioning’ their products is browsers with built-in XSS filters. An example of a company not ‘cushioning’ their products would be MySQL, why do we have to have a ‘clean up’ script (mysql_secure_installation) after installation, this should be done within the installation. I think what I am trying to say is let’s pressure the big players to implement the basics, security by default, defense in depth, $some_other_buzz_word and hopefully others will follow suit.