Why Security Architectures Fail

1
Why Security Architectures Fail
2
Internet Age Why Security Architectures Fail
Pierre NoelCEO - ICSA.net Asia Pacific
3
Agenda

• Introduction
• eCommerce Survey
• Todays Security
• Enterprise Security with an Internet Approach
• Looking in the past
• Security Evolution
• Requirements
• Conclusion

4
Introduction

• The Black Hat Briefings is a pool of expertise
  when dealing with technical Internet Security
  Issues
• The purpose of this presentation is to provide an
  operational feedback to the way Internet Security
  has been often dealt with

5
Introduction

• Food for thoughts
• Sharing from our companys experience in dealing
  with customers IT security
• Distance and Strategic Thinking
• Give elements to enable IS managers to take some
  distance to the problems, and analyze the
  situation from a different angle

6
How is Internet Security Perceived?
7
Survey - 1998

• In a 1998 CommerceNet Survey on the barriers and
  inhibitors to eCommerce four out of the five
  most important inhibitors were security-related
• Need for Privacy Protection
• Integrity of Data
• Authentication
• Legal Framework

8
Survey - 1999

• These Security-related inhibitors have been
  pushed back to rank 20 to 50
• Should we infer that security is no longer an
  inhibitor to eCommerce?
• Does that mean that solutions have been found to
  overcome these security inhibitors?

9
The Reality behind the Survey

• Reality 1 - In Business-Oriented organizations,
  Business comes First, Security comes Second
• Security solutions have not been found, its just
  that these companies could not wait any longer!
• Reality 2 - Many companies took the excuse of
  security as a façade to mask an inability to
  adapt their Business to eCommerce

10
The Need For A New Approach To Web Security
11
Todays Corporate Security Worse Than Expected
ICSA Vulnerability Study May 1999
Over 70 of sites with firewalls still
vulnerable to known attacks Over 60 of sites
susceptible to denial of service attacks Over
80 don't know what's on their network
visible over the Internet Over 80 have
insufficient or inadequate security policies
12
Internet Security is Weak and Breaches are Costly

• 256,000 average loss for security breaches
  during 1998
• 28 new high priority security vulnerabilities
  logged and distributed each month by ICSA Labs
• 200-300 new viruses released each month with
  about 5 making it to the wildlist
• 93 mil. estimated cost of the Melissa virus to
  U.S. businesses

13
Why Are Companies So Vulnerable?

• Most companies...
• Have a multi-vendor, heterogeneous network
  environment
• Have security vulnerabilities in many areas
• Have problems keeping up with the knowledge
  required to maintain a good secure environment
• Are interfacing with vendors/partners/customers
  in ways that were not previously possible
• Have a limited ability to effectively manage
  security

14
Companies handling of Internet Security

• Security is not well understood or easy to
  manage.
• Threats change every day
• Technology changes every day
• Organizations are scrambling to find expertise.

Enterprises skill levels are lagging. They
require much more hand holding than ever before.
15
Technology Inhibitors to eBusiness Deployment

• Security concerns often delay the implementation
  of Internet-based technologies
• Risks are difficult to quantify
• Liability seems too high

Information overload inhibits decisions and
actions
16
Security Needs anInternet Approach
17
Inadequacy of Solutions

• The solutions put in place by enterprises to
  minimize their security exposure are often
  missing the point
• The Product-Solves-it-all problem
• Too much investment in technology, too little in
  support and education
• Inadequacy of the solution and false confidence
  feeling

18
The Great Wall
19
The Great Wall

• Are Analogies too Simplistic?
• Threats
• Multiple Barbarians Invasions from the North
• Solution
• To erect a wall to prevent invasions by
  horse-ridden Invaders
• Validity
• Very valid
• as long as

20
The Great Wall

• as long as nobody came up with a better idea,
  such as
• In History, the invention, design and utilization
  of a plane to fly over the Great Wall was a
  process that could have taken Centuries
• ...Giving plenty of time for the defenders to
  assess the new nature of threats and provide a
  counter-solution
• Such as putting Canon Guns on top of the Wall.
• Long-lasting defense strategies
• Designed by the strategists, the army general etc

21
The Great Wall at Internet Speed

• With the Internet comes the Internet Speed
• Things change. Threats evolve at a fantastic pace
• A Solution Today
• Can never be total
• Dont waste your time, you dont have too much of
  it
• Can never be frozen
• Adaptable and Manageable

22
Looking behindThe Maginot Line
23
The Maginot Line
France 1929, under the leadership of André
Maginot - the then Minister of War - started the
greatest construction work in Europe, designed to
protect France against possible invasion from
Germany. This was to be a permanent mark in the
pages of history which would secure France from
any further wars. This line certainly became a
permanent mark in history. But merely as an
unsuccessful oddity, a useless line that was to
be passed-by. It is not right to judge the whole
original plan, it simply was much too ambitious
and everyone expected too much from it. After all
the money was spent there was no more funds for
building fortresses along the Belgian border, and
the French military leaders held firm in their
belief of the impenetrability of the Ardennes
Forest. In 1940 the Germans took advantage and
actually came through theForest bypassing the
Maginot Line.
24
A Point-Answer to a Point-Problem

• The Maginot Line was conceptually a superb
  element of defense against invasions
• What it built was merely self-confidence on the
  defending-side
• The project was so ambitious that it never got
  fully terminated
• The Germans didnt even bother attacking the
  place, this was not needed
• Typical case of a security architecture that
  politely request the assailants to do exactly
  what they are told

25
Whats fundamentally Wrong

• Maginot Line leading to Security Architectures
• Are a point-answer to a point-problem
• Usually assume a long process to providing a
  stable enabling -infrastructure
• The goals and blueprints are almost never met
• even when met, they dont fulfill the goal
• Security Architectures have a goal to provide
  100 security
• Static in nature, it is inadequate for protecting
  against Internet Security threats

26
Internet Security Threats

• Not necessarily motivated by standard financial
  considerations
• Internet attacks are not necessarily intended
  against the valuable assets. Standard Risk
  Assessments dont apply
• Paradigm-Shift
• From an eCommerce perspective, we cant simply
  block the user from accessing the data
• Ever Changing nature
• How many new types of attacks from the Internet
  during the past 24 months?

27
Internet Security in its Dynamic Nature
28
Security Evolution _at_ Internet Time
29
Security Evolution - Adaptive Protection
30
Security Evolution - Static Protection
31
So

• Rather than to focus on bringing a theoretically
  flawless security architecture - which does not
  exist - it is more important to focus on
• A continuously adapting solution (to dynamically
  adjust to new threats)
• Invest in the education and ensure the focus of
  the operating team
• Find a feed to be kept current

32
Whats Required

• Focus Knowledge
• Its a three-dimensional Chess Game, where the
  whites are allowed to invent new weapons.
• Awareness
• You are Programming Satans Computer Ross
  Anderson

33
Conclusions

• The Need for reducing the Internets Security
  Exposure is evident
• Not at any cost though
• Static or Frozen Solutions, of any kind, are to
  be avoided
• More than revolutionary ideas, pragmatism,
  awareness and a unalterable focus deliver

34
Pierre NoelCEO - ICSA.net Asia Pacific