Title: Why Security Architectures Fail
Internet Age: Why Security Architectures Fail
Pierre Noel, CEO - ICSA.net Asia Pacific
Agenda
- Introduction
- eCommerce Survey
- Today's Security
- Enterprise Security with an Internet Approach
- Looking in the past
- Security Evolution
- Requirements
- Conclusion
Introduction
- The Black Hat Briefings is a pool of expertise when dealing with technical Internet security issues
- The purpose of this presentation is to provide operational feedback on the way Internet security has often been dealt with
Introduction
- Food for thought
- Sharing from our company's experience in dealing with customers' IT security
- Distance and strategic thinking
- Give elements to enable IS managers to take some distance from the problems, and analyze the situation from a different angle
How is Internet Security Perceived?
Survey - 1998
- In a 1998 CommerceNet survey on the barriers and inhibitors to eCommerce, four out of the five most important inhibitors were security-related:
  - Need for Privacy Protection
  - Integrity of Data
  - Authentication
  - Legal Framework
Survey - 1999
- These security-related inhibitors have been pushed back to rank 20 to 50
- Should we infer that security is no longer an inhibitor to eCommerce?
- Does that mean that solutions have been found to overcome these security inhibitors?
The Reality behind the Survey
- Reality 1 - In business-oriented organizations, business comes first, security comes second
- Security solutions have not been found; it's just that these companies could not wait any longer!
- Reality 2 - Many companies took the excuse of security as a façade to mask an inability to adapt their business to eCommerce
The Need For A New Approach To Web Security
Today's Corporate Security: Worse Than Expected
ICSA Vulnerability Study, May 1999
- Over 70% of sites with firewalls still vulnerable to known attacks
- Over 60% of sites susceptible to denial of service attacks
- Over 80% don't know what's on their network visible over the Internet
- Over 80% have insufficient or inadequate security policies
Internet Security is Weak and Breaches are Costly
- $256,000 average loss for security breaches during 1998
- 28 new high-priority security vulnerabilities logged and distributed each month by ICSA Labs
- 200-300 new viruses released each month, with about 5 making it to the WildList
- $93 million estimated cost of the Melissa virus to U.S. businesses
Why Are Companies So Vulnerable?
- Most companies...
  - Have a multi-vendor, heterogeneous network environment
  - Have security vulnerabilities in many areas
  - Have problems keeping up with the knowledge required to maintain a good secure environment
  - Are interfacing with vendors/partners/customers in ways that were not previously possible
  - Have a limited ability to effectively manage security
Companies' Handling of Internet Security
- Security is not well understood or easy to manage.
- Threats change every day
- Technology changes every day
- Organizations are scrambling to find expertise. Enterprises' skill levels are lagging. They require much more hand-holding than ever before.
Technology Inhibitors to eBusiness Deployment
- Security concerns often delay the implementation of Internet-based technologies
- Risks are difficult to quantify
- Liability seems too high
- Information overload inhibits decisions and actions
Security Needs an Internet Approach
Inadequacy of Solutions
- The solutions put in place by enterprises to minimize their security exposure are often missing the point
- The "product solves it all" problem
- Too much investment in technology, too little in support and education
- Inadequacy of the solution and a false feeling of confidence
The Great Wall
- Are analogies too simplistic?
- Threats
  - Multiple barbarian invasions from the North
- Solution
  - To erect a wall to prevent invasions by mounted invaders
- Validity
  - Very valid
  - as long as...
The Great Wall
- ...as long as nobody came up with a better idea, such as:
- In history, the invention, design and utilization of a plane to fly over the Great Wall was a process that could have taken centuries
- ...giving plenty of time for the defenders to assess the new nature of the threats and provide a counter-solution, such as putting cannons on top of the Wall.
- Long-lasting defense strategies
  - Designed by the strategists, the army general, etc.
The Great Wall at Internet Speed
- With the Internet comes Internet speed
- Things change. Threats evolve at a fantastic pace
- A solution today
  - Can never be total
  - Don't waste your time, you don't have too much of it
  - Can never be frozen
  - Adaptable and manageable
Looking behind The Maginot Line
The Maginot Line
France, 1929: under the leadership of André Maginot - the then Minister of War - France started the greatest construction work in Europe, designed to protect the country against possible invasion from Germany. This was to be a permanent mark in the pages of history which would secure France from any further wars. This line certainly became a permanent mark in history, but merely as an unsuccessful oddity, a useless line that was to be passed by. It is not right to judge the whole original plan; it simply was much too ambitious and everyone expected too much from it. After all the money was spent there were no more funds for building fortresses along the Belgian border, and the French military leaders held firm in their belief in the impenetrability of the Ardennes Forest. In 1940 the Germans took advantage and actually came through the Forest, bypassing the Maginot Line.
A Point-Answer to a Point-Problem
- The Maginot Line was conceptually a superb element of defense against invasions
- What it built was merely self-confidence on the defending side
- The project was so ambitious that it never got fully completed
- The Germans didn't even bother attacking the place; this was not needed
- Typical case of a security architecture that politely requests the assailants to do exactly what they are told
What's Fundamentally Wrong
- Maginot Line-style security architectures:
  - Are a point-answer to a point-problem
  - Usually assume a long process to provide a stable enabling infrastructure
  - The goals and blueprints are almost never met
  - Even when met, they don't fulfill the goal
- Security architectures have a goal to provide 100% security
- Static in nature, they are inadequate for protecting against Internet security threats
Internet Security Threats
- Not necessarily motivated by standard financial considerations
- Internet attacks are not necessarily aimed at the valuable assets. Standard risk assessments don't apply
- Paradigm shift
  - From an eCommerce perspective, we can't simply block the user from accessing the data
- Ever-changing nature
  - How many new types of attacks from the Internet during the past 24 months?
Internet Security in its Dynamic Nature
Security Evolution @ Internet Time
Security Evolution - Adaptive Protection
Security Evolution - Static Protection
So...
- Rather than focusing on bringing a theoretically flawless security architecture - which does not exist - it is more important to focus on:
  - A continuously adapting solution (to dynamically adjust to new threats)
  - Investing in education and ensuring the focus of the operating team
  - Finding a feed to be kept current
What's Required
- Focus, Knowledge
- It's a three-dimensional chess game, where the whites are allowed to invent new weapons.
- Awareness
- "You are Programming Satan's Computer" - Ross Anderson
Conclusions
- The need for reducing the Internet's security exposure is evident
- Not at any cost though
- Static or frozen solutions, of any kind, are to be avoided
- More than revolutionary ideas, pragmatism, awareness and an unalterable focus deliver