CYA Security

“Covering your ass”: we've all done it. Unfortunately, while most people eventually learn to take responsibility for their actions, the IT industry, and especially the security industry, still believes firmly in just that: solutions which don't enhance security, but limit liability. CYA isn't anything new, but a recent essay [1] by renowned author, cryptographer and security expert Bruce Schneier has brought CYA security back into the limelight in discussions throughout the industry. While Schneier's article talks about security in general, its main focus is physical security. IT security tends to be fairly isolated from the security industry as a whole, so this essay explores why CYA security is so ineffective in the digital realm, including first-hand examples.

A few months ago an insurance provider contacted us for a vulnerability assessment. It wasn't anything in depth, just a heavily automated run over a handful of servers and routers looking for glaring issues. During this scan two machines of interest turned up: an old NetWare box which they didn't even realize was still online, and an embedded UNIX appliance which hadn't been upgraded in over six years. Suffice it to say both were in pretty poor shape security-wise. A full report was prepared detailing not just the holes and what they offered attackers, but a step-by-step walk-through for fixing the issues. The customer asked that those two units be omitted from the final report (which was to be presented to upper management). This is far from unusual; following the discussions on penetration-testing mailing lists presents this scenario as an almost daily event. It does raise the question, though: if the issues located won't be fixed, what's the point of even hiring someone for a vulnerability assessment? Sadly the answer is incredibly simple: if something should happen they can say “but company X said we were safe” and pass the blame to us. It's CYA security at its finest. The list goes on and on.
A financial institution a few months back decided to open Terminal Services directly between two sites because it was easier for them than learning how to use a VPN, and we even have one client who bought a very high-end firewall purely to fulfill the contractual obligations of their customers, who demanded they “have” a modern intrusion prevention system. The unit was purchased well over a year ago but never installed. Their contract was fulfilled to the letter, but are their clients any safer?

Unfortunately much of the security industry works this way. Management looks at IT overall as critical business infrastructure, but when everything's running alright they have little reason to increase budgets or follow the IT staff's recommendations to improve the overall setup. This goes double for security professionals. After all, security alone isn't even a critical infrastructure; it's simply viewed as limiting a liability, and that's how it's treated. If $5,000 blocks 90% of attacks, and it costs another $10,000 to block a further 5%, many organizations will only spend the first $5,000. They view security as having financially diminishing returns, which in actuality it does. But is that how it's going to be explained to customers when their private information is compromised by someone smart enough to take advantage of that unprotected 10%?

At the core, it's difficult for a security staff to justify their costs. The current setup worked all last year and all this year, so why change anything for next year? Certainly one of the most frustrating parts of any IT manager's job is explaining to the bean counters why new systems are required, or why overhauls and upgrades are necessary just to keep doing the job currently being done. On top of that, security doesn't produce anything tangible. The network doesn't run faster or easier, and the higher-ups don't get any noticeable benefit except for what isn't there: attacks.
This puts security in a very uncomfortable place for most organizations when budgeting comes around. Scapegoating and overreactions are also far too common when the inevitable happens. Entire staffs have been let go even though they had petitioned months before to replace the aging solution with the hole that eventually got them canned. Hardly fair in a perfect world, but that's where CYA security comes into play. Management can pin the blame on IT if something goes wrong, so security staffs focus less on IT security and more on job security. They look for solutions to the problems that make the nightly news. They focus more on stopping spam from reaching the boss's inbox than on locking down their website code, because spam is something the boss notices every day.

This dynamic keeps much of the industry looking backwards. After a big attack, the worm outbreaks of a few years back being a classic example, everyone scrambles to fix that problem. New attack avenues aren't considered, nor are whole classes of attack, which produces an environment of constantly patching pinholes instead of fixing the root cause they all come from. Rather than replacing something like an insecure operating system, it's more and more common to stay on the treadmill of never-ending patches and hope something with a buzzword like “unified threat management” will be the silver bullet that stops all future attacks. This means the next wave of threats is all but ignored. Organizations are still struggling with good password policies and are only just sorting out malware solutions, much less looking at the huge uptake in web-based vulnerabilities over the past year or the recent breakthroughs in cracking hashing and encryption algorithms. But just as worms brought about widespread desktop firewall usage, and poorly designed web servers brought about wide deployment of IDS/IPS engines, this will change as soon as a major threat spreads far enough.
Unfortunately, the hacker underground now has a historic low of curious teenagers and a growing share of organized criminals, interested less in causing havoc and more in targeted attacks, including industrial espionage and turning tens of millions of personal computers into spam relays that didn't cost them a thing. Harming the situation further is the fact that most businesses only look at a few large brand names when shopping for IT gear, if for no other reason than that no one ever got fired for buying the standard of the day. Just as there was once a time when “no one ever got fired for recommending IBM,” IT departments around the world recommend Microsoft despite its historically insecure software, knowing that when the inevitable security problem arises it's accepted as normal. If they recommended something management didn't know, like Linux, and a security problem arose, guess who'd be held responsible? As sad as it is, CYA security makes perfect sense from this perspective. It might be less secure, but why wager a career on saying so?

As Schneier observes of the physical realm, IT departments are rarely incompetent or lazy. As his essay puts it, it happens because there is not sufficient “oversight, planning, and coordination.” Just as in the essay's physical-world description, people can't be expected to put everyone else's security above their own and what they're responsible for; it just isn't realistic. Security professionals will often do the best they can with what they have, but their priorities are shaped by the matters discussed above, and their limitations are great. “They're all going to respond to the particular incentives imposed from above” couldn't be truer. And as long as non-security personnel have this effect, be it management demanding unfiltered Net access or the rest of the staff groaning when there's downtime for patching, security holes will proliferate. Luckily, unlike the negative note Schneier's essay ends on, our outlook is better.
Widespread adoption of more secure alternatives such as Apache and Linux is helping the situation, and forcing Microsoft to drastically overhaul Windows with security in mind. The average computer these days has a firewall, and affordable appliances (and free software) are advancing to become much more than simple firewalls, now including intrusion prevention, anti-spyware, anti-virus and many other previously enterprise-only technologies. In the end, however, it still comes down to two basic principles: “the basics” and layering. The basics are what we've all been preaching for decades: strong password policies, turning off unneeded services, regular patching, and user education. Layering is simple but all too commonly forgotten: don't depend on a single control. Patch every server, workstation and appliance, not just the ones facing the Internet. Run firewalls not just at the perimeter, but on each individual machine, so that one bypassed control doesn't expose everything behind it. These simple methodologies will help even the most CYA-centric IT department stop all but the most determined attackers. And these inexpensive solutions help with the problem Schneier ends on: “...like so many things, security follows the money.”

-----
1. Bruce Schneier, “CYA Security”, http://www.schneier.com/blog/archives/2007/02/cya_security_1.html
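The cheapest of “the basics” above, turning off unneeded services, is also the easiest to check for. Below is an added example, written for this page and not a tool from the original essay, that audits a host's listening sockets against a per-role baseline. It parses the output format of `ss -ltn` (Linux iproute2); the sample output is constructed, not captured from a real host, and the baseline ports for a web server are an assumption. Anything bound to a non-loopback address on a port outside the baseline is reported, which is exactly the kind of forgotten NetWare box or VNC daemon a scan turns up.

```python
"""Added example: audit listening sockets against a per-role baseline.

Illustrative code for this page, not from the original essay. It reads
the text format produced by `ss -ltn` on Linux. The sample below is
constructed, and the web-server baseline is an assumed policy."""

# Constructed sample of `ss -ltn` output from a hypothetical web server.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     [::]:443             [::]:*
LISTEN  0       4096    127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:5900         0.0.0.0:*
LISTEN  0       50      *:21                 *:*
"""

# Assumed baseline: the only ports this role should expose off-host.
WEB_SERVER_BASELINE = {22, 80, 443}

# Sockets bound to these addresses are reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "::1"}


def parse_ss_listeners(text):
    """Return (address, port) for every LISTEN row in `ss -ltn` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        local = fields[3]                      # e.g. "[::]:443" or "0.0.0.0:22"
        addr, _, port = local.rpartition(":")  # split on the last colon (IPv6-safe)
        addr = addr.strip("[]")                # "[::]" -> "::"
        listeners.append((addr, int(port)))
    return listeners


def unexpected_listeners(text, baseline):
    """Listeners reachable off-host whose port is not in the baseline.

    Loopback-bound sockets (such as a local-only database) are skipped:
    they are not exposed to the network, so they are not what this
    perimeter-style check is looking for."""
    return sorted({
        (addr, port)
        for addr, port in parse_ss_listeners(text)
        if addr not in LOOPBACK and port not in baseline
    })


if __name__ == "__main__":
    # On a live host, feed in the real output instead of the sample, e.g.
    # text = subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout
    for addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT, WEB_SERVER_BASELINE):
        print(f"unexpected listener {addr}:{port}: not in baseline, disable or firewall it")
```

Run against the sample, the check flags the VNC port (5900) and an FTP daemon (21) that nobody put in the baseline, while ignoring the loopback-only MySQL socket. Keeping one baseline per server role and diffing against it on every patch cycle is a few minutes of work and catches exactly the drift that a yearly assessment otherwise finds for you.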
