Note: this article may have first appeared in ComputerWorld, written by Joshua Corman himself in Jan 2009. I’m not sure why most of it is taken almost word-for-word and reposted (with 1 new dirty secret) these 8 months later…
Bill Brenner has a piece on Joshua Corman’s 8 dirty secrets of the IT security industry. I thought I’d weigh in with some thoughts while sharing the article.
Dirty Secret 1: Vendors don’t need to be ahead of the threat, just the buyer
Individual people may reach levels of financial satisfaction and turn their attention to actually making a difference (see Jerry Maguire), but almost any group of people forming an ephemeral organization will ultimately see that organization driven by dollar signs. All the more so if they are a public company. Sadly, that’s how it is. Although I think that is a tangential point to this “dirty secret.”
I’ve rewritten my paragraph about vendor-buyer expectations and relationships about 4 times now, and I keep arguing basically both sides of the coin. So I’m just going to leave it be. 🙂
Dirty Secret 2: AV certification omissions
I truly do understand this criticism. I don’t necessarily have to agree with it, but I do understand that some people think this, and that’s fine with me. To me, this might come down to what you expect your AV-type products to do. Do you expect them to catch everything, or do you expect them to be fallible, but catch most things you’re likely to care about? Or at least add some value to your overall layered security posture. So, yes, I understand we can still push our AV vendors to detect more, but I understand we may take that unrealistically too far.
Dirty Secret 3: There is no perimeter
Ugh. It’s still so freakin’ trendy to say there is no perimeter. What I love are the next two lines, “That’s not to say there is no perimeter. It’s just that companies are foggy on what the perimeter truly is…” At any rate, it’s accurate to say that our perimeter has changed dramatically in 15 years, but there is still a perimeter. Do you have a scope for PCI? There’s a perimeter. Do you have different networks with dissimilar trust levels? There’s a perimeter. Maybe we get tripped up on the connotation of a perimeter being an *outer* boundary rather than an internal boundary as well. I dunno, but the point holds up: define the perimeter, and make sure you’re not just thinking security on the outer boundary is enough.
Dirty Secret 4: Risk management threatens vendors
I think this stems from how amazingly different businesses are and how amazingly different their IT environments are. If a vendor can set your risk levels for you, they will drop their product in and pocket your money. But if you have your own levels set, chances are they can’t perfectly match up to you. They may try, but then you end up buying products with so many goddamned features built to satisfy all the goddamned risk levels of their desired clients… Yeah, you know what I meant.
But, on the flip side, risk management might be a benefit in some cases where a product nicely matches a portion of the risk levels a business wants to address, rather than a “well, it’s good enough for now” attitude.
Dirty Secret 5: There is more to risk than weak software
The secret itself is not really arguable, but the statement that, “the latter two [weak configurations and people] are far more dangerous risks than the big bad software security flaw of the week,” is actually an arguable point. It might be argued that even most software flaws stem from weak configs or people. Or one might say many of the damaging attacks these days are software flaws, or potentially could be if someone isn’t patching diligently (let me point you to Metasploit as an example of the power to r00t via software flaws). The point is good, however, that there is more to risk than just software flaws.
Dirty Secret 6: Compliance threatens security
I think we’ve all gotten on the same page about compliance these days: compliance raises the floor (the lowest common denominator), but is not itself necessarily “security.” It raises awareness and starts to set the stage for actual security value.
Dirty Secret 7: Vendor blind spots allowed for Storm
I both like and dislike this item. It’s very specific to Storm as an example and has a tone that beats on AV some more. But is the problem an AV one or an OS one? I’m not sure. What I can probably say is complexity and people are the big issues here. More complex? More cracks for things like Storm to slip into and hide.
Dirty Secret 8: Security has grown well past “do it yourself”
This is easily the most confusing item in this list. I believe there is still a lot of do-it-yourself involved in security, but I think most of that is about talented staff leading the drive, as opposed to doing something like maintaining your spam blacklist yourself.
“Storm” is a good example of the hype created by security companies to sell their products. Back when it broke I had been a virus researcher for more than a year.
The thing that struck me is how everybody (starting with the security companies and taken up by the press, who believe everything like little children) proclaimed that it was something new and terrifying. In fact it was a “natural” evolution of an older family called “Tibs”. If you disassemble the samples in the order of their appearance, you can clearly see common attributes (like simple XOR encryption of strings, then using a different key for each string, then using APIs to detect emulators, then using the return values of the API calls for decryption / using MMX/SSE opcodes) through all of them.
Bottom line: don’t believe everything you read, even if it is said by “experts”
That’s an awesome point, thank you!
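The commenter above lists the obfuscation steps seen across the Tibs/Storm samples: XOR-encrypted strings, then a different key per string, then decryption keys taken from the return values of API calls so that an emulator which stubs those APIs never recovers the plaintext. The following is an added toy model of that last stage, written for this page and not code from any real sample or from the commenter. Everything in it is constructed: the sample strings, the hypothetical `REAL_API_RESULT` value a packer would have observed on a real host, the `EMULATED_API_RESULT` an emulator stub is assumed to return, and the SHA-256 key derivation (a real packer would use something far simpler; the hash just gives a distinct key per string).

```python
"""Toy model of per-string XOR obfuscation keyed on an API return value.

Added example for this page; not code from any real sample. All values
below are constructed for illustration.
"""
import hashlib

# Constructed sample strings an unpacker stub might want to hide from a
# static scanner (illustrative only).
SAMPLE_STRINGS = [b"kernel32.dll", b"VirtualAlloc", b"CreateThread"]

# Hypothetical: the value some API call returned on a real host at build
# time. The packer bakes its keys against this value. An emulator that
# stubs the API and returns something else (assumed 0 here) derives the
# wrong keys and gets garbage instead of the real strings.
REAL_API_RESULT = 0x00000057
EMULATED_API_RESULT = 0x00000000


def derive_key(api_result: int, index: int, length: int) -> bytes:
    """Per-string key: depends on the string's index and on api_result.

    A different key per string means a signature on one decrypted string's
    ciphertext does not carry over to the next string or the next sample.
    """
    seed = api_result.to_bytes(4, "little") + index.to_bytes(4, "little")
    key = b""
    counter = 0
    while len(key) < length:
        key += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return key[:length]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR; key must be at least as long as data."""
    return bytes(b ^ k for b, k in zip(data, key))


def obfuscate(strings, api_result):
    """Build-time step: encrypt each string under its own key."""
    return [xor_bytes(s, derive_key(api_result, i, len(s)))
            for i, s in enumerate(strings)]


def deobfuscate(blobs, api_result):
    """Run-time step inside the stub: the key comes from the live API result."""
    return [xor_bytes(b, derive_key(api_result, i, len(b)))
            for i, b in enumerate(blobs)]


def looks_like_ascii(s: bytes) -> bool:
    """Cheap plausibility check an analyst would use on decrypted output."""
    return all(32 <= c < 127 for c in s)


def demo():
    """Return (strings recovered on a real host, strings an emulator sees)."""
    blobs = obfuscate(SAMPLE_STRINGS, REAL_API_RESULT)
    on_host = deobfuscate(blobs, REAL_API_RESULT)
    in_emulator = deobfuscate(blobs, EMULATED_API_RESULT)
    return on_host, in_emulator


if __name__ == "__main__":
    on_host, in_emulator = demo()
    for real, emu in zip(on_host, in_emulator):
        print("host:", real, "| emulator:", emu,
              "| plausible:", looks_like_ascii(emu))
```

The point for a detection engineer is that the decryption routine itself is small and benign-looking; what an emulator needs is the correct API return value, which is exactly the thing a stubbed environment gets wrong. The analyst's countermeasure is the reverse of the packer's trick: run the sample (or the stub's API probe) on a real host, read the value it actually returns, and feed that into the decryption instead of trusting the emulator.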