June 21, 2007

The Security that Fails

The one question I continually come back to in my thinking is, “why
does security fail?”

Sure, there are a multitude of foes where blame could be (and, in
some cases, should be) placed. Some are real, some are fantasy: faulty technology,
faulty policies and procedures, faulty awareness. Superior adversaries.

But, for me, such arguments are straw man fallacies. Colloquially,
they are just trimming branches. Let’s hack at the roots, shall we?

Dig it; the basic root of failure is that there is no security. Let’s
make that our mantra for today. Repeat after me: there is no security.

What? You mean that 1.5 million dollar budget you negotiated with
the CEO for is a waste? You mean the half a million in security technology already
spent was a mistake?

Well, no. That is not what I mean at all. Instead, what I am positing
is that the fundamental understanding and approach of why specific security postures
are erected and why specific security technologies are procured is flawed. The basic
point that is continually missed is the asset. Yes, the very things security
is supposed to secure.

Ask yourself this: did you invest in IPS because it secured a specific
asset (or, more optimistically, assets!) or because it was purported to detect and
defend against the hottest new attack vectors? Did you deploy enterprise HIPS because
your assets require that additional security layer at the host level or because you
were told that there are no known vulnerabilities in Product A? Did you implement that
PKI because you actually have confidential assets that require protection at rest
and in transit or because you read that even quantum computers won’t be able to crack
AES 256? Let me ask: did you really examine your assets during that Risk Assessment
with a reductivist mindset (i.e., reducing assets) or was that Risk Assessment just
a check mark on the regulatory spreadsheet?

Security fails because we implement it to solve pen-and-paper security
issues. Ghosts in the machine, so to say. Read Ray’s post about security trends and
the associated hype. There’s much substance there and I believe his points are related.
We are implementing technology that is in fact increasing our attack surface instead
of helping to reduce it. We are implementing infrastructure with no clear cut appreciation
of asset posture. We are asking security to chase down phantoms and then bemoaning
security when the results are not 100%. Well, what do you expect?

And let me be clear: I am not devaluing the purpose of security and
security technologies. Indeed, we need our firewalls, our IPS, AV, and mail filtering
gateways. But we need these things when we actually have assets for which such complementary
security is necessary.

Remember, there is no security.

There are only assets. And only once we understand our asset posture
should we begin layering in security. Otherwise, we’re setting ourselves and security
up for failure.

– Jason Pittman, M.S. Network Security