At the RSA Conference Europe 2012, Joshua Corman gave a Key Note talk on the question whether security is getting better. To his opinion, the answer is no: we are focussing on the wrong issues with the wrong tools. Instead of following industry best practices and obeying to compliance, we need adaptability and security intelligence.

Most professional security is built around information risk management and compliance. Of those, the latter often takes the form of a check-list of best practices an organisation has to follow in order to gain a regulatory “seal of approval”. The rules a company needs to be compliant to are often tied to the respective industry or self-induced to show professionalism towards (potential) clients.

On Which Side Is the Auditor?
The problem with best practices is that they merely gave a baseline. In other words, if everyone follows a “best practice”, it really is a minimal practice. Solutions gain this status once they have proven themselves. However, at this point, the majority of the adversaries have already moved on to new vulnerabilities. Hacking is about finding the outliers within the system. On the other hand, a defined standard covers the known problems, not the creative attacks.

By complying to a set standard, you give yourself a false sense of security. As many people in the field of information security know, it is hard to sell security, but it becomes even more difficult when the CEO states he is compliant and, thus, “secure”. Even worse, — for the more cynical readers — being compliant gives plausible deniability to negligent senior management.

Joshua Corman asked himself: on which side is the auditor? We know for sure he is coming along and he will present a large bill. At the same time, security gains only marginal from the exercise. For this reason, being audited feels like being attacked.

You Will Be Hacked
It is a known fact that the large majority of all attacks will succeed when an adversary has enough resources. Therefore, it is not much of a surprise that the main reason for getting breached is whether there is an attacker that is willing to spend his resources on you. This does not necessarily mean that your fate is in the hands of the attacker, it means that security is a game of limited resources (5 October 2012), on both sides.

In the end, an adversary is result-oriented. He has a goal and wants to achieve this, whether it is money or defamation. As much as the defence is looking at the best balance between threats and solutions to be as cost effective, the adversary is looking for the cheapest and most efficient way to capture the flag. In a world of unlimited resources, this means that the defender will always lose. Luckily, this is not the case.

Play the Game of Adaptable Security
To improve security, it is necessary to fundamentally change our approach to security. The age of reactive defences is finally coming to an end and compliance is not a security mechanism. We need adaptable and intelligent security. We need to play the game.

Tagged with:

Leave a Reply

Your email address will not be published. Required fields are marked *