Just before the New Year, I wrote about how the approaches we take with security today aren’t effective at protecting our organizations from skilled and dedicated attackers. Around the same time, Bruce Schneier said in his monthly Crypto-Gram:
“A short history of airport security: We screen for guns and bombs, so the terrorists use box cutters. We confiscate box cutters and corkscrews, so they put explosives in their sneakers. We screen footwear, so they try to use liquids. We confiscate liquids, so they put PETN bombs in their underwear. We roll out full-body scanners, even though they wouldn’t have caught the Underwear Bomber, so they put a bomb in a printer cartridge. We ban printer cartridges over 16 ounces — the level of magical thinking here is amazing — and they’re going to do something else.
This is a stupid game, and we should stop playing it.
It’s not even a fair game. It’s not that the terrorist picks an attack and we pick a defense, and we see who wins. It’s that we pick a defense, and then the terrorists look at our defense and pick an attack designed to get around it. Our security measures only work if we happen to guess the plot correctly. If we get it wrong, we’ve wasted our money. This isn’t security; it’s security theater.”
He is obviously talking about airport security, but the principle holds for information security as well. We build defenses against yesterday’s problems, perpetuating the status quo, while the attackers study those defenses, pick their targets, and craft new custom attacks designed to bypass them.
As I was thinking about this, Mike Rothman at Securosis wrote a blog post titled “The Greenfield Project: How Would You Start Over”, and I realized that he and I were thinking the same thing. At the end of my post about security failures, I asked how we make 2011 different from the years that have preceded it, and I think Mike is on to something.
Next week is the RSA Conference. At the show, I guarantee you that not one vendor will have a sign up proclaiming, “Guaranteed to stop attacks from 2005!” But frankly, many of them are banking on the fact that you are still fixated on problems from the past. So let’s collectively prove them wrong. With that in mind, I have some New Year’s Resolutions that I think we should all follow, starting at the RSA Conference.
- Get rid of our assumptions – Whether you are at the conference or not, let’s get rid of our pre-conceived notions about what is needed or not in security. Approach all of our security issues with an open mind, as opposed to going automatically down the well-worn path created by our assumptions.
- Remember that no solution is perfect – There is no such thing as a perfect anything. Even the things that are very, very good at what they do have a weakness that can be exploited. That’s why good security is built in layers, where the weakness of one layer is covered by the strength of another. That leads to my next resolution:
- Try to think like an attacker – When we look at the new announcements that are sure to happen next week, think about them from the attacker’s point of view and try to imagine how each one could be bypassed or exploited. The more ways around a control we can come up with, the better we will be at choosing the layers that cover them.
- Don’t only pay attention to the established players – There will be a lot of great ideas coming from non-traditional players, and we do ourselves a disservice by just flocking to the industry giants. As security continues to be mainstreamed, security ideas will come more and more from new directions. And finally,
- Let security lead to compliance, not the other way around – Even though the PCI council did just issue new guidelines, they are just an iteration of the existing standard. There isn’t a new regulation or mandate that everyone is scrambling to meet. Let’s take advantage of the relative lull to evaluate our security posture and the compromises we might have made in an effort to “get compliant”. We need to get back to recognizing that good security is the right end-goal; it will naturally lead to both an improved risk posture and compliance with external mandates and guidelines.
That’s it. Let’s use the show as a starting point for changing our thinking in 2011. If you are going, have a great time at the conference, and if you are near the RSA booth, stop by and say hello.