Imagine a war where your enemy is given a perfect replica of each weapon you use. If you shoot a machine gun, they instantly get one. If you use an RPG, they get one. The more you think about it, the more untenable it becomes. That’s what our cyberwarfare looks like. Code is code, good and bad. But take our example one step farther and realize that every evil piece of code resides in the wild and can be aggregated with techniques and practices to develop ever-more sophisticated attacks.
Security is changing. We see it everywhere. It’s becoming INSTITUTIONALIZED. That scares me. Too often we begin to embed practices prematurely. A great example – we’ve institutionalized strong passwords. It will take decades to get rid of them. They’re an oxymoron. If passwords are something an individual knows that we want to use for authentication, strong passwords are a security violation because they’re something the user DOESN’T KNOW! They have to be written down somewhere. They’re tokens. But today’s compliance software tests and makes sure every user has a password they have to write down.
Now we confront STUXNET, and the A/V vendors say it’s a new world of Advanced Persistent Threats where signatures have little value. But we’ve institutionalized them: they eat up our budgets, create a false illusion of security and can’t do anything at all when we send encrypted traffic.
I hope you’ll find time to join us at a Strategy to Reality workshop soon. Five years ago we addressed SCADA training, seven years ago we talked about the failure of strong passwords and last year we covered the covert channels we’ve created by introducing VoIP and leaving it out of the classical security architecture.
It’s a start…
No matter what level you’re at, you need to stay aware of how technology transitions are creating new exposures. You need to be thinking about all the elements of your enterprise exposed to the net. You need to understand that there are serious scientists working for bad guys.