<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>From Source to Secure : IT Industry</title><link>http://blogs.msdn.com/rockyh/archive/tags/IT+Industry/default.aspx</link><description>Tags: IT Industry</description><dc:language>en</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>The Vicious cycle</title><link>http://blogs.msdn.com/rockyh/archive/2007/05/02/the-viscous-cycle.aspx</link><pubDate>Wed, 02 May 2007 15:20:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2373301</guid><dc:creator>RockyH</dc:creator><slash:comments>4</slash:comments><comments>http://blogs.msdn.com/rockyh/comments/2373301.aspx</comments><wfw:commentRss>http://blogs.msdn.com/rockyh/commentrss.aspx?PostID=2373301</wfw:commentRss><wfw:comment>http://blogs.msdn.com/rockyh/rsscomments.aspx?PostID=2373301</wfw:comment><description>&lt;P&gt;In the IT Security area there seems to be this lack of belief in the old adage, It &lt;EM&gt;Can Happen To Anyone&lt;/EM&gt;.&amp;nbsp; Normally, before a company will get off their collective butts and do anything about their software security, they have to experience an incident.&amp;nbsp;&amp;nbsp; There are all sorts of clichés we can put here:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;A stitch in time saves nine&lt;/LI&gt;
&lt;LI&gt;Learn from the mistakes of others&lt;/LI&gt;
&lt;LI&gt;ad nauseam&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;But I think we can agree that clichés are by their nature things that people tend to think of as, well... cliché, and don't do anything about.&amp;nbsp; News flash: clichés become clichés for a reason; they usually hold some tidbit of wisdom that is worth paying attention to.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;So what does this have to do with the vicious cycle?&amp;nbsp; There is an inevitable series of things that happen after a company experiences a security breach.&amp;nbsp; They are illustrated in the diagram below:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/Theviscouscycle_12133/ViscousCycle%5B22%5D.jpg" atomicselection="true" mce_href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/Theviscouscycle_12133/ViscousCycle%5B22%5D.jpg"&gt;&lt;IMG style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" height=480 alt="The Viscous Cycle" src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/Theviscouscycle_12133/ViscousCycle_thumb%5B16%5D.jpg" width=640 border=0 mce_src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/Theviscouscycle_12133/ViscousCycle_thumb%5B16%5D.jpg"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;It all starts with a News Headline.&amp;nbsp; As I've said at many of the talks I've given, what I want is to prevent your company from becoming a headline.&amp;nbsp; A semi-wise person once said, "There's no such thing as bad press." WRONG! That only applies to actors and politicians. In the IT Industry it's usually all bad press.&amp;nbsp; Once the breach leaks into the public eye through the press or regulatory disclosure (&lt;A href="http://www.privacyrights.org/" mce_href="http://www.privacyrights.org"&gt;http://www.privacyrights.org&lt;/A&gt; ), the company and all of its potentially insecure practices come under the microscope.&amp;nbsp; What usually follows is the tossing away of a good reputation. &lt;/P&gt;
&lt;P&gt;When the dirty laundry is aired out, the company suffers one of those intangible losses of reputation.&amp;nbsp; In business, more than most places, your reputation is a deciding factor in your success.&amp;nbsp; So if your reputation is destroyed, the domino effect is that you will suffer losses on the bottom line as well. Why does this happen though? After all, a reputation is a pretty flimsy thing in today's "less than honorable" society, so what's the big deal? &lt;/P&gt;
&lt;P&gt;If you lose your reputation, your customers, or potential customers, will not trust you. It is this golden facet of the relationship with your customers that is so important in today's fast-paced, security-conscious world.&amp;nbsp; Sure, there are some places that don't have to worry about their customers going elsewhere, say the IRS/ATO/DIR (insert the tax collection agency of your choice here).&amp;nbsp; So they probably don't have to worry about this kind of stuff, right? WRONG! What happens to them is that, instead of their customers going elsewhere, they undergo one of those new business terms: Reorganization. Either way, you essentially lose out on either potential business or your job.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;So a lack of trust directly relates to a lack of customers.&amp;nbsp; Now this one is pretty simple.&amp;nbsp; No Customers = No Business.&amp;nbsp; However, in our ever more lawsuit-savvy world, there's a new threat emerging. &lt;/P&gt;
&lt;P&gt;A lot of people, especially when backed by regulatory red tape like SOX, HIPAA, and others, are turning to their lawyers to help 'fix things' when someone experiences a data breach.&amp;nbsp; This usually takes the form of million-dollar lawsuits against the companies who experienced the data breach. Of course, when someone sues a big company and gets some money out of it, that makes the news, and we're back at the beginning of the circle again. &lt;/P&gt;
&lt;P&gt;So what do we do about this?&amp;nbsp; Well, for a long time now we've been hardening the OS layer and the Network layer against attack. To be honest, it's in pretty good shape now.&amp;nbsp; While malicious hackers are very smart, they are, like most code jockeys, lazy.&amp;nbsp; So they tend to go for the weak point, the application layer.&amp;nbsp; No amount of firewalls, IPSec and good intentions is going to protect a company against sloppy, insecure programming practices.&amp;nbsp; The Application Layer is the weak link in the chain. &lt;/P&gt;
&lt;P&gt;I always find it a bit ironic that over 70% of the typical IT Security budget is spent on infrastructure, yet over 75% of attacks happen at the application layer. We're spending our money in the wrong place. Infrastructure solutions will always have a problem when it comes to knowing what is acceptable to an application and what is not.&amp;nbsp; No matter how smart the firewall is, it will never know whether a SQL string is acceptable input to the application or not. Only the application will be able to inspect and filter the input with any reliability. &lt;/P&gt;
&lt;P&gt;We need to focus our attention where it will actually do some good: at the application layer. Don't get me wrong, firewalls, IPSec, and IDS are very good things to have, but they can't be your only line of defense. We need to concentrate on getting security at the points where it's going to do us the most good.&amp;nbsp; There are a couple of things you can do to improve your security posture:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Invest in up-front activities:&lt;/LI&gt;
&lt;UL&gt;
&lt;LI&gt;Threat Modeling&lt;/LI&gt;
&lt;LI&gt;Design Review&lt;/LI&gt;&lt;/UL&gt;
&lt;LI&gt;Put your developers through secure coding training&lt;/LI&gt;
&lt;LI&gt;Use Secure Deployment practices&lt;/LI&gt;
&lt;LI&gt;Use host level scanning to ensure your servers are configured to security best practice.&lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;Put an end to the cycle!&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=2373301" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/rockyh/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/rockyh/archive/tags/IT+Industry/default.aspx">IT Industry</category></item><item><title>IT Around the World - Vietnam Part 2</title><link>http://blogs.msdn.com/rockyh/archive/2006/11/11/it-around-the-world-vietnam-part-2.aspx</link><pubDate>Fri, 10 Nov 2006 21:26:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1054955</guid><dc:creator>RockyH</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/rockyh/comments/1054955.aspx</comments><wfw:commentRss>http://blogs.msdn.com/rockyh/commentrss.aspx?PostID=1054955</wfw:commentRss><wfw:comment>http://blogs.msdn.com/rockyh/rsscomments.aspx?PostID=1054955</wfw:comment><description>So for part two of this I'd like to discuss a different aspect of IT in Southeast Asia. One of the things that defines most IT industries is their financial environment. This is true both vertically, and horizontally across the industry. 
For example,...(&lt;a href="http://blogs.msdn.com/rockyh/archive/2006/11/11/it-around-the-world-vietnam-part-2.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=1054955" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/rockyh/archive/tags/Vietnam/default.aspx">Vietnam</category><category domain="http://blogs.msdn.com/rockyh/archive/tags/IT+Industry/default.aspx">IT Industry</category><category domain="http://blogs.msdn.com/rockyh/archive/tags/Software+Piracy/default.aspx">Software Piracy</category></item><item><title>IT Around The World -  Vietnam Part 1</title><link>http://blogs.msdn.com/rockyh/archive/2006/11/03/it-around-the-world-vietnam-part-1.aspx</link><pubDate>Fri, 03 Nov 2006 01:42:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:937344</guid><dc:creator>RockyH</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.msdn.com/rockyh/comments/937344.aspx</comments><wfw:commentRss>http://blogs.msdn.com/rockyh/commentrss.aspx?PostID=937344</wfw:commentRss><wfw:comment>http://blogs.msdn.com/rockyh/rsscomments.aspx?PostID=937344</wfw:comment><description>&lt;P&gt;Recently I was invited to participate in a workshop that was put together by the Ministry of Post and Telematics in Vietnam (&lt;A href="http://www.mpt.gov.vn/" mce_href="http://www.mpt.gov.vn/"&gt;http://www.mpt.gov.vn/&lt;/A&gt;&amp;nbsp;&lt;EM&gt;page in Vietnamese&lt;/EM&gt;). MPT is a government organisation that is progressing IT in Vietnam. I was asked to give a short presentation on two topics, Digital Media, and Cyberspace Security. When I was asked to participate, that’s actually all I was given to go on for my presentations. But the presentations aren’t what this article is about. &lt;/P&gt;
&lt;P&gt;When I arrived I was escorted around by some of the MS employees in Hanoi. It was a good thing they were able to take me around, as I only speak enough Vietnamese to know how to ask for oranges at the market. I was very curious about the IT Industry over there and how we could help them. I knew that it is considered an emerging market, but I didn’t know how mature the industry was. Understandably, it is in its infancy and has a lot of growing to do. &lt;/P&gt;
&lt;P&gt;Until recently, Vietnam hasn’t been very open to western companies, business and even tourists, but that is all changing. One of the things that they are hungry for as a country and a society is IT and contact with the outside world. This was part of the focus of the MPT workshop. They wanted to know what they needed to consider, and what they needed to do in order to enable the country to grow in the IT industry. One of the things we discussed is broadband technology. &lt;/P&gt;
&lt;P&gt;When I first arrived, I fully expected there to be little broadband in the country, and even less in the way of Internet activity. I was pleasantly surprised to find that broadband is actually quite common. But there is a chicken-and-egg problem happening. Digital content is the way media is going now. Newspapers, radio, and even TV are going digital. However, in order to support the distribution of this digital media, broadband pipes have to be big enough to support its consumption. So while broadband was fairly common, in Hanoi at least, the system didn’t have the capacity to carry lots of digital content to users. &lt;/P&gt;
&lt;P&gt;But the important thing to see is that the government is aware of this, and is planning to do something about it. They want to know where to focus their efforts on improving their infrastructure to support the future. Many developing countries focus on how to get caught up with ‘Now’; Vietnam is working on how to be ready for the future. It’s great to see.&amp;nbsp; I'll have a couple more posts about IT&amp;nbsp;in Vietnam and Australia in this series. Stay tuned. &lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=937344" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/rockyh/archive/tags/Vietnam/default.aspx">Vietnam</category><category domain="http://blogs.msdn.com/rockyh/archive/tags/IT+Industry/default.aspx">IT Industry</category></item></channel></rss>