Security
FEATURE
Secure to the Core

  January 23, 2003
  By Greg Shipley



Old Shortcomings Still Hurt

If we were to apply the average infosec strategy to the world of physical security found at, say, a bank, we would wind up with a large building equipped with titanium reinforced doors. However, those doors would remain ajar, and burglar alarms would squawk at every tenth customer. Inside would be tables piled high with cash, appropriately marked "please do not touch." Finally, the lights would be off most of the time to ensure that security guards remained only moderately effective at protecting the piles.

This scenario sounds absurd, but the harsh reality is that the digital world doesn't stray far from this model. Most security efforts are perimeter-centric, lack robust internal controls and are not monitored sufficiently. But just as bank security has evolved to include controls at both the perimeter (strong doors and walls) and the interior (safes), shouldn't other organizations protect their digital assets the same way?

While most organizations do employ some internal controls, such as authentication mechanisms, file-access-control lists and the occasional network-segregation effort, these controls are often less effective than they appear. Traditional internal controls are losing ground because modern attack methods usually exploit some type of application or OS flaw--and such a flaw lets an intruder bypass every other protection mechanism on the host, undetected.


For example, a basic Sun Solaris system may use proper file-level access controls in addition to strong authentication mechanisms, but if no further precautions have been taken, last week's RPC (remote procedure call) service vulnerability will let a remote attacker walk onto the machine as root. Once the attacker is root, the file ACLs and authentication mechanisms no longer matter: the keys to that machine's kingdom (and its data) have been turned over.

Another common failure is deploying what might be perceived as a defense-in-depth implementation when, in reality, the deployment still has a single point of security failure. Take many Web-based e-commerce applications, for example: A given deployment may involve firewalls and intrusion-detection systems, but if the application requires nothing more than a single user name and password combination to reach critical data, does the strategy truly possess any depth? The question to ask is how many effective, independent controls sit between an intruder and the critical data sets--a firewall that must permit Web traffic to the application does not count as one of them.

Traditional perimeter-centric and attacker-centric protection models face future problems as well. Still in the making is one of the biggest challenges: Web services. As companies collaborate, and internal systems engage in higher levels of interoperability with foreign systems, one organization's lax attitude becomes another's security nightmare. The ever-evolving perimeter, combined with components, subroutines and data exchanges that organizations no longer control, will bring new meaning to the phrase "target-rich environment."

[Figure: Loss Costs]

Other people's problems invading your computing environment won't be the exception, it will be the norm. Technologies such as SOAP and XML-RPC promote asset-centric data sharing, and because they ride over HTTP on ports the perimeter firewall already permits, most port-based perimeter controls see them as ordinary Web traffic. Perimeter- and attack-centric models won't help here: Organizations must move to more asset-centric controls or face increased risk and exposure.

Many organizations are seeing the first wave of these threats, albeit in scaled-down form, in their extranets. For example, the outbreak of automated worms such as Nimda left many companies in the precarious position of having third-party systems attacking their own internal machines. The problem stemmed from Microsoft IIS-based systems that were owned and operated by third parties, resided on local networks and were used by local users, but hadn't kept up with the latest patches. The result: An outsider's negligence caused damage to internal resources--resources that the perimeter controls never protected, because the attacking hosts were already inside. Further network segmentation, and more tiers of defenses between third-party-managed hosts and internal assets, would have helped prevent these situations.
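One way to put that segmentation into practice on a Linux router is the nftables ruleset below. It is an added example, not part of the original article or any Neohapsis material; the interface names and address ranges are assumptions chosen for illustration. Third-party-managed extranet hosts sit on their own segment and may reach exactly one data-tier host on one port; they get no path at all to the internal workstation segment, so an unpatched IIS box on the extranet cannot scan or infect internal machines over HTTP or SMB the way Nimda did. Every other cross-segment attempt is logged and dropped, which also gives the monitoring side something to watch.

```nft
#!/usr/sbin/nft -f
# Added example: segment third-party-managed extranet hosts from internal assets.
# Interface names and address ranges are assumptions for illustration only.

flush ruleset

define EXTRANET_IF  = "eth1"          # hosts owned/operated by third parties
define INTERNAL_IF  = "eth2"          # internal user workstations
define DATA_IF      = "eth3"          # critical data servers
define EXTRANET_NET = 192.0.2.0/24
define INTERNAL_NET = 10.10.0.0/16
define DATA_NET     = 10.20.0.0/24
define PARTNER_APP  = 10.20.0.10      # the one data-tier host partners may reach

table inet segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions we already allowed; everything else must be explicit.
        ct state established,related accept
        ct state invalid drop

        # Internal users reach the data tier on HTTPS only.
        iifname $INTERNAL_IF oifname $DATA_IF \
            ip saddr $INTERNAL_NET ip daddr $DATA_NET tcp dport 443 accept

        # Extranet hosts reach exactly one data-tier host, on exactly one port.
        iifname $EXTRANET_IF oifname $DATA_IF \
            ip saddr $EXTRANET_NET ip daddr $PARTNER_APP tcp dport 443 accept

        # No path from the extranet to internal workstations at all:
        # Nimda-style worms propagate over HTTP (80) and SMB (139/445), and an
        # unpatched third-party host must not be able to reach those services.
        iifname $EXTRANET_IF oifname $INTERNAL_IF \
            log prefix "extranet->internal blocked: " drop

        # Anything else crossing a segment boundary is logged, then dropped.
        log prefix "segment boundary drop: " drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. The point of the design is that the chain's default policy is `drop` and each permitted flow names a source segment, a destination host or range and a port: a third-party host that is compromised gains only the single path the business relationship requires, not a foothold on the rest of the network.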

Looking Ahead

The next step is a big one for most security staffs, and ingrained legacy security models can present large obstacles. Many of today's infosec strategies are rooted in concepts developed decades ago, and while these concepts still apply to components of a successful program, they do not provide the framework for a holistic security model. They certainly don't incorporate the triage concept.

So should corporations stop purchasing firewalls? Should they move users into their DMZs and ditch their network IDSs?

Certainly not. However, they should move many of the tools and techniques used at the perimeter closer to the critical assets themselves. Organizations would be wise to invest some energy in first determining what they are protecting, and only then analyzing how best to protect it.

Greg Shipley is the CTO for Chicago-based security consultancy Neohapsis. Write to him at gshipley@neohapsis.com.


