For example, a basic Sun Solaris system may use proper file-level access controls in addition to strong authentication mechanisms, but if further precautions have not been taken, last week's RPC (remote procedure call) service vulnerability will let a remote attacker walk onto the machine as root, essentially turning over the keys to that machine's kingdom (and data).
Another common failure is deploying what might be perceived as a defense-in-depth implementation when, in reality, the deployment still possesses a single point of security failure. Take many Web-based e-commerce applications, for example: While a given deployment may involve firewalls and intrusion-detection systems, if the application requires a single user name and password combination to access critical data, does the strategy truly possess any depth? How many effective controls sit between an intruder and critical data sets?
Traditional perimeter-centric and attacker-centric protection models face future problems as well. Still in the making is one of the biggest challenges: Web services. As companies collaborate, and internal systems engage in higher levels of interoperability with foreign systems, one organization's lax attitude is another's security nightmare. The ever-evolving perimeter, combined with components, subroutines and data exchanges that organizations no longer control, will bring new meaning to the phrase "target-rich environment."
Other people's problems invading your computing environment won't be the exception, it will be the norm. Technologies such as SOAP and XML-RPC promote asset-centric data sharing, rendering most perimeter controls useless. Perimeter- and attack-centric models won't help here: Organizations must move to more asset-centric controls or face increased risk and exposure.
Many organizations are seeing the first wave of these threats, albeit as scaled-down versions, in their extranets. For example, the outbreak of automated worms such as Nimda left many companies in the precarious position of having third-party systems attacking their own internal machines. The problem resulted from Microsoft IIS-based systems that were owned and operated by third parties, resided on local networks and were used by local users, but hadn't kept up with the latest patches. The result: An outsider's negligence caused damage to internal resources, resources that did not fall under the protection of perimeter controls. Further network segmentation, and more tiers of defenses, would have helped prevent these situations.
Looking Ahead
The next step is a big one for most security staffs, and ingrained legacy security models can present large obstacles. Many of today's infosec strategies are rooted in concepts developed decades ago, and while these concepts still apply to components of a successful program, they do not provide the framework for a holistic security model. They certainly don't incorporate the triage concept.
So should corporations stop purchasing firewalls? Should they move users into their DMZs and ditch their network IDSs?
Certainly not. However, they should move many of the tools and techniques used at the perimeter closer to critical assets. Organizations would be wise to invest some energy in first determining what they are protecting, then analyzing how best to protect it.
Greg Shipley is the CTO for Chicago-based security consultancy Neohapsis. Write to him at gshipley@neohapsis.com.