Tuesday, November 15, 2011

The Three Flavors of Security


A boss once told me, “In a ham and egg breakfast, the chicken is involved, but the pig’s committed”.
With security, there are three separate groups which have fundamentally different views on how to provide security.  Two are involved, one’s committed. 
We can learn a lot by considering how each views security and how integrating all approaches, as opposed to focusing on a single one, provides better security.
Engineering
First, there are the builders: the engineers, designers, coders, testers, and integrators.  They approach security as something you build.  They expect the attacker to know everything about the system minus some minimal authentication information.  They fix code, secure configurations and repeatedly test to make sure everything is perfectly secured.  They are involved.
Intel/Counter-Intel
They are the sensors and they see security as a sensor: to secure something, hide it.  Intel documents all the places where people didn’t hide things and were consequently compromised. 
Therefore counter-intel believes nothing can be perfectly secured, so instead it is best to do everything in your power to prevent the attacker from gaining information.  The engineers abhor this approach as “security through obscurity”.  Intel and counter-intel are involved.
Operations
They are committed.  Operations receives the output of engineering,  intel, and counter-intel and has to make it work.  Security is not their job; it allows their job to happen. 
As such, they are likely to ignore any security that impedes operations.  They know their systems are imperfect.  They know they can’t prevent information from getting out there. 
Instead, they strive not to be perfect in either the intel or engineering way, but simply to be better than the attacker.  They solve problems procedurally and will substitute labor for technical solutions (e.g., incident handling instead of an IPS). 
Any sound security solution needs to have a little of each.  Because operations is committed, all security needs to support them.  However, not all problems are solvable procedurally or with human capital. 
Engineering is required to provide operations the tools they need, as well as systems built to slow down the attacker and fail gracefully when compromised.  Intel is needed to provide operations information to help them orient and act. 
Counter-intel is needed to help operations slow the loss of information.  Only when all areas are working in concert for the common operational goal is security realized.

Tuesday, November 1, 2011

Balkanizing the Internet


In light of the UK cyber security summit, I thought it might be appropriate to discuss the balkanization of the internet.

This is not a story about where the internet should go, or could go, but where it will go.  Market forces will simply guide us to this end.  Honestly, that's probably OK.

The internet is really not one contiguous environment.  Instead, due to the nature of service contracts and peering agreements, it's a mesh of interconnected information systems.  These information systems are already undergoing a balkanization as we speak.

Companies require that business only be conducted within their network.  ISPs require strict agreements and provide some minimal security protections.  VPN services provide a completely open connection in which you provide your own security.

Some governments attempt to completely control the content of their information systems.  The FBI even suggested an alternate internet for critical systems.

In the end, what is important is that we explicitly recognize what is going on.  Through multiple technologies (remote desktops/shells, VPNs, hosting services, etc.), we have the ability to choose an information system or systems to exist within.

We may choose to conduct our day-to-day personal network use within our home information system, buried within our ISP information system, buried within our country information system.  We may choose to host a website within an information system specifically designed to protect web servers.

We conduct our business duties through a VPN to our corporate network.  And we have one system residing on a VPN to an uncontrolled provider who does not restrict our actions but offers us no security.

At the conference, hopefully those leaders in attendance understand that they are making agreements about how their country or corporate information systems will interact with each other. 
However, they must realize that there will be information systems which will not agree to their rules (and which they can then choose to defend themselves against).  They must also understand that people may not choose to agree to their terms for existing within their country or provider information system and instead have the choice to exist in another.

That's not to say that people won't have to pay for their physical connection, but in most places there are multiple options (cable, DSL, dial-up, satellite, cellular, RF/WiMAX/wireless, etc.).

And even if you are restricted to a physical provider, no group has ever been able to block people's connectivity.  The ability of malware to circumvent even the best companies' security, or people to circumvent the Great Firewall of China, bears this out.

There is great potential for companies and countries to offer information systems which provide varying services (security, QoS, etc.) in return for the member being burdened in various ways (payment, use agreements, etc.).

If we ignore the inherent balkanization as well as people's freedom of choice, the internet will grow, but without the clarity which could provide people, companies, utilities, and governments the service and security they need at burdens they are willing to accept.