"Courage is not the absence of fear, but rather the judgment that something else is more important than fear."
- James Hollingworth
The scariest Halloween party I ever attended was a few years ago when some eEye co-workers and friends got together for an October 31st costume-themed bar crawl. This was an especially scary Halloween because we all decided to dress in 70's workout gear more ridiculous than anything Richard Simmons could pull off on his best day. We hopped from bar to bar enticing crowds of people to join us in jumping jacks and aerobic workout routines. I was truly terrified at the sight of my friends and co-workers wearing shorts that, well... they just should not have been wearing, even after multiple shots of Jäger.
The security industry itself, especially how it is often marketed, reminds me a lot of that Halloween night, with flashes of spandex and Jäger and fear. There are so many things hyped beyond belief in this industry that folks working in IT are told they need to fear, and by fear, we in the industry mean, “give us money for our products regardless of what is truly going to help you.” The sad part is that in reality there are a lot of serious threats to businesses and consumers, but these things tend to be overshadowed by people telling you Cyberwar and Cyberterrorism are around the corner. The fact is that the real threats that businesses face do not make for nearly as good news fodder as things like Stuxnet do.
This Halloween, I want to talk to you about five things you should NOT fear. As advised by the Hollingworth quote above, rather than fearing these things, make it a more important priority to face them by asking, "How am I dealing with these issues?" Unlike Cyberwar and Stuxnet, these five issues have real impact on businesses and consumers all over the world.
- The New Girl in Accounting - Security practitioners have long said employees are one of the weakest links in an organization’s security posture. While people in IT will moan and complain about users, the reality is that we will never solve the user problem. Yes, we will never solve the user problem in terms of making users any smarter than they are today. That is why it is a necessity for both IT and security companies to provide the solutions that save users from themselves. So what are you doing, beyond complaining, to save users from themselves? What is that last line of defense between something malicious and the user's computer? If your answer is you’re still depending on anti-virus technologies, then you should be afraid, and you should start thinking differently.
- Third-Party Software Applications - I started giving a talk more than five years ago titled, "More Than a Microsoft World." This was years before the increase in Adobe and related third-party application attacks, but I was trying to preach to people to start thinking about what to do to secure third-party applications. You have a process for Patch Tuesday and Microsoft, but how do you handle Reader, QuickTime, Flash, RealPlayer, etc.? I obviously failed in my quest to make people take notice because now, after saying this as many times as I could, I am left to say it again: third-party application vulnerabilities are the single most important threat your organization faces. So ask yourself what you are doing about it. Where are the gaps in your patching, vulnerability, host security, and related management processes and solutions?
- Zero-Day Vulnerabilities - Years ago, zero-day vulnerabilities would have been something I mentioned in my opening as a fear that you do not need to fear. They used to be dangerous only to high-end Fortune 100 or government organizations. Times have changed. Zero-day vulnerabilities are increasingly being used in everyday attacks. This is a problem as most organizations barely have a proper vulnerability management process for known vulnerabilities, let alone unknown ones. And did I mention that many zero-day vulnerabilities are found within third-party applications? So what are you actually doing about zero-day vulnerabilities, the unknown, and the unpatchable? How are you mitigating these threats in your environment? If you again say anti-virus or traditional vulnerability management approaches, then I can’t help but quote the cheesy Hackers movie and ask, "What, your mom get you a putter for Christmas?"
- Cloud Security - I hate to use a buzzword like “cloud” after using a buzzword like "zero-day", but the reality is that just as zero-day vulnerabilities have become important, so has cloud security. But the difference is that cloud security is important because no one knows what the heck it actually means because "the cloud" is developing so rapidly. It is not a matter of people not knowing what “cloud security” is, but what “the cloud” itself actually is. This is an area where you need to take a step back and meditate for a minute on what your business is trying to accomplish, and how traditional solutions compare to "the cloud." That is, should you move to the cloud (as if you have not already) and how are you able to monitor and secure your presence in the cloud? Most organizations do not even know what their presence in "the cloud" is because using cloud and SaaS applications only requires a web browser. There is no software to install and therefore it does not require IT to ever get involved if marketing or sales wants to move to the cloud, whether en masse or for point projects. So, how are you staying on top of where your business is in the cloud and how it is operating?
- Privilege Escalation Vulnerabilities - For many years, people complained about the fact that in most Windows environments all users were typically running as local administrator. There has been a lot of progress in restricting users’ privileges. This is both because of improvements by folks like Microsoft and by general software developers being smarter about what privileges they require. We are even seeing organizations like Adobe using sandboxing technology to help limit the effects of vulnerabilities within their products. The problem, however, is one that eEye started pointing out many years ago through a series of advisories on privilege escalation vulnerabilities. Back when we first released these advisories (and even whitepapers), people did not take much notice because at the time, almost everyone was already an administrator. Our point was that we would reach a future when users had lower privileges. It was important for people to realize that when we got there, we definitely were not reaching any panacea and the threat from privilege escalation vulnerabilities would become very real. We are seeing the threat from privilege escalation attacks today in sophisticated attacks like Stuxnet, and over the next year or two, we will see privilege escalation exploits used more commonly in everyday attacks, just as we saw zero-day vulnerabilities go down market. So what are you doing about it?
While there are many things in the world one might be afraid of, we should never allow ourselves to be crippled by fear (especially by things that the security industry passes off as things to fear). In the grand scheme, most of the problems we face in the world of computer and network security are very solvable, if we can simply get out of our own way. To do that, we must realize that much of what we read in the security press and from security companies is entertainment. It is the sort of fear you can catch watching the nightly news. Typically, the scenarios do not apply to you. What really will help is getting back to basics and staying the course.
Most importantly, I hope everyone has a fun and safe Halloween, whether it is the 70's workout gear spandex bar crawl or trick-or-treating with your kids. Either way, just remember the words of FDR, "The only thing we have to fear is fear itself."