In the first article in the series, we talked about how when you don’t understand your attack surface, too much security can actually make you more vulnerable and undermine the efficiency of your organization’s operations. Now we will look at problems caused by unbalanced security, which will lead us to the third and final installment on security solutions that fight for the same resources.
Your Security is Unbalanced
“Security is about balance,” says every security cliché everywhere. But that cliché refers to the business and not to security itself. It means that, supposedly, with too much security the costs, missed opportunities, and inefficiencies quickly outweigh the profits.
With too little, supposedly, the costs and losses quickly outweigh the profits. There may be a study somewhere that proves or disproves that sentiment, but one thing is for sure: unbalanced security will certainly hurt your security.
Unbalanced security is when your security increases your attack surface. And it’s normal. You see, every time you add something to your organization you are increasing its attack surface. Even security measures. Then you need to add more controls to compensate for the newly extended attack surface.
But really you need to add the right controls in the right way, so that they compensate without bloating. That may not sound complicated, but it is, because it requires minute attention, measurement, and looking at the big picture all at the same time.
Even worse, sometimes the attack surface is increased out of band, which means you may open yourself up to an attack you never considered because it is not in the scope you are looking at. That can be as simple as a new password policy that leads employees to write their passwords down on paper (out of band). It is hard to determine all the ways security can change the attack surface, especially out of band. It has probably become the biggest unaddressed problem in security.
It gets more complicated still. You see, even if you manage to get balance, you still need to deal with future changes. Any changes to that beautiful, well-balanced ecosystem you built will bring trouble. And by changes, we don’t mean new interactions, as that should be accounted for already. No, we mean updates, patches, and new installs.
Anything you put into the system that changes what you had can upset the balance. Which is why you might not want to, despite the rest of the security industry yelling PATCH! UPDATE! That advice is based on the premise that nobody achieves balance and then stays static. But many could.
They just need to make sure that changes happening within the balanced framework are already compensated for. For example, you would not balance the security of a desktop without taking into consideration the installation of new applications and the updating of old ones for improved features. So your compensating controls would already address that, and the increase in that part of the attack surface would be self-contained. Changes to the security software doing the controlling, however, would not be self-contained.
Furthermore, adding controls means more changes to the system and more things that can go wrong. There are risks of conflicts, denial of service, loss, inefficiency, and leaks. Such risk is usually accepted where the threat is seen as worse than the side effects of the protection, as with malware. However, once you start layering protection, you further increase the changes to the system and the number of things that can go wrong. Again, depending on the number of threats, that may be fine too.
In a perfect world, that would be all there is to it. This is not a perfect world. Enabling automatic updates still means you are changing the code in your system regularly. Seen through attack-surface-colored glasses, that is periodic, systematic, untested tampering with the controls of a contained system. For a real-world perspective: if you systematically and periodically alter the protective systems of an organism, you get something between unpleasant side effects and cancer.
Now try periodically and systematically changing the controls of multiple systems that interact with each other through multiple processes. Call it patch management, vulnerability management, malware protection updating, or whatever you want: if the side effects on one system are unpleasant, imagine the scale when it is a whole network and the systems are interdependent.
And there is still another way that security can be unbalanced. It is when you have too many of the same controls. People who go by gut or intuition will see that they have “a lot” of security (that’s me sparing no expense on the technical security consultant terminology here) when really they have more of the same security.
For example, most of the security solutions you find out there are based on authentication. Perhaps it is a psychological thing: people associate authentication with keys and locks. So there is a drive to have better, stronger, faster authentication schemes to improve security.
Now, authentication comes in many forms. Any system that only allows or denies access, whether for a packet or for a person, is controlling via authentication. That includes every switch, router, host-based firewall, network-based firewall, HIDS, HIPS, NIDS, NIPS, AV, smart card, badge, lock, and key ring, and many more I have not listed.
Every authentication scheme has its own set of weaknesses. Some can be brute-forced, some rely on human memory, and some are inefficient enough to be their own denial of service. And some can simply be fooled, since authentication is built on identification and authorization, both of which are highly susceptible to human error.
According to research for the OSSTMM 4, there are at least 10 types of operational controls, one being Authentication. And each control protects against a different category of attack. Therefore, layering your security with the same type again and again still leaves you open to at least 9 other categories of attacks in that same vector!
So the typical network protected with authentication and encryption is only protected against 3 types of attacks (because encryption is generally implemented so that it provides 2 types of controls, Confidentiality and Integrity).
If your resources are all going into maintaining 30% protection, isn’t something wrong? Which brings us to our next installment in this series: Security Solutions that Fight for the Same Resources – coming soon…
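The counting argument above can be made concrete with a small inventory check. The following is an added example; it is not code from the article, nor ISECOM’s or the OSSTMM’s own tooling. It assumes the ten operational control names published in OSSTMM 3 (the article cites OSSTMM 4 research for “at least 10”), and the mapping of products to control types, the sample inventory and the function names are the example’s own judgement, not an OSSTMM classification. It shows that the “typical network” of firewalls, smart cards and TLS covers three of ten control types, that stacking another access-control product leaves coverage unchanged while the redundancy count grows, and which catalogue entry would actually raise coverage.

```python
"""Control-type coverage check for a single vector.

Added example; not code from the article, from ISECOM or from the OSSTMM.
The ten control names are the ten operational controls published in
OSSTMM 3 (five interactive, five process); the article cites OSSTMM 4
research for "at least 10", so reusing the OSSTMM 3 ten is an assumption.
The mapping from products to the control types they provide is this
example's own judgement, not an OSSTMM classification.
"""
from collections import Counter

OPERATIONAL_CONTROLS = (
    # Class A, interactive controls
    "Authentication", "Indemnification", "Subjugation", "Continuity", "Resilience",
    # Class B, process controls
    "Non-Repudiation", "Confidentiality", "Privacy", "Integrity", "Alarm",
)

# Assumed catalogue: which control type(s) a deployed measure actually gives you.
# Everything that merely allows or denies access collapses to Authentication,
# which is the article's point about "more of the same security".
CONTROL_TYPES = {
    "network firewall": {"Authentication"},
    "host firewall": {"Authentication"},
    "802.1X port authentication": {"Authentication"},
    "smart card login": {"Authentication"},
    "antivirus": {"Authentication"},
    "NIPS": {"Authentication"},
    "TLS": {"Confidentiality", "Integrity"},
    "full-disk encryption": {"Confidentiality"},
    "syslog to SIEM with alerting": {"Alarm"},
    "offsite backups": {"Continuity"},
    "cyber insurance": {"Indemnification"},
    "signed audit log": {"Non-Repudiation", "Integrity"},
}

# Constructed sample inventory: the "typical network" of the article.
TYPICAL_NETWORK = ["network firewall", "host firewall", "smart card login", "TLS"]


def control_counts(deployed):
    """How many deployed measures provide each control type.

    An unknown measure is an error rather than a silent zero, so a typo in
    an inventory cannot quietly change the result.
    """
    counts = Counter()
    for measure in deployed:
        try:
            counts.update(CONTROL_TYPES[measure])
        except KeyError:
            raise ValueError(f"no control mapping for {measure!r}") from None
    return counts


def covered(deployed):
    """Set of control types provided at least once."""
    return frozenset(control_counts(deployed))


def uncovered(deployed):
    """Control types, and so attack categories, with no control at all."""
    return frozenset(OPERATIONAL_CONTROLS) - covered(deployed)


def coverage_percent(deployed):
    """Whole-number percentage of the ten control types that are covered."""
    return 100 * len(covered(deployed)) // len(OPERATIONAL_CONTROLS)


def redundant(deployed):
    """Control types provided more than once: 'a lot' of the same security."""
    return {t: n for t, n in control_counts(deployed).items() if n > 1}


def best_next(deployed, catalog=CONTROL_TYPES):
    """Catalogue entry that would add the most not-yet-covered control types.

    Returns None when nothing in the catalogue raises coverage; ties go to
    the earliest catalogue entry.
    """
    missing = uncovered(deployed)
    gains = {m: len(types & missing) for m, types in catalog.items() if m not in deployed}
    if not gains or max(gains.values()) == 0:
        return None
    return max(gains, key=gains.get)


if __name__ == "__main__":
    for inventory in (TYPICAL_NETWORK, TYPICAL_NETWORK + ["NIPS"]):
        print(inventory)
        print("  coverage:", coverage_percent(inventory), "%  redundant:", redundant(inventory))
        print("  uncovered:", sorted(uncovered(inventory)))
        print("  best next:", best_next(inventory))
```

Run as a script, it reports the sample inventory at 30% with Authentication provided three times; adding NIPS keeps it at 30% and raises the Authentication count to four, while the first catalogue entry that raises coverage is the alerting SIEM feed, which brings Alarm in and moves the figure to 40%. The catalogue and the mapping are the parts you would replace with your own inventory and your own judgement.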
So, it’s time to change. There are better security awareness methods out there worth following at this Troopers workshop. Find me there. I’m open to talk about any of the topics covered in this article if you catch me at an event like Troopers in Germany or RVAsec in Richmond, VA, USA — both coming up soon!
Author’s Note: The information in this article comes from research for OSSTMM 4 and its spin-offs which include the Secure Programming Guidelines, Security Awareness Methodology Manual, Hacker Highschool, Vendor Trust and Security Assessment, and the Desktop Security Matrix, some of which are already publicly available or available to ISECOM subscribers. The difference between ISECOM research like the OSSTMM and security best practices is that ISECOM studies and verifies practices to determine facts as opposed to the anecdotal security found in best practices. OSSTMM is true.
About the Author: Pete Herzog is the co-founder of ISECOM, and as Managing Director is directly involved in all ISECOM projects. In 2000, Pete created the OSSTMM for security testing and analysis. He is still the lead developer of the OSSTMM but also leads the organization into new research challenges like Smarter Safer Better, the Bad People Project, and the Home Security Methodology. Pete’s strong interest in the properties of trust and how it affects us and our lives has led to trust metrics and has brought ISECOM more deeply into Human Security. In addition to managing ISECOM, Pete taught the Masters for Security at La Salle University in Barcelona, which accredits the OPST and OPSA training courses, and Business Information Security in the MBA program at ESADE, which is the foundation of the OPSA. In addition to security, Pete is an avid Maker, Hacker, and reader.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.