Information security is in the news a lot at the moment, what with the theft of key data from RSA and the resulting attacks on US defence companies, Sony's many problems, and Lulzsec's rampage across the internets…
And while I applaud that businesses and networks are starting to realize that they need to be secure and that they need to ensure their users security, part of me continues to wonder if we're focusing in the right place - and if the current spate of attacks is actually making us look at the wrong pieces of our security environment.
The attacks on Sony and the like have been relatively conventional – a mix of SQL injections and distributed denial of service. They're the Internet equivalent of ram raiders with a JCB, smashing into targets and causing significant collateral damage enroute to whatever criminal, political, or nihilistic aim. Fixing the holes that let in those attacks is relatively easy, after all these aren't new techniques and amelioration is relatively low cost (and certainly low cost when compared with the billions of dollars Sony has lost).
What I'm worrying about are the more complex attacks, the low and slow sneak attacks like the one that stole what’s suspected to be the DNA of RSA's token security system – and then used the stolen information to attack at least two major US defence contractors. They're much harder to spot, much harder to defend against, and in the long run much more damaging – as they're likely to be the result of state or state-sponsored attackers looking for key intellectual property or political information (much like the still ongoing Aurora campaign that targets Gmail accounts). These attacks are hard to spot, and harder to block – especially if information is leaking out of your networks just a few bytes at a time while an intruder's software sits hidden on a trusted server.
To combat these highly engineered attacks we need to develop new security models and architectures that focus on securing information, not on infrastructure. They mean changing the way we thing about working with information, using contextual tools to add new layers of security (after all, I shouldn't be trying to connect to a secure data store if my key card hasn't opened the door into the building, or if my calendar says I'm on a client site).
While passwords are an anti-pattern, they're not going away quickly. Instead of being the keys to the kingdom, they need to be just part of a set of security tools. Used in conjunction with devices like the TPM (itself an important part of ensuring the security of underlying operating systems and hypervisors), passwords can unlock negotiated key exchanges that make every session's encryption different. Linked to smartcards and to two-part authentication systems (perhaps using smartphones as an additional security channel), passwords become less risky and more flexible – and hopefully less prone to the effects of GPU-accelerated hash cracking tools that make it essential to use something stronger than 8 character full-character set passwords…
Systems themselves need to be considered differently. Trust isn’t implicit in location – it’s a function of utility and of need. System A shouldn't be able to connect to System B just because they're in the same data centre. They should only be able to connect if they're part of a workflow (and then only to a limited set of data using role-based security models to ensure that the right data is shared with the right systems). An effective identity system is part of this approach, along with strong encryption and certificate-based secure network protocols. Technologies like 801.x are important ways of locking down networks in a controlled manner, while log search engines and tripwires need to be deployed to ensure that the unusual – no matter how small – is noticed and examined. Even the slightest suspicion of an intrusion should mean a lock down and a risk audit.
Yes, it’s a more paranoid approach, but when the crown jewels are walking out the door and you don’t even notice they've gone, paranoia starts making sense.