written by Pierluigi Stella
The general issue of security needs to be put into proper perspective – anything made by humans can, and will be, broken by humans; and in reality, those who break always have an advantage – they’re working with something that exists, and have the luxury of time to try and figure out how to break it. Those who protect are in the opposite position – they’re always on the defense, called to come up with new ways to create fences and perimeters that will withstand constant assault. Never in the history of humanity have defenses lasted through time. Even the Great Wall of China, albeit still standing, in reality failed its purpose; it’s there simply because at some point it became useless and obsolete, so no one even bothered to attack it.
Enough of philosophy though. Can we stop or prevent the attacks? No. Can we at least try to make their life difficult? We certainly can.
Unfortunately, the actual state of cyber defenses is far from where it should be. Recent attacks on federal government data have clearly demonstrated that even those agencies are still ill prepared to fend off attacks. It isn’t that they’re not doing enough; essentially, in many cases, they’re doing it all wrong. Many private companies, even today, in 2015, are running firewalls that were obsolete 10 years ago; they’re not running IPS, AV at the gateway or web content filtering; and they’re not scanning encrypted traffic. At a time when even a Google search is encrypted, pretending that viruses can’t come through encrypted streams is ludicrous.
I ask you, how many companies today are actually scanning for viruses at the gateway through encrypted streams?
I often have a hard time convincing my own clients that this is vital; they don’t want to take the time to do the setup necessary to implement such protections. They do not want to take the time to troubleshoot the few possible issues such implementation may bring about. Security takes time and patience, and not everybody is willing to put in the effort required.
Furthermore, many companies still try to do security on their own as if you could invent security expertise overnight; they don’t take security seriously, that is, until it hits them where it hurts – they lose something and, ultimately, they lose money and possibly the entire business.
As a managed security provider, we run into such situations every day. We acquire a new client, we analyze the configuration of their old firewall, and we realize there wasn’t even one. In this day and age, they’re still considering the LAN a trusted area, allowing all traffic outbound, opening ports right and left where it simply isn’t necessary. They’re still adopting security tactics that were already obsolete in 2002, attempting to do security without spending money and treating it as, well, a nuisance. For as long as this continues, hackers will always have the upper hand.
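To make the "LAN is a trusted area, allow everything outbound" finding concrete, here is an added example (not code from the original post or from the author's company) that models first-match firewall rule evaluation and runs a handful of constructed outbound flows through two egress policies: the allow-all ruleset described above, and a default-deny ruleset that only permits the services the LAN actually needs. The internal resolver (10.0.0.53), web proxy (10.0.0.80) and time server (10.0.0.123) are assumed hosts, and every address, port and flow is made up for the illustration.

```python
"""Egress policy check: allow-all outbound vs. default-deny with explicit allows.

Added example, not from the original post. It models the first-match rule
evaluation a stateful firewall applies to LAN -> Internet traffic and shows
what each policy does with a few constructed outbound flows.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    proto: Optional[str] = None  # "tcp" / "udp", or None for any protocol
    dst: Optional[str] = None    # destination CIDR, or None for any destination
    dport: Optional[int] = None  # destination port, or None for any port
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    note: str = ""


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches only if every field it constrains agrees with the flow."""
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    if rule.dst is not None and ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    return True


def evaluate(rules: List[Rule], default: str, flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; if none matches, the chain's default policy applies."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.comment
    return default, "chain default policy"


# Policy A: the "LAN is trusted" firewall the post describes, no egress rules at all.
ALLOW_ALL_OUTBOUND = ([], "accept")

# Policy B: default deny, with explicit allows for what the LAN genuinely needs.
# 10.0.0.53, 10.0.0.80 and 10.0.0.123 are assumed internal hosts for this example.
LEAST_PRIVILEGE_OUTBOUND = ([
    Rule("accept", "udp", "10.0.0.53/32", 53, "DNS only via the internal resolver"),
    Rule("accept", "tcp", "10.0.0.80/32", 3128, "web access only through the scanning proxy"),
    Rule("accept", "udp", "10.0.0.123/32", 123, "NTP only to the internal time server"),
], "drop")

# Constructed sample flows from two workstations on the LAN.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.0.53", "udp", 53, "normal DNS lookup"),
    Flow("10.0.1.20", "10.0.0.80", "tcp", 3128, "browsing through the proxy"),
    Flow("10.0.1.20", "198.51.100.7", "udp", 53, "DNS to an external server, bypassing internal logging"),
    Flow("10.0.1.20", "203.0.113.9", "tcp", 443, "direct HTTPS, bypassing the scanning proxy"),
    Flow("10.0.1.20", "203.0.113.9", "tcp", 9001, "high port with no business service behind it"),
    Flow("10.0.1.31", "192.0.2.25", "tcp", 25, "workstation sending SMTP directly"),
]


def audit(policy, flows):
    """Return (flow note, action) for each flow under the given policy."""
    rules, default = policy
    return [(f.note, evaluate(rules, default, f)[0]) for f in flows]


def count_drops(policy, flows) -> int:
    return sum(1 for _, action in audit(policy, flows) if action == "drop")


if __name__ == "__main__":
    for name, policy in (("allow-all", ALLOW_ALL_OUTBOUND),
                         ("default-deny", LEAST_PRIVILEGE_OUTBOUND)):
        print(f"== {name} outbound policy ==")
        for note, action in audit(policy, SAMPLE_FLOWS):
            print(f"  {action:6}  {note}")
```

Under the allow-all policy every flow, including the direct HTTPS that skips the proxy and the stray high-port connection, leaves the network unchallenged; under the default-deny policy the same two legitimate flows still work and the other four are dropped and can be logged, which is exactly the visibility the allow-all setup throws away.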
You ask if we can prevent or stop the attacks.
I would ask in return, can we ever hope to get ahead of the curve?
Right this moment, we are left far behind, eating the dust. Hackers have basically demonstrated that if they want in, they’ll get in; period. To provide an idea of the extent of the issue, consider that we’re seeing more than 300,000 new threats per day. Think about that for a second; how many security people can you possibly ever hire to mount protection against 300,000 new threats every single day? AV companies themselves have lost the battle and conceded defeat long ago. They’ve been trying to create new technologies that could recognize threats without having to create signatures. In fact, many experts believe signatures are obsolete, and I tend to partially agree with that statement.
I say partially because signatures are still useful in recognizing existing, well-known threats. Imagine if we threw away all antibiotics because they can’t stop the new bacterium we’ve just detected; then you get strep throat and you can’t be cured. Existing signatures are still very pertinent, to ensure that known and well-recognized threats don’t destroy your network. While there are 300,000 new threats every day out there, there are also more than 15 million well-known threats that CAN be stopped by an AV. We don’t pay much attention to them because the AVs are stopping them; but I assure you, if we removed the AVs, those threats would join the legions of new threats and become a horrendous nightmare for us all.
To find out how we should be approaching the issue of security, watch out for the concluding part of this post which will go live on the blog on Friday.