Security cannot rest on one element

We believe your IT systems can be secure; the first step is to expand the scope of your commitment. Don't settle for a security system based on one product.

We've been graced with the opportunity during the past two-and-a-half years to deliver security information that we hope will motivate and inspire you to take action.

What we have found over this time is that many still don't understand the need. So with the new year upon us, we challenge you to embrace knowledge, information, and full disclosure as your salvation, and to get the picture that technology -- specifically firewalls and IDS (intrusion detection systems) -- by itself does little to secure your company's digital investment.

One of our pet peeves is the view that full disclosure is somehow the cause of our security ills, that knowledge of vulnerabilities and how to exploit them is somehow to blame for their rise. This is absurd. Here's one of the misleading arguments: "If full disclosure worked, we'd have fewer vulnerabilities. Instead, we have more today than ever before; thus full disclosure doesn't work."

Knowing in our hearts that the rationale was fundamentally flawed, we sought out some statistics. We went to Hobbes' Internet Timeline Version 5.2 and Carnegie Mellon University's CERT Coordination Center and mapped the number of websites on the internet with the number of discovered vulnerabilities during the past six years.

We found that they are proportional: As the number of computers on the internet increases, so does the number of vulnerabilities. And, in fact, in two of the past six years (1994 and 1996), the percent increase in websites on the internet dwarfed the number of vulnerabilities, which suggests that our ability to contain vulnerabilities is improving.

The bottom line? Full disclosure exposes vulnerabilities before an attacker does and allows administrators and vendors to plug the holes. Full disclosure works by giving vendors the incentive to take security seriously at the beginning of the development process rather than after the fact. Full disclosure is the only way to secure computers in the long term.

Our feelings on NIDS (network-based IDS) are not industry secrets. We were among the first to publicly revel in the technology's advantages and place in the industry. In 1998 we reviewed the first serious public comparison of NIDS products (by our accounts) in InfoWorld. But time and age have matured us.

We vented a few weeks back about limitations of the NIDS technology and declared it dead. The motivation behind our stance is simple: It's the truth. We engage organisations every day on issues of security and, despite our weekly column advice to the contrary, we are often told, "You'll never be able to penetrate our company; we have NIDS." But NIDS are at best video cameras that can be avoided, subverted, blinded, tricked, and fooled. The sooner you understand their limitations, the quicker you can get on to securing your environment. Now, do we use NIDS? Of course we do. Do we depend on it to keep us secure? Absolutely not!

We have not yet mentioned HIDS (host-based IDS). For the most part, the limitations of HIDS are significant as well. The best HIDS and NIDS can offer is a record of the event. A knowledgeable security practitioner is still needed to review the information and determine an incident-response action plan.

Preventive technology from newly named Entercept Security Technologies, formerly ClickNet Security Technologies, is the only hope we see in the industry for IDS. The technology not only includes but also goes far beyond the "detect and alert" mechanisms of NIDS and HIDS by providing a barrier to your operating systems and applications that prevents the attacks (known and unknown) before they occur.

Yet another burr in our saddle is the assumption that firewalls fix the security problem. Ask your security manager what security measures are in place. If the answer is only "firewalls," show that manager the door -- he or she hasn't a clue about maintaining security. As we said when we started writing this column in 1998, security is a process, not a goal. You cannot rely on technology alone to provide any significant comfort. Firewalls are misconfigured every day.

But even if you could configure and manage your firewall perfectly through strong policies and security updates every minute of the day, you still need to allow traffic to pass through. Web, DNS, and mail are just a few of the applications that must flow into your network, and e-commerce applications are designed every day with little or no security in mind. So even if you have the best-configured firewall on the market, an attacker can take advantage of an application's design weaknesses to gain unauthorised access. More than 75% of attacks, in our experience, occur despite a site's having a firewall in place.

We believe your systems can be secure; the first step is to expand the scope of your commitment. Don't settle for a security system based on one product. Make changes today that will affect your company's assets tomorrow.

What do you think about the future of security? Send your predictions to security_watch@infoworld.com. Stuart McClure is president and CTO and Joel Scambray is managing principal at security consultancy Foundstone.

Join the newsletter!

Error: Please check your email address.

More about Carnegie Mellon University AustraliaCERT AustraliaEntercept Security TechnologiesFoundstoneMellon

Show Comments

Market Place

[]