Archive for the 'New Rules of Information Security' Category
Where do they find the time?
Mike Rothman is skeptical that there will be a “security industry”, and I don’t disagree with him.
I think there will be 0 security professionals in 2012. That’s right, ZERO. I think there will be network folks that specialize in security, and also some data center folks and even more application folks that are security specialists. OK, these are word games and a bit of semantics, but I think it’s an important point. If anyone thinks their only job is going to be security in 4 years, I suspect they’ll end up as a petroleum product sooner rather than later. OK, maybe not 2012, but I’m with most of the big mouth security pundits in saying security as a business will be going away within a reasonable long term planning horizon (7-10 years).
Of course, this leads me to wonder who, exactly, they think is going to do security work. And by “security work,” I don’t mean running Anti-Virus or pleading with sysadmins to patch their boxes. That’s Console Jockey work and it will go the way of all other Run jobs–overseas and down to helpdesk pay levels. When I talk about Security Work, I mean the job of determining the appropriate level of risk for the organization, then defining the mix of controls and tools across people, process and technology to actually achieve it.
Senior Executives don’t know. They just want to know that they’re not having to explain incidents to the press and that I’m still pushing back on every task because my budget is stretched (their measure of whether or not I’m “appropriately funded”).
IT doesn’t know either. If anything, I’m seeing the competence trend running in the other direction in terms of what it’s reasonable to expect an “IT Person” to know about the technology they’re responsible for. More and more, it’s getting harder to even find anyone who actually does the work of touching the technology. I can find Project Managers, Relationship Managers, Program Managers, Application Managers, Support Managers, and every other kind of manager under the sun. What I can’t find are SysAdmins, DBA’s, Developers, or Engineers, and I find this disturbing.
For example, in a recent discussion of what should be the required fields in our application inventory tool, the question came up as to whether or not the data center where the production environment resides should be required. The answer was, “no,” because apparently that’s too much for a system owner or application support person to know–what building their app’s servers sit in. I wish this were an anomaly, but I’ve seen a steady increase in incidents like these, and not just at my current company, either.
And what tech talent I do see, I increasingly wouldn’t bring back from the phone screen if I were the hiring manager. I’ve seen Web developers who didn’t know the difference between the corporate LAN and the Internet from a network visibility/connectivity perspective. I’ve seen support leads who didn’t know how to connect to the application they supported. I’ve seen DBA’s who didn’t know what an index was! These people don’t even understand fundamental aspects of their own core competency, and we think they’re going to absorb a volume of knowledge and skills that most specialists can’t even seem to master?
So who’s going to do this work? The applications aren’t going to secure themselves. This is a simple fact, and even if the application can somehow be declared “secure” (which is to say, “secure enough”) in a vacuum, as soon as it starts interacting with users and other applications, all bets are off. Once again, someone has to decide how much security is enough for those interactions, either by declaring a standard or doing a risk assessment and determining what’s acceptable and what’s not.
While there might not be “Network Security” or “IT Security” as we know it today, I firmly believe that there are still going to be Information Risk and Information Protection specialists at all levels of the organization. Just because we’re going to either evolve beyond the world of Console Jockeys or get a job with Rothman at Dairy Queen doesn’t mean that Security Professionals are going away–quite the opposite, they’re going to have to actually become professionals.
So is all hope lost? Not necessarily. Clay Shirky had some really interesting observations on social surplus which apply here as well. Social Surplus is time that a society no longer needs to spend on some activity. For example, people worked fewer hours in the second half of the 20th century, leaving time that had to be filled. In response, the United States came up with things like sitcoms and yardwork.
So if you take Wikipedia as a kind of unit, all of Wikipedia, the whole project–every page, every edit, every talk page, every line of code, in every language that Wikipedia exists in–that represents something like the cumulation of 100 million hours of human thought. I worked this out with Martin Wattenberg at IBM; it’s a back-of-the-envelope calculation, but it’s the right order of magnitude, about 100 million hours of thought.
And television watching? Two hundred billion hours, in the U.S. alone, every year. Put another way, now that we have a unit, that’s 2,000 Wikipedia projects a year spent watching television. Or put still another way, in the U.S., we spend 100 million hours every weekend, just watching the ads. This is a pretty big surplus. People asking, “Where do they find the time?” when they’re looking at things like Wikipedia don’t understand how tiny that entire project is, as a carve-out of this asset that’s finally being dragged into what Tim calls an architecture of participation.
Now, the interesting thing about a surplus like that is that society doesn’t know what to do with it at first–hence the gin, hence the sitcoms.
(if you want to know where the gin comes in, go read the essay–it’s well worth the time)
But consider that if we switch the scale & topics from “The TV Watching of Population of the United States” to “the use & maintenance of IT,” and then swap Wikipedia with “IT Security,” then other than the scale of it, the same opportunity is out there, if we can figure out how to drive it.
But is it possible to create a Social Surplus within (Enterprise) IT that would be devoted to both improved excellence and ensuring security, rather than just chopped off as cost reduction?
Problems we should solve instead of stronger authentication
I want to pick back up on the discussions from a week or two ago about what threats authentication can protect against. The driver for two-factor authentication to protect on-line banking from phishing attacks is that it makes phishing harder, but this has already been broken up to and including Secured Hard Tokens.
As I see it, this should really be a wake-up call that the security industry’s authentication strategy needs to change. Among other things, it’s time to get over the obsession with authenticating the User and focus instead on the actual threats. First, we should be deploying & using mutual authentication. The reason that Man-in-the-Middle attacks work is because it’s easy to impersonate a server.
Overcoming this inertia is going to be hard, because there are a lot of vendors making a lot of noise about how all we need is stronger authentication, by which they usually mean moving away from free credentials (passwords) to expensive credentials (tokens, biometrics, or commercially-issued certificates) which they, of course, would like to sell us.
That’s not to say that there’s not a lot of value in the second factor, but there is more in some cases than others. Two-factor, combined with pre-shared keys to perform mutual authentication, provides excellent protection for VPN connectivity. But in phishing, Two-factor only raises the bar for an attacker, and only to the extent of filtering out the dumb ones. Even they will get toolkits in six months or so, though, and fraud will return to “normal” levels.
Unfortunately, the reason that free credentials seem to be failing is generally because people lack the necessary sophistication to protect them, not because they’re somehow inherently weak. Application vendors are trying to solve this problem (both Firefox 2.0 and IE 7 are going to have anti-phishing features). This may help, but only by minimizing the impact of the weakness between the keyboard and the chair, not the one between the client and the server.
The best way to tackle this problem is to minimize the reliance on the weakest link (the user). I don’t claim to have a solution (other than pre-shared keys or some sort of meaningful large-scale PKI, and anyone who reads this ‘blog probably rolled their eyes as soon as they read those words), but if we can get general agreement that there is a problem, then there will be demand (paying customers) for a solution and one will turn up sooner rather than later.
Personally (and I know I have a bit of a bias here, being a big de-perimeterization fan), I think that another problem we should be tackling is that endpoint location should be irrelevant. Within the corporate world, we operate under the paradox that we don’t consider “somewhere you are” to be an authentication factor, then structure most of our risk and security assumptions around which network the endpoints are on (Internet, Intranet, DMZ, etc.). I know it will take significant architectural changes to get to an endpoint-agnostic model, but every journey begins with a single step.
Finally, I believe we should apply security as close to the data as possible, which is fairly congruent to “Location should be irrelevant.” How does stronger authentication move security closer to the data?
As to what we can do about it, I think that promoting protocols which support Mutual Authentication (and using them) should be a key tactical goal for the security profession. This is something we can do today which will put us ahead of the game longer-term as the security assumptions inherent in “somewhere you are” evaporate.
Eventually, we will be forced by events to secure both high-value transactions and high-volume micropayments (think vending machines). We need to be ready for either or both of those, and the current obsession with stronger authentication isn’t going to get us there.
So here are some Real World goals I suggest we should be looking at.
- Improved authentication should focus on (cryptographically) strong Mutual Authentication, not just improved assertion of user Identity. This may mean shifts in protocols, it may mean new technology. Those are implementation details at this level.
- We need to break the relationship between location & security assumption, including authentication. Do we need to find a replacement for “somewhere you are?” And if so, is it another authentication factor?
- How does improved authentication get protection closer to the data? We’re still debating types of deadbolts for our screen door rather than answering this question.
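As an added illustration of the pre-shared-key mutual authentication argued for above (example code, not from the original post): a challenge-response exchange in which the client checks the server’s proof before it proves anything itself, so an endpoint that does not hold the key never gets the client to authenticate to it. The key, the nonces and the Client/Server classes are all constructed for this example.

```python
"""Pre-shared-key mutual authentication as a challenge-response exchange.

Both sides prove possession of the same pre-shared key (PSK), and the client
verifies the server *before* sending its own proof, so a party that does not
hold the PSK (an impersonated server) gets nothing usable from the client.
The key and nonces below are constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed example key; a real deployment provisions one PSK per client out of band.
GENUINE_PSK = b"example-psk-provisioned-out-of-band"


def _mac(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a role label plus both nonces, binding the two challenges."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


class Client:
    def __init__(self, psk: bytes):
        self.psk = psk
        self.nonce = secrets.token_bytes(16)

    def challenge(self) -> bytes:
        return self.nonce

    def verify_server(self, server_nonce: bytes, server_proof: bytes) -> bool:
        expected = _mac(self.psk, b"server", self.nonce, server_nonce)
        return hmac.compare_digest(expected, server_proof)

    def prove(self, server_nonce: bytes) -> bytes:
        # Called only after verify_server succeeds; covers the server's nonce,
        # so the proof is not replayable against another session.
        return _mac(self.psk, b"client", server_nonce, self.nonce)


class Server:
    def __init__(self, psk: bytes):
        self.psk = psk
        self.nonce = secrets.token_bytes(16)
        self.client_nonce = b""

    def respond(self, client_nonce: bytes) -> Tuple[bytes, bytes]:
        self.client_nonce = client_nonce
        return self.nonce, _mac(self.psk, b"server", client_nonce, self.nonce)

    def verify_client(self, client_proof: bytes) -> bool:
        expected = _mac(self.psk, b"client", self.nonce, self.client_nonce)
        return hmac.compare_digest(expected, client_proof)


def run_handshake(client: Client, server: Server) -> dict:
    """Drive the exchange and report which direction(s) authenticated."""
    result = {"server_authenticated": False, "client_proof_sent": False,
              "client_authenticated": False}
    server_nonce, server_proof = server.respond(client.challenge())
    if not client.verify_server(server_nonce, server_proof):
        return result  # client stops here: nothing is sent to an unverified server
    result["server_authenticated"] = True
    result["client_proof_sent"] = True
    result["client_authenticated"] = server.verify_client(client.prove(server_nonce))
    return result


if __name__ == "__main__":
    print(run_handshake(Client(GENUINE_PSK), Server(GENUINE_PSK)))
    # An endpoint without the PSK (a look-alike site, say) cannot pass step one.
    print(run_handshake(Client(GENUINE_PSK), Server(b"not-the-real-key")))
```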
Deperimeter, global and other -izations
I just wrapped up the day at the Open Group’s Jericho Forum Annual Meeting.
Lots of good work has been going on within the Forum’s working groups. Unfortunately, other than attending the meetings and carrying the deperimeterization torch back in the office, I haven’t done anything to advance any of it. Many people I speak with looked at the forum’s work early on and wrote it off. I strongly suggest that you take another look if this is an area that interests or affects you.
I think my favorite quote of the day came from Nick Bleech, CSO of Rolls-Royce, who said, “Deperimeterization is happening. It’s not a strategy, it’s an ‘-ization.’ It’s like globalization–it’s happening.”
In the corporate environment, assets can be protected at various levels, ranging from an individual column of a database all the way up to the entire company. Traditionally, IT assets have been protected from outsiders at the network perimeter by firewalls and at the host or application level with passwords.
If perimeter firewalls are the Maginot Line, then most of us are still in the Sitzkrieg, waiting for the killer app or killer business change that’s going to fly over or roll around the perimeter firewall like it’s not even there.
Did you laugh the first time you heard HTTPS referred to as “Universal Firewall Bypass Protocol”? If so, then you should realize that the waiting is over; you just haven’t noticed it yet.
The good news is that the frameworks and architectures necessary to move this from users “self-enabling” to something that the company can actually manage are about ready. Most of the “hard” problems seem to be well-enough under control from a technical perspective, meaning it’s time to see what happens at the business layer.
And that’s where the real fun begins. What are the implications of eroding perimeter controls to the business? What new risks are emerging that are not currently being identified, measured and managed as a result? What opportunities are also emerging, and what are the tradeoffs between the two going to look like?
Consider the outsourcing arrangements this makes possible if you can now offer technical controls to (you think) adequately protect your data in an outsourced environment. But how do you either make sure that your lowest-cost provider isn’t going to re-outsource your work to someone else in turn or manage the increase in risk incumbent in doing so? How much of a premium are you willing to pay the outsourcer for that extra restriction? How much should you be willing to pay?
Deperimeterization is increasing volatility in the business world. Businesses need to decide how they’re going to manage the increased risk that comes with it. Will they attempt to mitigate the risk and put the genie back in the bottle? That may work for a while, but only until someone else accepts it, takes the bet and wins. At that point, those who chose mitigation are no longer competitive and it’s game over for them. Now that is truly “Security as an Enabler.”
What a great time to be in the Information Risk Management business.
Three models for selling “security”, a 100th Risk Management post retrospective
This is the 100th post in my Risk Management category. As I’ve been working on it, this post has turned into sort of a link-o-licious Greatest Hits Show for this blog.
First things first, don’t talk about Security, talk about Risk. All the cool kids are doing it, even if Technorati tags about 200 posts per day as security, compared to one or two Risk Management posts per day. Be sure that whatever you’re proposing can answer these three questions. If you can’t do that, you don’t have a business justification for whatever you’re trying to do and you should wait until you do.
Assuming you made it past that hurdle, it’s time to explain why it matters. Here are three models I have used successfully to sell the need for security effort or expenditure within an organization. Your mileage will vary, of course, and none of them are without pitfalls, but they will probably help overcome Blank Page Syndrome if you’re looking at a blank slide template wondering where to start.
1) Wealth Model - The more security “Wealth” people think they have, the less interested they are in gaining more. The less they have, the more interested they are in gaining more. And if you ever take away people’s security wealth by pointing out how out-of-line their perception is with reality, they will hate you if you don’t have a solution ready for them.
I discussed this approach previously, so read the detail there.
The Wealth approach also requires that the business understand how basic Risk Management concepts apply to information security. The first step in Risk Management is understanding that all security needs are not created equal, and that countermeasures only work if they solve a problem the business has. This is also a good time to make sure that the proposed effort isn’t going to turn into a Big Ball of Duct Tape or a sand castle.
2) Decay Model - “Security measures must be maintained or their effectiveness will decay over time.”
This might also be described as either, “The reward for hard work is more hard work,” or the, “Remember how bad problem x used to be? Well it will be again if you don’t…” approach. This works best to explain the need for ongoing Security Operations expenditures like Anti-Virus and Monitoring.
The Decay Model also aligns well with compliance efforts, which are generally recurring adventures in making reality match the paperwork. Present your effort as
It is also somewhat analogous to the Hamster Wheel of Pain approach to security. You do things only to discover at the end of the effort how much more you have to do, usually by buying more security products.
While I’ve never been a huge fan of this approach, personally, I know people who are. My main gripe is that I feel like it ignores the constantly-changing nature of security. I’ve found that this model works well for justifying the inclusion of security into non-security processes, however.
While new threats emerge all the time, well thought out, consistently applied controls and countermeasures will largely mitigate even the unforeseen threats. If you’re trying to convince people that cultural or procedural changes are needed to protect the organization, rather than just its servers and workstations, this is a good angle to highlight.
Once again, though, be careful to avoid building a sand castle.
3) Inflation Model - “The value of a countermeasure just isn’t what it once was.”
In the Real World, old things like gasoline or movie tickets get more expensive and new costs like cell phones arise.
In the wider world of IT in general, the number of servers and applications keeps rising. The cost and complexity of the technologies required to run a modern business keep rising. The amount of data being stored, and the cost of securing that data, also keeps rising. Why wouldn’t the costs of securing all that stuff keep rising as well?
This is also true in the Security World. Other than commoditization of specific products like anti-virus, security isn’t getting any cheaper. New threats continue to arise, which in turn require new countermeasures, none of which are free. Keeping up with all these systems now requires Security Event Management (SEM) systems to aggregate and report on it all, and SEM’s aren’t free either.
There are now so many applications within the average enterprise that an Identity & Access Management solution is needed just to keep track of who has access to what with enough accuracy to satisfy, say, the account management standards within the IT Control Objectives of SoX.
This approach plays well in a negotiation process. Just ask which current piece of the countermeasure puzzle the business thinks they can live without in order to fit the new one in. Then either be prepared to lose that piece or explain what risks will have to be accepted if they get rid of it. If the business picks something they really can live without, be ready to ditch the countermeasure. It will gain you credibility and solve the problem at the same time.
(I was hesitant to include this last one until Mish pointed out how many different ways the term inflation is used. This pretty much guarantees that I will be both right and wrong, depending on who you ask.)
These are far from the only ways to justify security spending. Much of that work isn’t even done formally. The key, really, is to get friendly with the business’ decision-makers. There are areas where they would love to have some help, but if they can’t accept the risk, they have to ignore it until there is a reasonable mitigation option on the table. These sorts of discussions can really only occur outside of any formal channel, though, so if you don’t have an informal channel with those people, opportunities will be missed and risk ignored unnecessarily.
—————–
Finally, I’d like to say thanks to everyone who’s been reading (and especially commenting!) through my first hundred Risk Management posts. Hopefully you’ll still find me worth reading for the next hundred and beyond.
Waterloo? Not exactly
In the current Alarmed column at CSO Magazine, Scott Berinato accuses the Information Security profession of failing to protect Corporate Management from themselves, calling it our “Waterloo” and, “the overwhelming defeat of security.”
Companies not only have failed to secure personal data, they can’t secure personal data. The range of technologies available today is in fact incapable of producing an acceptable level of security. The IT infrastructure that business runs on is so flawed, technically and socially, that nothing, no number of security products, can be slapped on post facto to secure personal data.
I agree with him here. It was an “overwhelming defeat of security.” But if he wants to pick a battle, I am still hopeful that it will turn out to be Security’s Battle of Dunkirk.
#2: It’s the risk, stupid!
When I looked for the tag, “Security” over at technorati, 1,902 posts from 417 blogs match this tag. When I looked for the tag “Risk Management,” only 33 posts from 8 blogs match this tag (the tag “Risk” by itself produces a bunch of boardgame fans).
I think this merits some consideration, since it says to me that the vast majority of thinking about “security” is occurring in a vacuum. People who talk about “upgrading from IDS to IPS” may be trying to secure their networks, but they’re not managing risk. And if they’re not managing risk, then they’re just playing with geek toys. The fact that it might make the environment safer is just a lucky side-effect.
The standard defense is, “Because it’s more secure!” I know since I’ve used it myself. Occasionally it was because I knew that the person with whom I was having the discussion couldn’t or wouldn’t understand my reasoning or there was a lot of technical nuance involved, but sometimes because I just “felt” that something was right, even if I couldn’t justify it.
In the modern corporate world, however, feeling that something will make a difference is not enough–it’s enough to serve as a starting point to real Risk Analysis, but it’s not a justification in and of itself. Somewhere, a security vendor’s salesperson is taking me off their Christmas card lists right now, but that’s the price I pay for speaking the truth ;-), which is, More security is not necessarily better.
#1: The firewall is, at best, a 20% solution
Think about how many laptops, smart phones, blackberries, PDA’s, flash drives, usb drives, cd burners, VPN connections, extranet connections, wireless Access Points (rogue or legitimate), modem lines, and various and sundry other things I’ve missed are inside the firewall, penetrate the firewall on a regular basis, or spend some time inside the firewall and some time who-knows-where. Finally, pile on the services people are accessing on the Web, via FTP, or whatever protocols are allowed through the firewall.
What does this mean? Network Security is no longer enough. If a user controls a resource, then it has to be assumed to be hostile, since the threat may come from either the user or the malware the device has probably picked up on its travels around the networked world. Even if the firewall is working, people keep taking their machines home at night, on trips, or elsewhere that Bad Things Happen.
I’ll provide some anecdotal examples just in case you think the situation doesn’t apply to your network.
Welcome to the Future
I spent three days last week in the 2005 Planning Meeting for my team (Architecture, Strategy and Governance). As you may have already guessed, I’m part of the Information Security team here. As we talked, I was struck by several fundamental changes taking place in Information Security. Some have already occurred but are still largely unrecognized. Others are coming and if we’re not ready, then the Incident Response guys are going to be staying busy for a long time to come.
Thus, I’ve created this category (“New Rules of Information Security”) to hold a series of essays, which I hope to continue and expand upon as insight permits.