NEW YORK — Current enterprise security practice is governed by myths rather than actual data, by reflex instead of logical processes, said Verizon Business’ Dr. Peter Tippett, founder of ISCA Labs, which is now part of the company’s Cybertrust division.
He spoke to an audience composed mostly of members of the military and of security research organizations at educational institutions at the Cyber Infrastructure Protection ’09 (CIP 09) conference at the City University of New York (CUNY). (In part 1, Tipplet discussed how network managers who know their network can block most attacks.)
“I think there’s no science in Information Science,” he said. “It’s mostly engineering.”
He said that the experience of the aviation industry shows that science can do more for safety than engineering.
He claimed that air travel is 5,000 times safer than it was 50 years ago. “People assume that’s because we’re flying 737s instead of DC-3s, but there are DC-3s in use today and they are 500 times safer.”
He said that accumulated data rather than technological innovation has been crucial to safety. “Technology has improved safety 10 times, and processes have improved it 500 times. People still die if the plane flies into a mountain, but we surround the process of flying with hundreds of things that make it less likely that the plane will fly into a mountain.”
With the publication of the Verizon Business Data Breach Investigations Report detailing actual investigations into 90 security breaches, Tippett argued that he has data that can be applied to the discipline of enterprise security to make it safer.
“The NTSB investigates crashes and we investigate breaches,” he said. “We investigate 30 percent of all the breaches discussed on forums like AntiOnline.”
Passwords are a case in point, he said. “While a longer password may protect a single computer better, it is not better on a network. If you only get to guess the password three times before you’re locked out then the hacker won’t even guess what college football team you’re using for your password.”
He added that in a network of 10,000 computers, a hacker could guess 80 percent of five character password in the first hour or two, compared to 20 to 30 percent of nine character passwords.
“Is your network better off if 2,000 computers are compromised instead of 8,000?” he asked.
Patching Is Never Urgent
He attack another security tenet: the concept that patching must be immediate and is always urgent because machines exposed to vulnerabilities will be attacked. He noted that patching schemes prioritize critical flaws, which allow an attacker to take over a machine, but said that in the cases that Verizon Business investigated, none used zero-day attacks and that in fact only 3 percent of flaws in applications are ever used anywhere.
“Most attacks strike the less critical vulnerabilities rather than the critical vulnerabilities,” he added.
He also noted that while botnets were not involved in placing malware on business networks in the breaches the report covered, some were used to scan networks for vulnerabilities.
“There is no linear improvement to security as you improve the patch rate,” he said. “Many companies go way past the asymptote, spending $10 million each year more than they have to.”
Instead, companies could be focusing on other things that they don’t do well today.
“Here’s something that takes three minutes (or 15 minutes if you’re doing it the first time). Cut and paste your usage log and create an egress filter on your router. It will reduce the likelihood of a successful attack on your business by 80 percent and it’s free. We’ve been saying this for two years and 2 percent of the businesses we talk to are doing it even though it could reduce the chance of an attack five-fold.”
He added that the problem is that security professionals believe that every layer of defense must be perfect, and are unwilling to implement measures that reduce threats by a percentage. “This is not a binary thing. Attacks are analog. A cheap firewall that reduces threats by 50 percent is good,” he said.
Tippett said that many organizations might implement three security measures, each 90 percent effective and each costing $100,000. If the risk is worth $10 million, the first measure, which brings the risk down to $1 million, is well worthwhile. The second measure, which brings the risk down to $100,000, is still worthwhile. But the third measure costs $100,000 and delivers only $90,000 in benefits.
“For the third measure, you may be able to spend $50,000 and get an 80 percent risk reduction instead of 90 percent,” he said.
Control Remote AccessHe said that instead of patching continuously, companies should spend more on controlling remote access. “Many organizations spend over $10 million each year protecting their critical applications but they spend less than $100 each year looking for PCAnywhere where it shouldn’t be. They should spend more on that.”
Another reason why patching failed is that the systems that were compromised were those that were never patched. On average, a patch had been available for two-and-a-half years for vulnerabilities exploited in breaches covered in the report.
“Often, the criminals got to a non-critical system like HVAC. But they didn’t want to turn the heat up and down, they wanted money. So they installed a keylogger and scanner and trojan and infected other systems from there,” said Tippett.
Even the big picture suggests that spending is poorly allocated. “Thieves got 99.9 percent of their data from servers and 0.01 percent from end user systems, but enterprises spend about 50 percent of their security budget on endpoint security,” he said. “They should spend more of it on server security.”
“The cause is a problem I call WIBHI, for Wouldn’t It Be Horrible If,” he said.
He added that it explains laptop encryption. He said that we encrypt laptops not because it will protect them better (passwords are good enough for that) but because we don’t have to report a breach if the laptop was encrypted.
He said that enterprise users have three choices in laptop encryption: file level encryption, which is free; post-boot encryption, which is somewhat expensive; and pre-boot encryption, which increases the boot time of a laptop by almost five minutes and results in blue screens.
Many enterprises use pre-boot encryption because of an attack on post-boot encryption that was demonstrated a year ago. Tippett pointed out that since the attack involves extracting the data from RAM that has been frozen, it is not a common scenario and for most companies (not for his military audience, perhaps), file level encryption should be sufficient and should also make users happier.