Regarded as the "Nostradamus" of IT security, Marcus J. Ranum created the first commercial firewall and has designed groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. In this feature, Ranum discusses the security scandals that weren't.
Thank goodness I'm not a gossip columnist! Those guys have to deal (sort of) with the world as it is, rather than as it should be. Here, I get to decide what should have been news-worthy (but wasn't) or to rewrite history a little bit based upon the impact of tiny little events that everyone overlooked. Better still, I get to point and say "you should overlook that one!" Without further ado, then, here are some of the important stories from 2008:
The great Georgian cyberwar
This was the big non-event that got headlines in 2008. Similar to the great Estonian cyberwar of April, the great Georgian cyberwar proved, once again, that cyberwar pundits are shameless.
A bunch of DDoS (distributed denial of service) attacks, launched by a non-government-affiliated hacker, were able to seriously degrade government websites. Last time I checked, getting slashdotted could do that, too.
Here's a news tidbit for you: it's not a "cyberwar" if it was launched by geeks who live in their parents' basement.
What can we learn from this important experience? This: denial of service attacks remain a problem, and should be considered if you're running a public website, especially a government one.
Secondly, if you're hosting a critical service, it's important to understand where your upstream connectivity comes from. Is any of this new news? Lastly, there is a huge difference between "nationalist-inspired hackers" and agents of a hostile government.
The Hot and Not List
What's going to be hot in the next couple of years? Here are my top picks, and what they mean.
Virtualisation is going to change the landscape of... Not much, really. Instead of regular insecure servers, now we'll have virtual arrays of insecure servers. Virtualisation will, however, allow us to realize how much progress we still need to make in automating system administration, and how many organizations are woefully deficient at change control and revision management. Eventually, someone will realize that good system administration equals good server security; can we hope that virtualisation is what will push that breakthrough?
Vulnerability Disclosure: Not hot
I was shocked to see that vulnerability disclosure remains a hot topic for some. It must be that people are still cashing in on finding flaws in commercial software. Or, are they doing us all a really big favour out of the kindness of their hearts? I forget which it is, this year.
Our Runtime Environment: Not hot
Whether you're a Mac, Windows, or Linux user, our runtime environment is crawling with malware and the answer from the vendors appears to be "since no single anti-virus/anti-malware tool works 100%, use several and hope that one gets it." Does that inspire confidence? No? Me either. The battle to preserve control over our runtime continues in 2009 and, based on the past, I can predict another string of defeats. So, 2009 is going to look a lot like 2008. Why? Because we continue to insist on a 'click to run (anything)' environment, and software of abysmal quality. Happy 2009!!!!
Software security by design
Remaining on my list since 1987, software security remains the "good idea that just works" that everyone is going to try only after everything else fails. Use solid design principles to build our next-generation software? What, are you kidding? The computer security world, and the software industry in general, remains stuck in the land of "penetrate and patch".
There's an old saying about making silk purses out of sow's ears. Here's a hint for the industry: start with silk. It is vastly more expensive to start with something buggy and mediocre that you attempt to patch into goodness than it is to start with something.
In 2008, several federal agencies (most notably, the CIA and FBI) rushed to accuse China of sponsoring cyberattacks against US corporate and government assets.
What was remarkable about these accusations was the dearth of evidence that went along with them. It's not 2001; if you're going to accuse a sovereign power of launching orchestrated attacks, you're going to need a smoking gun or two along with it. Which brings me to the real questions that we should be asking: "Why are your networks still so darned permeable?" and "What do you mean, 'you lost 10 terabytes out through your firewall and only just now noticed'? Don't you have logs?"
Did I mention that there is a huge difference between "Nationalist inspired hackers" and agents of a hostile government?
PCI compliant site gets hacked! PCI is a failure
I've seen several security practitioners point toward FISMA and PCI, and the fact that PCI-compliant sites still periodically get hacked, as if that somehow proves something. PCI is a laundry list of security design features that could reasonably be retitled "The credit card industry's list of computer security stuff you should have been doing all along." It's not some magic elixir that, when drunk, is going to protect your networks.
Security practitioners have been saying for decades, "It's just hard work and attention to detail." PCI covers only a few useful details. That said, look for an onslaught of PCI clones. Failure is an orphan but success has many proud parents. PCI has, so far, been the single most important thing to hit information security; there will be a lot more private-labeled standards in the works.
Blip - SCADA - Blip
Supervisory Control and Data Acquisition (SCADA) systems remain a blip that appears on security practitioners' radar screens. One second, it's there, the next, it's not. Yet anyone who's looked at production process/control networks usually comes away shaken and sweating with terror. Yes, we're (still!) hard at work securing our Internet-facing networks but, maybe, if we just throw a firewall between our production networks and our mission-critical networks, it'll all be OK. Won't it?
Spyware/malware makes transitive trust a severe problem for "isolated" networks. If your "isolated" network is not 100 percent disconnected from other networks, it's not "isolated."
So, that's the list. Does any of it look familiar to you? A lot of it should: these are problems that we security practitioners have been dancing around for decades.