An interesting aspect of human behavior is the tendency to fear, sometimes irrationally, the unknown, the unthinkable, and the uncontrollable, while having only limited fear of threats we understand or control. The classic example is the fear of flying versus driving, even though driving causes a significantly higher casualty and death rate. Schneier and others, both inside and outside the security industry, have observed the same pattern repeated in the way we respond to and analyze threats, and in how we implement controls. The terrorist attacks of 9/11, the attempted shoe-bombing, and the liquid explosive plot uncovered in London have largely driven the TSA to add physical and detective controls: greater scrutiny of passenger materials, especially anything of a gel or liquid consistency, and of shoes, even flip-flops. Whether this has deterred attacks is debatable, but what is clear is the agility of malicious actors in bypassing traditional controls by changing their patterns of behavior. Once the pattern a control looks for can be determined, the terrorist can bypass it. If taking liquid explosives onto a plane is difficult, why not solids, like blocks of cheese? If airport security is tight, why not attack a train? In Scotland, controls were implemented that only allow certain vehicles into certain areas, yet a Jeep Cherokee filled with fuel was able to bypass the control by following another vehicle in, and the result was a fireball at the doorstep of Glasgow airport. This is all scary stuff, but the average person is far more likely to die in an auto accident, be a victim of random street crime, or have their life turned upside down by human error. Yet we fear and demand security against the unknown and uncontrollable, and accept the known as part of life.
Security must be agile: we must be able to adapt quickly to changing threats, and we have to be careful to balance securing against the unknown with securing against the known. Zero-days are scary, yet they are relatively infrequent compared to the thousands of known vulnerabilities organizations face annually. We certainly need to adapt to zero-day threats, but we can't do so at the expense of security against the more frequent but less exotic Microsoft or browser vulnerabilities. What's scary is that most organizations, even after years of dealing with vulnerabilities, still have not implemented effective vulnerability management programs (here), (here), and (here).
As I am attending BlackHat/Defcon, I am on the lookout for fear, irrational and rational. Claims of 100% undetectable hypervisor rootkits will be tempered with detection mechanisms, making them nigh-undetectable or very detectable; who knows. It sure is scary to think about a 100% undetectable anything, compared to some random data leakage due to a stolen or lost laptop, or some user downloading porn or stealing music and creating a backdoor for major ownage. But guess which ones are more likely to affect your environment, and which ones you really need to implement controls against today.