The 11 Worst Ideas in Security

Now of course it would be easy to slap the hide of NAC, IDS, and DLP technologies, but why kick something when it is down, besides we have Stiennon for that (here)…so I give you the 11 worst ideas in security, presented in far less a grumpy format than Ranum’s 6 dumbest ideas in security (here), and of course I kicked it up to 11…

11. Security Industry and Market Analysts (I am become analyst, the destroyer of markets)

Those bastions of knowledge, defenders of the objective faith, and creators of 2-page, in depth, market analysis reports. They don’t actually analyze security they analyze the security market, they say cool things like “By the end of 2007, 75% of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses.” and come up with amusing names and acronyms, (did you know that NBA – Network Behavior Analysis – was at one time called NADS – Network Anomaly Detection System – you can imagine the fun Gartner could of had with an overview of the NADS market). I spent years as an analyst myself and I loved my time, but I will always regret that analysts never actually test, demo, or even interact with the technology they so confidently and assertively write about.

10. Microsoft CPAV (Central Point Anti-Virus – when turning it up to 11 is 10 too many)

Many of you may not remember that Microsoft used to ship an integrated AV product – CPAV (Central Point Anti Virus) CPAV = total suckage. It was a simpler time, malware consisted of threats like the stoned virus (infect the computer, make it look droopy and display a “your computers stoned” message) and you really didn’t need quality, but you did need something that didn’t completely impact user productivity, suck all the computing resources, and disrupt other services – ah the good old days.

9. The Vulnerability market (what can I get for $.63?)

What happens if you create a market and no one buys? Nothing, but a whole lot of complaining from a whole lot of grumpy researchers about how no one takes security seriously and what a thankless job it is to break someone else’s software and then not be showered with accolades when you present them with the data that their software is broken.

8. Scan and Patch (The never ending hamster wheel of late nights and working weekends)

The security group will scan the environment against a database of known vulnerabilities and then harass, scare and guilt-trip the operations team into actually fixing something – it is also referred to by Philip Roth as the Jewish Mother process. This never-ending, reactionary, ad-hoc, false-positive laden, non-environmentally aware, slow, cumbersome, disruptive, snapshot in time approach equals = effectiveness fail. I have written about this before (here)

7. PKI (Easy to deploy, manage, and administer – oh, wait, whoops, never mind)

Quick Story: When I was with McAfee we acquired PGP, as part of the acquisition the McAfee IT department attempted to roll-put PGP encryption. It was a total fail. It was never properly deployed and the IT folks just gave up and moved on to some other important project, like getting their hands on some cool network sniffers. At the time I thought Wow we own this crap and can’t deploy it, how the hell will the people we sell it to – it would require like a ton of bureaucracy and an army of civil servants to be successful, and this is why the federal government loves PKI.

6. Security Through Obscurity (These are not gur qebvqf lbh are looking for – guess how I cryptoed that)

Frphevgl guebhtu bofphevgl qbrfa’g jbex…crbcyr jvyy nethr gung vs lbh anzr lbhe FFVQ fbzrguvat yvxr AFN Abqr, ab bar jvyy oernx va – OF, be vs lbh pnyy lbh Jvaqbjf obk SerrOFQ, be qvfnoyr inevbhf UGGC cbfg erfcbafrf gung lbh ner fnsr – jebat, lbh’er whfg na vqvbg =)

5. WEP (French encryption – it surrenders in minutes)

What is worse than no security? ineffective security that doesn’t work – WEP is like putting up an aluminum foil door and pretending that no one can break through it – far better to just not have a door and know it – really not a lot more to add.

4. Signature-based AV (Design fail – only works if there is parity between sigs and viruses)

Signature based AV isn’t protecting anyone anymore (here), it certainly wasn’t providing any protection against spyware or some of the nastier threats that have popped up recently. It didn’t stop blaster, or sasser, or slammer, it did nothing to help choicepoint, or the VA or the orgy of disclosure we have all become numb too. It was running happily along, updated and content on my mom’s machine when it turns out her Windows XP box was infected with some pretty nasty bits. The real problem though is the sheer volume of malware that one needs to create a signature against – and wha does one do with a 5 million signature dat file – no wonder every time Symantec runs an application dies

3. The Vulnerability Disclosure Debate (good, bad, good, bad – who gives a crap)

There was a time when I had some passion for htis topic, right or wrong I had an opinion and was looking for responsible disclosure (here). I have come to realize that a. It really doesn’t matter and b. those with malicious intent are far less concerned with silly disclosure debates than those fighting the good fight. The vulnerability disclosure debate is the security’s equivalent of Britney Spears – no matter how bad it gets, you can’t help but be curious.

2. Passwords (2Chr177xh0ff)

Passwords suck (here), they are cumbersome, difficult to manage, prone to attack and require continuous care and feeding – they also aren’t terribly effective, but they are the best we can do with what we have, so remember choose wisely and don’t feel like less than a man simply because you have to use a password manager, everybody needs a little assistance now and again.

1. Security Vendors and the VC’s that love them (The root of all security evil)

The goal of the security industry is not to secure, the goal of the security industry is to make money. I think we all know this conceptually, and even with the best intentions in our capitalistic society we must understand that security companies are motivated by profits. This isn’t necessarily a  bad thing, but it should help to dispel the myth that security companies are smarter than hackers, they aren’t, they are just  smarter than the buyers – from (here)

22 thoughts on “The 11 Worst Ideas in Security

  1. GREAT post! Concise and spoken like a person that actually has to deal with the mess vendors and analysts make when they get 5 minutes alone with the CIO. We need to bring common sense back to security (if it was ever there to begin with) and thinking like this is a great way to spread the message. Thanks!

  2. Thanks Dan,

    Analysts are a technology tax, and vendors are the carnival barkers and snake oil salesmen of the new age – oh the joys of being in security these days =)

  3. Thou doth slam the vendors to adroitly Amrit. Without delving into commerce, Adam Smith, Von Hayak, the Chicago school, etc. just what do you think vendors are supposed to be motivated by? Fixing the Microsoft created system of vulnerable machines we have out of the goodness of their hearts?

    Every new security vendor starts with a bright idea from a bright inventor. He (or she) goes “wow, this is a problem, I think I can fix it”. But why should that person quit their job, get others to join him, do some hard work, and introduce a product if not to make some money?

    The only reason we have functioning networks, servers, desktops, and cell phones today is because of the products maintained by those security vendors you are so ready to slam.

    A vendor might be able to sell a couple bad products but it would not be raking in profits if its products did not solve some problem for its customers. The very existence of successful vendors attests to their value. The littered road side of failed security vendors attests to the reward for failure.

  4. @Stiennon

    Give me a break dude – I am well aware of the economic influence on innovation, but I am also acutely aware of the negatives as well.

    Also the presence of profits does not mean that te product is good, nor the company devoid of malice – Enron anyone, the 1980’s Hyundai – how about Symantec ESM pre-version 5.5? Anything that Cisco sells will gain 30-40% market share simply because they can bundle it in – doesn’t mean the product is valuable – so no the success of a vendor does not mean the product is good, it could mean that they have excellent marketing, a gtreat channel program, exploitable market conditions, perhaps a dynamic of FUD – remember 2004 compliance drivers, how about worm attacks just before that, DDoS attacks, all these drove profit for many companies but in the end the products were crap and the market corrected – unfortunately in the meantime the average IT person was slapped silly with hype cycles, MQ, waves, and other ridiculous views of the time that forced one to think – yes I do need an IPS, some NAC, an anti-spyware solution because some ex-Gartner dude told me to buy it 😉

    Btw – It is interesting that in the US we think that money is the only motivator, if that were the case there would be no doctors, lawyers, teachers, scientists, or innovation in countries that do not practice commercialism or a free-market economy. Sure Russian scientists were awarded a certain amount of freedom compared to say a Gulag torturer, but the pursuit of truth, innovation, and solving a significant problem is not only driven by money.

    OK, now let me turn this around and say that money can inhibit innovation – large companies, especially security companies, do not really innovate – it is too costly to the bottom line, so they wait from some small start-ups to address a new problem, then start to acquire them for pennies on the dollar

  5. Pingback: TechBuddha - Why We Pay Attention To Amerit Williams

  6. I think Ranum’s article addressed to a great degree the historic omission of security from information systems design that gives rise to the information systems security problems we are experiencing in today’s networked world.

    Your list is an interesting snapshot of the shambles that has evolved due to that fact.

    I find it quite interesting to look on the number of “poseurs” (more french) that present the same security model re-inventing itself over and over (more Ranum), as something of value to customers.

    This pattern is what is repeated with start-ups addressing new problems, money or not. Why are they not focusing on the oldest problem? The security industry is simply incapable of innovation because they have chosen a path that is incable of success.

  7. Pingback: Happy Two-Year Anniversary | tssci security

  8. Pingback: Network Security Blog » It’s a bad idea to encourage Amrit

  9. Pingback: What we’re reading, week of 8/25 « VPN Haus

  10. 6. Security Through Obscurity:

    Nice use of Caesarian cipher!

    6. Security Through Obscurity (These are not the droids you are looking for – guess how I cryptoed that)

    Security through obscurity doesn’t work…people will argue that if you name your SSID something like NSA Node, no one will break in – BS, or if you call you Windows box FreeBSD, or disable various HTTP post responses tht you are safe – wrong, you’re just an idiot =)

  11. I can see where you’re coming from with commercial motivation for profit seeking companies like Symantec or McAfee, but what about the Open Source movement? Surely not everyone involved with these projects are manipulating the market place to further their own endeavors. Some people are actually crusaders for the common good, albeit few and far between.

  12. Passwords may suck, but like democracy, they’re currently better than any of the other alternatives. Compromised SSH key files have resulted in the loss of integrity of vital RedHat servers recently, and there is no alternative technology that is both widely deployed and very-low-cost.

  13. Hey Angus,

    Agree there is currently no widely applicable, viable and cost effective solution, but the lack of an alternative does not negate the suckiness of the present solution

  14. Hey SecurePuter,

    There are also those who work in commercial software that are crusaders for the common good, like with most things there is many shades of gray between the black and white and peoples motivation is a huge area of gray.

  15. Pingback: The 7 Greatest Ideas in Security « Amrit Williams Blog

  16. 6.Security Through Obscurity

    Would people easily identify that encryption or would you have to send it through random decryption software, I am Novice

  17. @Humble

    Rot 13

    ROT13 (“rotate by 13 places”, sometimes hyphenated ROT-13) is a simple substitution cipher used in online forums as a means of hiding spoilers, punchlines, puzzle solutions, and offensive materials from the casual glance.

    ROT13 has been described as the “Usenet equivalent of a magazine printing the answer to a quiz upside down”.[1] ROT13 is a variation of the Caesar cipher, developed in ancient Rome.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s