Thursday, January 26, 2012

Is Network Security an Oxymoron?

As recent events have clearly demonstrated, no matter how highly-defended a network is, someone will find a way to penetrate it. If RSA and Symantec can’t keep intruders out, and APTs (an euphemism for Chinese-sponsored attacks?) continue to plague public, private, and government systems, what hope is there?

Remember PPT—people, process, and technology? We can throw technology at the problem and achieve middling success. If we are eternally vigilant and paranoid, we may realize great success. But what about people and process?

Despite comprehensive signed policies and awareness training, users still click on email attachments or embedded links, and willingly provide their user IDs and passwords to people calling from tech support. And this is without the burgeoning BYOD and BYOT problem. Who know what users are introducing to the network when they connect their USB drives, tablets, and smartphones to their desktops?

What’s the solution? Jim Tiller, now Head of Professional Services, Americas at HP Enterprise Security, suggests that regulations and compliance, and now insurance, are trying to do what PPT couldn’t. He thinks that government has accepted that because we have been doing hasn’t worked, then increasing the regulatory burden will. So, has network defense become notification and remediation once an organization has become compliant? Yes, it’s a loaded question.

Under this scenario, security becomes strictly a cost/benefit analysis. If the cost of an intrusion is, say, $1 million to cover notification and remediation, and the cost of preventing the intrusion is $1.5 million, then an organization would decide to accept the risk of an intrusion rather than take actions to prevent it. And now that an organization can obtain insurance, the insurers will determine the risk, instead of using the standard infosec risk formulas.

Assuming the organization was compliant with all regulations, then it’s done all it’s required to do to protect its network and information. It no longer has to compete in an ever escalating arms race against hackers of all ilks, from privately to government sponsored.

Of course, an enterprise could simply disconnect critical systems and employees from the Internet, which would prevent intrusions from the outside, but do little against insider threats. (It still amazes me that SCADA and other ICS are Internet-facing, and that things will inevitably get worse as M2M and the Internet of Things creates more points to attack.) As Jim concludes, efforts to protect and defend networks won’t go away, but response may well take precedence.