Security Theater?
I was recently reading an article in Vanity Fair, http://www.vanityfair.com/culture/features/2011/12/tsa-insanity-201112, which got me thinking... I know I don't usually think.
The article is written by a journalist who is accompanying Bruce Schneier (Security God) through an airport while using a fake boarding pass that he has created under Bruce's instructions. You will have to read to the end to see what happens :)
He begins to question a lot of the security measures that were introduced after 9/11, but his ire is really focused on the Transport Security Administration (TSA, responsible for the protection of transportation systems in the US).
From the article:
“Since 9/11 the US has spent $1.1 Trillion on Homeland Security… the great bulk of the post-9/11 measures to contain (terror) are little more than what Schneier mocks as ‘security theater… actions that accomplish nothing but are designed to make the government look like it is on the job.’”
This notion of security as theatre reminds me a lot of IT security, where you have two main types of thinking. The first type: I must be compliant, so I will check a lot of boxes without any real regard to the risk. The second: spend vast amounts of money on every point product under the sun in the hope that this makes you more secure.
Both of these are quite similar to how Schneier speaks about the TSA. Window dressing at best, with no real regard to the actual risk they are trying to mitigate. “The only useful airport security measures since 9/11,” he says, “were locking and reinforcing the cockpit doors, so terrorists can’t break in..." whereby the risk of terrorists breaking into the cockpit was mitigated!
Now when it comes to Information Security we are very similar to the TSA, addressing the perceived risk while paying no heed to the actual risk. According to Gartner, 90% of security investment is focused on protecting the network, things like IPS, IDS and network firewalls, while 75% of the actual threats are application based.
This statistic was borne out during 2011. If we take a look back at all the headline attacks last year, they all have one thing in common... They were all application-based, something that traditional network-based security missed. So the 90% of the investment has failed to mitigate the risk. This obviously was not always the case, but as the network was made more secure the attacks moved up the stack.
· CitiBank Breach - Parameter Tampering - resulting in credit card info being stolen
· Sega Corp - SQL Injection - 1.3 Million users’ personal details compromised
· Sony - Unpatched Apache server, App DDoS and Brute Force - Personal information of a large number of Sony PSN users
· FBI affiliate Infragard - SQL injection - Email passwords and state secrets compromised
· Malaysian Government - DDOS - sites taken off the air
You get the idea. All these were application attacks. Do you think for a second that any of these companies did not have network firewalls, IDS, IPS? I bet you they did, but these network security measures are simply unable to mitigate these attacks. Similarly, traditional firewalls do not have the resources to mitigate a modern DDoS attack. It is not about throughput but more about the context of the connection, the number of connections, etc.
This is really where an application delivery controller comes into its own. It understands the context of the traffic and what the session should be doing. It sees more than a source and destination IP but knows that a user is at the other end and how that user is interacting with the application. It knows when a special character is permitted but can block them otherwise etc.
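As an added example (not code from the original post), here is a small positive-security check in Python that captures the kind of per-field context the post attributes to an application delivery controller: the same apostrophe that is legitimate in a surname is rejected in a numeric account id, and an account id that differs from the one bound to the user's session is flagged as parameter tampering. The route policy, field names and session binding are constructed assumptions.

```python
import re
from typing import Dict, List

# Hypothetical positive-security policy for one application route (constructed example).
# Each parameter carries the context a network firewall never sees: which characters
# are legitimate for *that* field and how long the value may be.
POLICY = {
    "account_id": {"pattern": r"[0-9]{1,12}", "max_len": 12},
    # An apostrophe is normal in a surname (O'Brien), so it is permitted here ...
    "surname":    {"pattern": r"[A-Za-z][A-Za-z' -]{0,59}", "max_len": 60},
    # ... while angle brackets are never needed in a free-text comment.
    "comment":    {"pattern": r"[^<>]{0,500}", "max_len": 500},
}


def check_request(params: Dict[str, str], session_account: str) -> List[str]:
    """Return a list of findings for one request; an empty list means it passes.

    session_account is the account id the server bound to this user's session
    at login (assumed to be available from the session store).
    """
    findings: List[str] = []
    for name, value in params.items():
        rule = POLICY.get(name)
        if rule is None:
            findings.append(f"{name}: unexpected parameter")
            continue
        if len(value) > rule["max_len"]:
            findings.append(f"{name}: length {len(value)} exceeds {rule['max_len']}")
        elif not re.fullmatch(rule["pattern"], value):
            findings.append(f"{name}: value does not match field grammar")
    # Parameter tampering: the account id in the request must be the one
    # bound to the session, regardless of how well-formed the value looks.
    if "account_id" in params and params["account_id"] != session_account:
        findings.append("account_id: does not match the account bound to this session")
    return findings


if __name__ == "__main__":
    # Constructed sample requests: a legitimate one, then the same apostrophe in the wrong field.
    print(check_request({"account_id": "123456", "surname": "O'Brien"}, "123456"))
    print(check_request({"account_id": "1' OR '1'='1"}, "123456"))
```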
I think you get the picture. We need to refocus our efforts against the new and not so new. It’s about the application stupid!
What happens to the journalist with the fake boarding pass? Well, nothing; he walks through security with his 100ml liquids in a plastic bag!
On a side note, Happy Birthday SQL injection, it is 13 years old this year. So this is really nothing new!