Oct 11 2009

Still no simple solutions in security

Published by at 7:38 am under PCI,Risk,Simple Security

Richard Bejtlich had to take a couple of minutes yesterday to rant about someone who posted in a forum that we just need to protect the data.  Don’t we wish it were that simple?  Which form of the data is it we’re trying to protect?  At rest, in motion, encrypted, unencrypted, printed out, on your screen, at the POS, on the server, in the database, in the client’s or customer’s hands, etc., etc., ad nauseam.  The basic thought from the original commenter was that if we just protect the data itself, none of what’s going on in our network should matter, since the data itself is safe.  But as Richard points out, it’s impossible to separate the data from the servers and networks it lives on, and therefore ‘protecting the data’ just isn’t enough. 

Let’s use Heartland Payment Systems as an example: a piece of code on the servers that processed the cardholder data was compromised, and the data was being stolen in the brief window between when it was received over a secure connection and when it was encrypted.  No version of ‘protect the data’ could have worked here.  The data had to exist unencrypted for that moment; there is no way to take it out of the SSL session and put it into any other encrypted form without it passing through plaintext somewhere in the process.  Which is why the simple maxim of protecting the data itself is always going to break down at some point: in order to be usable, the data will always be in a vulnerable, unencrypted state somewhere.  And that is why we will always have the concept of defense in depth in security, and why we need overlapping security controls that cover for each other’s weak points.

There’s no one true way to data security.  Ask the physical security guys, who have centuries of history and lessons to draw from.  Every security measure has its weakness, no matter how small, and that weakness will be exploited at some time.  There aren’t simple ‘just do X’ answers in our chosen profession; it’s always going to be about making trade-offs between security, usability and resources.  Some security philosophies work better than others, but just as we have to layer security measures, we have to embrace a set of overlapping security philosophies.  Otherwise we’re just fooling ourselves and leaving blind spots for the enemy to exploit.
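To make the plaintext window and the overlapping control concrete, here is an added example in Python. It is not code from the original post and has nothing to do with Heartland’s actual systems: the `Processor` class, the `on_plaintext` hook that stands in for compromised code inside the process, the HMAC token that stands in for at-rest encryption, and the `egress_scan` monitor are all hypothetical, and the card numbers are constructed industry test numbers, not real cards. The point it shows is the one the post makes: transport and storage can both be protected and the data is still exposed in between, so a second, unrelated control (here, watching outbound traffic for card-number-shaped data) has to cover that gap.

```python
"""
Added example, not code from the original post: a toy model of the
plaintext window between TLS termination and encryption at rest, plus
one overlapping control (an egress scan for card-number-shaped data)
that covers the window. Every input below is constructed; the PANs are
industry test numbers, and the key is a demo value.
"""
import base64
import hmac
import re
from typing import Callable, List, Optional


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: the one structural property a PAN has that an
    egress monitor can test without knowing anything about the issuer."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class Processor:
    """Stand-in for the card-processing step. TLS is assumed already
    terminated (the body arrives decrypted) and the at-rest form is a keyed
    HMAC token (a stand-in for real encryption). In between, the PAN is
    plaintext in this process's memory."""

    def __init__(self, key: bytes):
        self._key = key
        self.stored: List[str] = []
        # Hook standing in for "a piece of code on the server was
        # compromised": anything running inside the process sees the
        # plaintext here, whatever TLS and at-rest encryption do.
        self.on_plaintext: Optional[Callable[[str], None]] = None

    def handle(self, tls_decrypted_body: str) -> str:
        pan = tls_decrypted_body.strip()                 # window opens
        if self.on_plaintext is not None:
            self.on_plaintext(pan)                       # the sniffer's view
        digest = hmac.new(self._key, pan.encode(), "sha256").digest()
        token = base64.b32encode(digest).decode()        # window closes
        self.stored.append(token)
        return token


PAN_RUN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def egress_scan(payload: str) -> List[str]:
    """Overlapping control: report Luhn-valid 13-19 digit runs in an
    outbound payload. Spaces and dashes are stripped first so that
    '4111 1111 1111 1111' is not a trivial evasion; the cost is a small
    false-positive risk when unrelated numbers sit next to each other."""
    compact = re.sub(r"[ -]", "", payload)
    return [run for run in PAN_RUN.findall(compact) if luhn_valid(run)]


def run_simulation() -> dict:
    proc = Processor(key=b"constructed-demo-key")
    stolen: List[str] = []
    proc.on_plaintext = stolen.append                    # compromised code in-process

    # Constructed inputs: two valid test PANs and one that fails Luhn.
    for body in ["4111111111111111\n", "5500000000000004", "  4111111111111112 "]:
        proc.handle(body)

    # Storage only ever holds tokens, so "protect the data at rest" held...
    at_rest_hits = [t for t in proc.stored if egress_scan(t)]
    # ...but the sniffer still has everything that crossed the window,
    # and the egress monitor is what catches it on the way out.
    outbound = "POST /upload cards=" + ",".join(stolen)
    return {
        "stolen": stolen,
        "at_rest_hits": at_rest_hits,
        "detected": egress_scan(outbound),
    }


if __name__ == "__main__":
    for name, value in run_simulation().items():
        print(name, value)
```

Note what the third input shows: the sniffer takes everything that crosses the window, including the value that is not a valid card number, while the egress monitor only flags Luhn-valid runs. Neither control sees the whole picture, which is exactly the argument for layering them rather than betting on one.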



6 Responses to “Still no simple solutions in security”

  1. Khürt L Williams on 11 Oct 2009 at 11:19 am

    I agree about having a set of overlapping security philosophies. But I think the focus has long been too infrastructure focused. The approach taken to security in the past has been to protect the infrastructure as though it was the only valuable bit. If you take the approach that my “magic soda formula” is valuable then the infrastructure will be built to protect that. The approach I see today is more network crap on top of more/better access and authorization crap.

    Seat belts, air bags, anti-lock brakes, traction control, crumple zones, guard rails, and the road surface are all designed to minimize risks to the valuable contents of the cars. None of it is designed to protect itself.

  2. Ron Lepofsky on 11 Oct 2009 at 3:15 pm

    Response to Still no simple solutions in Security:
    Khurt: Agreed that protecting all states of data is difficult. Perhaps a better result would be achieved by better managing authentication; specifically all aspects of identity management.

    In our experience, many companies, even medium sized, with only a few hundred employees, do not rigorously implement the basics in privilege management. I suggest all companies, with special emphasis on electronic transaction processors, create, implement, and rigorously enforce the management of users, privileges, and separation of duties in order to enforce appropriate privileges.

    Particular attention needs to be paid to third party users and their privileges. Two roles should be created in order to achieve success with this process: one individual to create/delete/monitor user names and privileges in a very timely basis, including auto deletion based upon pre-determined times; one individual or group with sufficient separation of duties to impartially verify the process.

    Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

  3. Martin on 11 Oct 2009 at 4:24 pm

    Part of the reason we have ‘network crap’ is because we’ve done such a bad job of clearly defining the tools we want to use to protect the network and just accepted what the vendors have fed us. But to your “magic soda formula” point, too often we as security professionals don’t even know what pieces of information are that formula and what’s just data.

    One of the things I love about being a QSA is that I get to see so many systems and experience the drek as well as the gold nuggets. The people I’ve seen who are most successful acknowledge that the data is what they’re trying to protect and build the network around it to be as secure as possible. The ones who are least successful are the ones who throw a bunch of tools at the data hoping one of them will catch a bad guy if he shows up.

    Richard is well known for his ideas on exfiltration. He concentrates on what’s leaving the network. He does a very good job of it, but he’d be the very first to admit that his expertise is just one more layer of protection. What’s got him (and me, to a lesser degree) up in arms is the thought that we can ignore those network protections and “just protect the data”. The two are intertwined and will continue to be.

  4. Rob Lewis on 12 Oct 2009 at 3:48 pm

    Hi Martin,

    When you say:

    “There’s no iteration of protect the data that could have possibly worked here. ….in order to be usable, the data is always going to have to be in a vulnerable, unencrypted state at some point”

    I would like to provide you with information for future consideration.

    Trustifier technology provides file level access control by digital separation of access privileges by authorized users at the OS kernel level.

    As you say, much data escapes the enterprise, either accidentally or intentionally, when it is in its unencrypted clear-text state being manipulated by the user with access. Trustifier enforces the rules that govern what can and cannot be done by the user, to any data, protecting sensitive information from either internal or external abuse, even in an unencrypted state.

    Trustifier’s additional controls allow it to be viewed as a protector of data in use, and as such, another layer of protection, and a much needed one according to your quote.

    There is also a good chance that with its mandatory access controls and sub-app level monitoring, Trustifier could have prevented Heartland from its breach in one of two ways. Depending on the attack plane of the malware and systems involved, the malware may have been prevented from owning the server(s) in the first place, due to its mandatory access controls and whitelist functionality at the system call level. The malware’s attempt to load itself may have been denied. Alternatively, by creating least privilege access rules (as Ron Lepofsky suggests) that are based on the business operational rules, the malware would not have been allowed to execute and send its payload home, if it was violating a business rule (which it obviously was).

    I think a better picture to paint is one of networks comprised of inherently secure computers as opposed to networks full of inherently insecure ones. Then one might have to deal with less network crap.

  5. Donald Johnston on 07 Mar 2010 at 6:36 pm

    I really like the question you raised about “Which form of the data is it we’re trying to protect?”. This really points out the need for “security in depth” which to me translates to the concept of “Information Security” … and by that I definitely don’t mean “we just need to protect the data”. We need to remember that information exists on paper, in microform, in our heads, and on technology (at rest and in motion) so if our security isn’t looking at how to protect all of this then we don’t have the security in depth we need.

    The security safeguards that we can put in place can be administrative, physical, or logical … (I use the acronym APL to help me remember this … like the old programming language!!).

    Administrative – policy, standards, guidelines, process and procedures with training and awareness (the people part of security);
    Physical – facilities, locks, secure areas, badge readers, guards;
    Logical – the technology, electronic systems, computers, USB sticks, networks.

    I’ve always felt that the best way to IT Security is through Information Security; you (the techies) are forced to understand the business needs and then IT isn’t viewed as “forcing security down our throats”.

  6. […] this sort of analogy starts to fall down, however is in the risk assessment. If the cleaner doesn’t turn up, then it’s no big deal. If […]
