Wednesday, December 28, 2011

Security is about Infrastructure

When I began in computers it was really fun. I was hired as a "boy genius" at IBM Research. We had the best toys. I had my own IBM 650. I was paid to take it apart and put it together again. How great is that? I got to work with Dr. Albert Samuels who was programming the IBM 704 to play checkers. My colleague, Dick Casey, and I programmed the 650 to play Tic-Tac-Toe. We had to use it on third shift but we even had a third of an IBM 705 where we installed the first Autocoder in Poughkeepsie. I drove my transistor radio with a program on the IBM 1401.

That was just the beginning. For fifty years I have had the best toys. I have three PCs and a MacBook Air. I am on my fifth iPhone, and my fourth iPad. I carry my fifty years of collected music and photographs, an encyclopedia, a library, and a dozen movies in my pocket. It just keeps getting better. It is more fun than electric trains.

One of my favorite toys was the IBM Advanced Administrative System, AAS, five IBM 360/65s and a 360/85. It was so much fun that I often forgot to eat or even go home at night. However, on AAS one of my responsibilities was to manage the development of the access control system. It was great fun to do and fun to talk about. Serious people came to White Plains to hear me. I was invited to Paris, Vienna, Amsterdam, London, Helsinki, and Stockholm to talk about my fun and games, about how we provided for the confidentiality, integrity, and availability of our wondrous system.

However, as seems to happen to us all, I grew up, and finally old. My toys, fun, and games became serious. Some place along the way, most of the computers in the world were stitched together into a dense fabric, a network, into a world-wide web. While still entertaining, this fabric had become important. It supports the government, the military, industry, and the economy.

Without any plan or intent, driven mostly by a deflationary spiral in cost and exploding utility, the fabric had become infrastructure, part of the underlying foundation of civilization. It had become peer with water, sewer, energy, finance, transportation, and government. Moreover, it had become THE infrastructure, the one by which all of the others are governed, managed, and operated.

We build infrastructure to a different standard than toys or anything else that is not infrastructure. Infrastructure must not fall of its own weight. It must not fall under the load of normal use. It must not even fall under easily anticipated abuse and misuse. In order to prevent erroneous or malicious operation, the controls for infrastructure are reserved to trained operators and withheld from end users.

No special justification is required for this standard. The Romans built their roads, bridges, and aqueducts such that, with normal maintenance, they would last a thousand years. And so they have. The Hoover Dam and the Golden Gate Bridge were built to the same standard. With normal maintenance, and in the absence of unanticipated events, they will never fail. (They may be decommissioned, but they will not fail.) No one quibbled with Henry Kaiser over the cost or schedule for the dam.

However, our fabric was not driven by design and intent but by economics. No technology in history has fallen in price and grown in power as fast as ours. While we tend to think of it in terms of its state at a point in time, it continues to grow at an exponential rate. Its importance can hardly be appreciated, much less over-stated.

Given the absence of design and intent, it is surprisingly robust and resilient. While not sufficient for all purposes to which we might wish to put it, it is sufficient for most. With some compensating design and intent, it can be made sufficiently robust for any application.

One word on "easily anticipated abuse and misuse." On September 12, 2001, what could be easily anticipated had changed forever.

As security people, we are responsible for the safe behavior, use, content, configuration, and operation of infrastructure. As IT security people, we are responsible for the only international infrastructure, the public networks. As users, we are responsible for not abusing, misusing, or otherwise weakening it.

Note that ours is the only infrastructure that, at least by default, contains weak, compromised, or even hostile components and operators. It is the only one that, by default, has controls intended for the exclusive use of managers and operators right next to those for end users. Our infrastructure also, by default, connects and exposes the controls of other infrastructure to most of our unprivileged users. It is our job to compensate for and remediate these conditions.

Our roles, responsibilities, privileges, and special knowledge give us significant leverage over, and responsibility for, the infrastructure of our civilization. Everything that we do, or fail to do, strengthens or weakens that infrastructure. That is why we are called professionals and are paid the big bucks.

Thursday, December 15, 2011

Security is about Efficiency

For the first thirty years I was in the computer security business, I often wondered what I was doing. I didn't have a product or a service. I did not have a customer. The computer was so sparse that it was not even important. Was I making a difference?

Part of me really wanted to go back to project management at which I was better than the average bear. The projects might not have made an existential difference but I knew that I had done them well. Satisfying.

Even today, I get discouraged. When I look at health care and see that safety and privacy are being used as an excuse not to automate health records, I get discouraged. When I look at the payment card industry, I get discouraged. When I look at SCADA, I get discouraged.

When I read about on-line banking being used to rip off another small business, non-profit, or municipality I get angry. I get angrier still when the courts and the regulators permit the banks to escape their fundamental responsibility to ensure that all transactions are properly authorized.

I have the good grace, not to say good sense, to be chagrined when I hear that another enterprise has been completely compromised because a user clicked on an obvious bait message, or even an artfully crafted one.

I am sad when I see that High School Harry Hacker has grown into the organized criminal of the day and is being recruited as a spy by governments all over the world. I am shamed when so-called "security researchers" publish exploits for obscure vulnerabilities rather than work-arounds for those that are being actively exploited. I am shamed when rogue hackers identify themselves as "security consultants" and claim that they are just trying to be helpful, just doing what security people do.

I feel a sense of failure when I see that US government security, the best in the world for decades, has all but fallen apart: that it mis-classifies, under-vets and under-supervises, and over-clears. Under these circumstances Wiki-leaks is inevitable. However, Wiki-leaks might be tolerable if it were not typical, if the entire government were not such a large source of leaks of sensitive and personal information.

We security people are probably not unique among professionals for holding ourselves to very high expectations and being disappointed with our results.

In order to keep my perspective, sanity, not to mention my self respect, I have put a post-it on my bathroom mirror. I read it several times a day. It says, "We are not about perfection."

That's right. It is not my job to prevent all leaks and losses. It is not my job to make the world safe for democracy, or even the Internet safe for all applications. It is not my job to prevent all the Seven Deadly Sins, the motives for the things that we do wrong. I am not responsible for every unchecked input, much less for preventing all the SQL injection and buffer overflow attacks that exploit them.

It is not my fault that the banking industry has consistently and persistently ignored my sage advice to confirm all changes of address to the old address and unusual transactions out-of-band, to change from mag-stripe and PIN to smart-cards, and to use strong authentication.

While I have to advocate that all Internet facing web applications should use the OWASP Enterprise Security API, I am not responsible for most failures to do so. While I am responsible for using every teaching and training hour efficiently, I should not condemn myself for failing to communicate the entire canon in an hour or not rationalizing all media coverage and political thought.

Our job is to make the world work better with us in it than it would be without us. Fortunately we have such leverage that that is not very difficult. While we do not make the world perfect, we make an existential difference.

As security professionals, we are expected to know that some losses are cheaper to tolerate than to prevent, some damage cheaper to repair than resist, that no matter what they think they want, no one really wants perfect security. We are expected to know that the cost of security curve is not linear, that to halve one's risk, one must double one's cost, that the better one's security already is, the less efficient the next dollar spent.

Our job is to ensure that all of the systems, applications, networks, and enterprises in our care get the protection that is appropriate to their sensitivity and the environment in which they operate, and that expensive security measures are reserved only for the targets that require them. Said another way, our job includes avoiding the use of inefficient measures. It is more about efficiency than effectiveness. If we prevent a loss or save the cost of a protective measure, in either case, the impact falls right through to the bottom line of the enterprise, the line called profit, the one that measures enterprise efficiency and contributes to the productivity of the economy.

Our job is to ensure that the sum of the cost of losses and the cost of security is at a minimum. That is impossible to know at any given point in time. It is a balancing act. It is not stable; it moves as the threat changes and the cost of technology falls. It takes both measurement and management to approach it over time. However, that is our job and our opportunity. That is how we make the world work better and justify our existence. If it were easy, they would give it to someone else.
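The cost curve in the two paragraphs above, worked through as an added example (this is not the author's code, and the post offers no formula). It takes the post's rule of thumb literally as a simplifying assumption: expected loss falls in inverse proportion to security spend, so doubling spend halves the risk. The baseline figures (a hypothetical `s0` of $10,000 spent against an expected loss `loss0` of $1,000,000) are constructed sample numbers, and all function names are mine. Under that assumption the sum of losses and security cost has a closed-form minimum, `s* = sqrt(loss0 * s0)`, which a grid search confirms, and the loss avoided by the next dollar shrinks as spend grows, which is the post's "less efficient next dollar".

```python
"""Toy model of the security cost curve: loss + spend, minimized.

Assumption (constructed, not from the original post): expected annual loss
is inversely proportional to security spend, i.e. doubling the spend halves
the risk. Baseline figures are made up for illustration.
"""
import math


def expected_loss(spend, s0, loss0):
    """Expected loss at a given spend, with loss proportional to 1/spend.

    (s0, loss0) is the baseline point: at spend s0 the expected loss is loss0.
    """
    if spend <= 0:
        raise ValueError("spend must be positive")
    return loss0 * s0 / spend


def total_cost(spend, s0, loss0):
    """The quantity the post says we should minimize: losses plus security."""
    return expected_loss(spend, s0, loss0) + spend


def optimal_spend(s0, loss0):
    """Closed form: d/ds (loss0*s0/s + s) = 0  ->  s* = sqrt(loss0 * s0)."""
    return math.sqrt(loss0 * s0)


def search_optimum(s0, loss0, lo, hi, step):
    """Brute-force check of the closed form over a grid of spend levels.

    Returns (best_spend, best_total_cost).
    """
    best = None
    spend = lo
    while spend <= hi:
        cost = total_cost(spend, s0, loss0)
        if best is None or cost < best[1]:
            best = (spend, cost)
        spend += step
    return best


def marginal_benefit(spend, s0, loss0, delta=1.0):
    """Loss avoided by the next `delta` of spend; falls as spend rises."""
    return expected_loss(spend, s0, loss0) - expected_loss(spend + delta, s0, loss0)


if __name__ == "__main__":
    # Constructed baseline: $10,000 of security spend, $1,000,000 expected loss.
    S0, LOSS0 = 10_000, 1_000_000
    star = optimal_spend(S0, LOSS0)
    print(f"closed-form optimum spend: {star:,.0f}, total {total_cost(star, S0, LOSS0):,.0f}")
    print("grid search optimum:", search_optimum(S0, LOSS0, 10_000, 500_000, 1_000))
    for s in (10_000, 100_000, 1_000_000):
        print(f"spend {s:>9,}: total {total_cost(s, S0, LOSS0):>12,.0f}, "
              f"next dollar saves {marginal_benefit(s, S0, LOSS0):.2f}")
```

Two things fall out of the model that the prose only gestures at: under-spending and over-spending by the same factor cost the same (spending $10,000 or $1,000,000 against a $100,000 optimum both total about $1,010,000), and the optimum moves with the square root of the loss exposure, so a tenfold rise in what is at stake justifies only about a threefold rise in spend.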

Only when we rationalize our expectations of ourselves, communicate those expectations to our employers and clients, and measure ourselves appropriately against them, will we be satisfied with our jobs, appreciated as professionals, and paid the big bucks.