Information Security: The End Of The Wild West

[ Aug 2, 2006 ]
If you’re an information security administrator/analyst with average skills
and little interest in the field, your days are numbered.
Contrary to what many believe, the field of information security won’t
always be like this, i.e. an open, festering wound. I know that’s
blasphemous to say — especially coming from a security guy — but it’s true.
The only reason so many low to mid-level security professionals have jobs
today is because absolutely no security considerations were made when the
Internet (and the systems that connect to it) was first built.
Unfortunately, we’re still using that same first-generation technology
today, and that’s why we’re up to our necks in trashware. Once that changes,
however, the endless job postings for the average security pro will come to
an abrupt end.
Waiting Disaster
Information Technology today is like a high-rise construction site with
nothing but wet cardboard for building materials. For nails and bolts we use
bundles of rotten toothpicks tied together with some twine. We then proceed
to erect these massive skyscrapers and then wonder why they topple so easily
in the wind and rain.
Though most will tell you otherwise, it’s not because the wind and rain are
unstoppable forces. It’s not as if buildings can’t be made that won’t stand
up to the elements. No, the problem is in the building materials and
schematics — not the wind and rain.
Analogies aside, systems today are so poorly put together that my
fascination with penetration testing has been severely damaged. I still get
a short rush when I break into a Unix or Windows system and get root/admin,
but it’s immediately squashed by a voice that says, “Great, someone left the
door wide open and you walked through it. So what? You didn’t even find the
door yourself.”
Nice. Now the poor kid’s sitting there with a skinned knee. What now? Throw
your arms up in triumph? I think not. It was just a little kid. The
only person who deserves any credit is the guy who tipped you off in the
first place, i.e. the researcher who found the hole.
The Building Blocks Of Failure
It’s not hard to map out what has led to cracking being so easy. Listed
below are just a few of the factors that make breaking into today’s systems
more like fighting with children than breaking through fortified defenses:
- The Internet Was Designed For A Few Academics, Not People In General:
The initial designers simply didn’t plan on mass adoption, not by any
stretch. They didn’t factor in any security because they didn’t think
anyone malicious would ever use it. It’s that simple. It’s not that they
couldn’t add security — they didn’t even try.
- Microsoft Windows Is The Most Prolific OS Out There, And Its Security
Has Been Horrible: This isn’t about bashing Microsoft, it’s just true. They
became so successful that every one of their major flaws became the world’s
problem. Again, just as with the designers of the Internet, it all comes down
to the benign mistake of designing for functionality rather than
security. Once the default configuration of Windows and the other
high-utilization operating systems starts incorporating decent security,
the whole landscape will change dramatically.
- The C Programming Language Is Dangerous, And It’s Still Being Used
Extensively: The problem with C isn’t that it’s a bad language, it’s that it’s
dangerous for those who aren’t both skilled and really careful. We’ve
all heard the foot-shooting jokes, and those exist for a reason. Having a
language/IDE pair that provided pseudo-intelligent security checking
before compile time would go a very long way toward stopping buffer
overflows. Think of the IDE automatically adding bounds checks for copy
functions, or better yet — standardized use of a language that doesn’t
allow you to make the mistake at all.
- System Architecture Allows Buffer Overflows By Default: The vanilla
computer system of today and yesterday essentially has tragedy built
right in. You stuff too much into its small container and the computer
scoops up the extra, takes it to the brain, and says, “Run this.” This
is comically insane, and it could have been done a million other ways.
The only reason we still have this problem is that we’re still stuck
doing things the way they were done on the very first computers. As in,
the computers from the 70’s and 80’s. Once again, this isn’t our best
effort. It’s our first effort, and one made when the threat wasn’t even
visible.
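The last two items describe the mechanism (the machine happily uses whatever spills out of a too-small buffer) and the remedy the post proposes (bounds checks on copy functions). The following C example is added here and is not from the original post: a hypothetical record layout in which an unchecked copy spills from the name buffer into the adjacent is_admin field, next to the checked copy that refuses input that does not fit. The struct, field names and inputs are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout (hypothetical): an 8-byte name buffer with a field the
 * program trusts sitting right after it in memory. */
struct record {
    char name[8];
    uint32_t is_admin;   /* hypothetical privilege flag; should stay 0 here */
};

/* The "vanilla" behaviour the post describes: the copy writes whatever the
 * caller supplies, running past the end of name[]. The clamp to sizeof *r is
 * only so the demo stays inside one object and is well-defined C. */
void unchecked_copy(struct record *r, const char *src)
{
    size_t n = strlen(src) + 1;             /* includes the terminating NUL */
    if (n > sizeof *r) n = sizeof *r;
    memcpy(r, src, n);                      /* spills from name[] into is_admin */
}

/* The bounds check the post wants languages and IDEs to insert for us:
 * refuse any source that does not fit in dst (NUL included). */
bool checked_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size) {
        if (dst_size > 0)
            dst[0] = '\0';                  /* leave a valid, empty string */
        return false;
    }
    memcpy(dst, src, n + 1);
    return true;
}

/* is_admin after copying src the unchecked way; non-zero means it was clobbered. */
uint32_t admin_flag_after_unchecked(const char *src)
{
    struct record r = { "", 0 };
    unchecked_copy(&r, src);
    return r.is_admin;
}

/* is_admin after the checked copy; *ok reports whether src fit at all. */
uint32_t admin_flag_after_checked(const char *src, bool *ok)
{
    struct record r = { "", 0 };
    *ok = checked_copy(r.name, sizeof r.name, src);
    return r.is_admin;
}
```

With a 12-character name, the unchecked copy leaves is_admin holding the bytes 'AAAA' (0x41414141) while the checked copy reports failure and leaves the flag at 0.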
Changeth Cometh
But things are changing. Although most of what’s coming in the immediate
future equates to bandaids rather than redesign, the bandaids will have a
major effect on information security. Specifically, there will be far fewer
successful attacks against IT, and each one will require significantly more
skill. What this’ll do for information security careers is trim them
dramatically. There will be far less patching, fewer malware updates, and
less scrambling to contain outbreaks. In short, there’ll be less grunt work
to do. Here’s why:
- More Secure Default Configurations: As vendors begin to ship more
secure default configurations, things will improve greatly. This is
especially true of the Windows operating system since it’s so
ubiquitous. As a case in point, from a pen-testing standpoint, the
difference between breaking into Windows 2000 Server vs. Windows Server
2003 is massive. 2003 still has a legion of issues, but it’s like a
fortress compared to 2000.
- Enhanced System Architecture: Within a few years it’s going to be
far more difficult to run arbitrary code on systems. There are
various stack protection technologies coming to market now, and before
long these types of defenses will be in the operating systems themselves.
- Protective Programming Environments: IDEs, and even the languages
themselves, will be written specifically to protect the final product
from the programmer. The language won’t allow most things, and what it
does allow the IDE will balk at when done. This won’t eliminate errors,
of course, but the effect will be enormous.
- Security Technology Integration: In addition to more secure
default settings and better overall design, the new security
technologies that we’re seeing today will be as common in future
environments as printers and network cables are today. Technologies like
Host-Based Intrusion Prevention will be in all operating systems, all
network roll-outs will have Network Access/Admission Control elements, etc.
Malware today has free rein, and it won’t always be that way. The authors
of the excellent Foundstone reading have been quoted as saying that had
every system they went against had HIPS technology, things wouldn’t have
gone so well for them.
Why I Could Be Wrong
So within the next 5-10 years things will get dramatically better for IT
Security. When I say dramatically, what I mean is putting an Apache web
server out on the Internet and having it survive for a couple years without
patching. That’s dramatic.
I could be wrong though; it wouldn’t be the first time. Here’s how: just as
information security is in its infancy, so is information technology itself.
And the drive for features will continue to outpace the drive for security,
simply because features are what drive technology.
That being said, it’s quite possible that as technology really takes
off, e.g. personal computers (think current phones) hosting your own private
daemons, full multimedia and display technologies, etc., all these things will
be released at ludicrous speed. And that speed is likely to be much faster
than proper security considerations can keep up with. The result of that would
be what we have today — gaping security wounds.
But I don’t think so. I think the framework for development, and most
importantly the building materials themselves, will be so superior that even
shoddy work will yield products that are 99% more secure than what we see
today. Like I said, though — I could be wrong; we just have to wait and see.
Either way, even with the more robust IT infrastructure of the future, there
will always be work for talented and dedicated security professionals.
Stupidity isn’t going away, and misconfiguration is as bad as (or worse than)
any architectural or design problem. As such, social engineering and other
advanced attacks will always have a home, no matter how advanced security
technologies become.
Conclusions
Once we do finally invest the time and effort into building new systems —
systems designed with security as a primary consideration — the entire
balance will shift dramatically in favor of infosec. At that point, news of
a major hacking incident that didn’t involve a configuration mistake,
insider attack, or social engineering will be headline news.
Anyway, I wonder what other security professionals think about this
viewpoint, and I encourage you to contact me with your flames, comments, and
questions at will.
Notes
- This topic has been on my mind for a number of years now, and I tried
(mostly unsuccessfully) to argue the same point in this paper which I
submitted as my SANS GSEC practical a while back. It was called,
“Jousting From Unicycles: Addressing Design Rather Than Adding Armor”.