
Why security fails

By Jon Tullett, Editor: News analysis
Johannesburg, 14 Oct 2014
Established security practices need to be rethought, says Rik Ferguson, Trend Micro's global VP of security research.

A radical rethink of security practices is required to wrest control back from attackers. Although security technology has improved and is proving more capable at anticipating some attacks, criminals are still one step ahead.

Rik Ferguson, global VP of security research at Trend Micro, told ITWeb that major changes are overdue in IT security.

"The biggest obstacle right now is in overturning traditional security practices within the world of business, persuading people that they need to think and design security differently than how they have been doing it for the last 10 years," Ferguson said.

"Traditional security design has always been about assuming that your defences would be successful, based on the goal of keeping all attackers out. Everything needs to be turned on its head. What we should be looking at is designing security based on the assumption that it will fail, on the assumption that I will be breached. Designed so that when someone is in, we make it very difficult for them to leave with what they came for: and that's a whole different architectural approach. It's not about what security you buy and from whom, that is really the last part. The first part is designing the architecture."

Shaken to the core

Faith in security has been shaken by major developments recently, Ferguson notes, such as the Heartbleed OpenSSL vulnerability, the Shellshock bash flaw, the BadUSB attacks on USB controllers, the ongoing identity thefts at major chains like Target, and of course, Edward Snowden's revelations of global Internet surveillance. But these can also be distractions, he points out.

"All the worst-case scenarios are coming true. But, looking back over the 20 years I've been in the technology industry, there are these explosions of activity followed by what you could be forgiven for thinking are fallow periods. It's in those nothing periods when the explosion of innovation is being embedded in everything the bad guys are doing. When it explodes it gets a lot of press - Shellshock! Heartbleed! - then it goes away and you think, oh, we fixed that, that's good. But criminals are now using those innovations in as many interesting ways as they can, and the reason they're not doing anything new is because they don't need to."

The cyclical nature is predictable, he says. "Seven or eight years ago, criminals discovered that if they made a huge volume of malware, that would overcome traditional security, and then the industry had to scramble to try to work out what to do because we'd been rumbled."

Despite this, Ferguson says he feels broadly positive about the state of the industry. The same cycle drives innovation among the good guys, after all. "There is a great deal of innovation on both sides of the fence - criminal and vendor - and there's a lot of great technology out there from a number of vendors right now. The industry grows through those phases - explosion of innovation then consolidation where everyone acquires everyone else. We're going through a consolidation phase right now, where all the niche technologies are becoming embedded [in mainstream products], and it's more likely to be deployed by more people."

Mobile insecurity

Mobile security, in the emerging bring your own device (BYOD) era, also needs a radical rethink, Ferguson says. "For a long time, the big thing was the consumerisation of devices in BYOD: you bring your phone to work and use your own hardware for business purposes. There's a lot of pressure in the other direction now, which is more of a bring your own data than bring your own device. As an employer, I might give you the choice of devices, but only ones which meet security requirements. I'll actively encourage you to use it for personal purposes and you can bring your own data to the device."

That shift will be driven by the reality that partitioning work and personal data on the device is extremely difficult to do, he adds. "How do I maintain the difference between content that's on the device and the stuff that I'm allowed to delete when I do a device wipe? That also presents legislative problems because within the UK and most of Europe, if I don't give my employer permission to delete this, it's a criminal act against the Computer Misuse Act."

Trend Micro's approach is to encourage a model where the user has complete autonomy on the device, but accesses enterprise apps and data through a secured remote access environment, similar to solutions from Citrix and others. Trend Micro's Safe Mobile Workforce product delivers a virtual Android desktop, complete with enterprise app store, accessible from handsets including Apple and Microsoft devices.

"You own the hardware and anything that you do directly on the environment that is native to the hardware is yours and I don't care about it or manage it," Ferguson explains. "But if your device is reported stolen, your corporate stuff is running in a virtual environment on that device and I simply withdraw the virtual environment from that device. You can have an iPhone, but when you go into Safe Mobile Workforce it's an Android desktop you get there."

Efforts to secure against mobile malware are struggling, Ferguson says, because there are so many routes to attack a user. Social media attacks are growing in popularity, partly because there are so few security solutions capable of balancing security and privacy. Trend Micro offers a parental control app for Facebook and other social networks, giving parents insight into the activities of their children, but such a solution would be unacceptable to corporate users, Ferguson acknowledges. "There have been specialised niche products, gateway products, which interact with apps within Web sites. So the capability exists, but there are a lot of privacy concerns, particularly in Europe where the privacy legislation has become so strongly user-oriented. As it should be! But there are a lot of legislative obstacles."

Proper police work

Another major development within malware is the adoption of encrypted, anonymised communications such as the Tor network, which makes tracking down criminal activity much harder. Trend Micro, like many security firms, runs a global tracking operation to identify infected machines, command and control servers, and so on. The firm, along with its peers, is working with Europol to provide insight to European law enforcement agencies seeking to track down the criminals behind attacks. While there have been some notable successes, such as the arrests of Spanish and Russian hackers responsible for ransomware attacks, and the arrest of Ross Ulbricht, the operator of the Tor-based "Silk Road" drug marketplace, most of these arrests have hinged on mistakes by the criminals, not on dragnet Internet surveillance.

"Botnets are increasingly turning to Tor," he says. "A lot of the child exploitation stuff is moving to hidden services. That's where law enforcement really have to rely on old fashioned legwork. There's very little you can do from a technological perspective in terms of identifying the operator of a Tor hidden service or identifying the clients. You can put a tracking beacon on a Web page, but that means you have to have already identified and compromised that server in order to identify who's going there. So there are some things you can do, but they all rely on intelligence, mistakes made by criminals and old fashioned detective legwork."

Although agencies like to argue that surveillance is necessary to identify criminals, the argument is flawed, Ferguson says. "The people you're going after know how to hide themselves. If someone's using a VPN service and then going through Tor, you're not going to find them by hoovering up everything else. You need to be a lot more surgical, a lot more precise. And to be honest, the law enforcement activity that has led to arrests has from the outset relied on mistakes made by the criminals, which led to identification of specific infrastructure, which allowed warrants to be issued, which revealed further clues, which led to arrests. That's proper police work."

Clean pipes

Although malware is moving to encrypted networks, there are still plenty of identifiable malicious players on the Internet, and Ferguson is surprised there is so little pressure to tackle them. "Why isn't there a consumer lobby for clean pipes?" he asks. "If you turned on your tap and brown water came out every time, you'd be going to the water board saying 'the water isn't fit to drink, do something about it'. There's no consumer pressure for clean pipes from an ISP either, so the ISPs have no interest in making an investment to make it happen.

"I wrote a blog post suggesting it was time to start quarantining devices. It's happened a couple of times - Comcast in the US started to notify infected customers. And there was a German ISP that did the same thing. But no one has gone as far as quarantining those users yet." He'd like ISPs to be firmer with their users, he says. "You are perpetuating the problem, infecting other users, and consuming the only resource I as an ISP have to sell: bandwidth."
