“Retreat, hell! We’re just attacking in a different direction”

The CEO of my company (MicroSolved, Inc.) recently returned from a trip to Aruba, during which he was forced to endure the ban on liquids and gels on airlines. While patiently complying with the wishes of the TSA inspectors, he began to wonder whether the additional inconvenience was worth the minimal decrease in security risk that the average airline customer would experience. Upon his return, he did a little research on the current rates of injury or death from everyday activities such as flying, driving, swimming in your backyard pool, and walking in the rain.

While the research revealed some very interesting facts regarding the risk involved with performing these everyday tasks, it prompted me to ask a different question. Our CEO was interested in knowing if the inconvenience was worth the reduction in risk. I asked whether the inconvenience was worth it at all. Did it even work?

I immediately began to think about how we got to the point we currently find ourselves, in regards to Anti-Terrorism and Information Security. Can we find a way to tie Anti-Terrorism measures and Information Security measures together to get an idea of whether the Anti-Terrorism measures can ever be effective?

When thinking of Information Security, the first thing that comes to mind is one despicable word: Signatures. Nearly every school of thought that security professionals have bought into involves the use of signatures to detect an attack. Your Anti-Virus relies on signatures to identify malware. Your Intrusion Detection/Protection devices rely on signatures to identify attacks. Your spyware/adware detection devices rely on…you guessed it…signatures.

Signatures have proven to be quite effective…AFTER THE INITIAL ATTACK. The problem is that someone or something would have to have already seen the attack, in order to create an accurate signature. This holds true with today’s current Anti-Terrorism strategy. Think about just about every strategy that has been put into place to identify (or protect you from) a terrorist attack. We don’t implement bans on “liquids” until AFTER someone has already seen that particular method. We don’t restrict the use of metal silverware on a plane until AFTER someone has used a butter knife to hijack a plane.

There is a portion of the Information Security community (me included) who believe that we have already lost the war against malicious attackers. Of that portion of the community, several of us firmly believe that we are at a crossroads in what Information Security is now and will be in the future. A couple of us believe that it is now time to recognize that the good guys have lost the war and it is now time to pull back and focus our efforts on securing the critical data and leaving the users to their own devices.

There is a term floating around out there that speaks directly to this school of thought: Enclave Computing. Under this model, we begin by identifying the critical information that needs to be protected. Once we have identified it, we move it to a secluded part of the network, or “enclave”, and wrap controls around it that dictate who and what has access to that information. We give the user base every protection we can, but we don’t care what happens to their boxes. We don’t care if they get compromised, because no critical information is stored on those machines. If one of them gets compromised, it becomes a turn-and-burn situation: the machine is re-imaged and back in operation in less than an hour. The information, secluded from the compromised host, remains secure.
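The enclave arrangement just described, reduced to a small runnable model. This is an added illustration, not code from the original post or from MicroSolved; every class, record and role name in it is a constructed assumption chosen only to make the steps concrete: critical records are placed in the enclave rather than on the workstation, every read of the enclave passes through a policy check that is audited, a compromised workstation yields only its own disk and is quarantined from the enclave until it is re-imaged, and the re-imaged box is back in service without the enclave data ever having been exposed.

```python
# Added illustration of the enclave model sketched above: not code from the
# original post or from MicroSolved. Every class, name, role and record here
# is a constructed assumption used only to make the arrangement concrete.
from dataclasses import dataclass, field

CRITICAL = "critical"
ORDINARY = "ordinary"


@dataclass
class Record:
    name: str
    classification: str        # CRITICAL records never live on a user machine
    body: str


@dataclass
class Host:
    name: str
    zone: str                  # "user" or "enclave"
    local_disk: dict = field(default_factory=dict)
    compromised: bool = False  # set once the box is known to be bad


class Enclave:
    """Secluded store: every read goes through fetch() and is audited."""

    def __init__(self):
        self._store = {}       # record name -> Record
        self._roles = {}       # record name -> set of roles allowed to read it
        self.audit = []        # (decision, principal, role, host, record)

    def store(self, rec, roles):
        self._store[rec.name] = rec
        self._roles[rec.name] = set(roles)

    def fetch(self, rec_name, principal, role, host):
        # Controls wrapped around the enclave, evaluated in order: the
        # requesting box must not be quarantined, the record must exist, and
        # the caller's role must be on that record's allow list.
        if host.compromised:
            decision = "deny:quarantined-host"
        elif rec_name not in self._store:
            decision = "deny:unknown-record"
        elif role not in self._roles[rec_name]:
            decision = "deny:role"
        else:
            decision = "allow"
        self.audit.append((decision, principal, role, host.name, rec_name))
        return self._store[rec_name].body if decision == "allow" else None


def classify_and_place(records, enclave, host, roles=("analyst",)):
    """Identify the critical information and move it off the user machine."""
    for rec in records:
        if rec.classification == CRITICAL:
            enclave.store(rec, roles)
        else:
            host.local_disk[rec.name] = rec.body
    return sorted(enclave._store)


def attacker_view(host):
    """What a full compromise of the workstation exposes: its disk, nothing more."""
    host.compromised = True
    return sorted(host.local_disk)


def turn_and_burn(host, golden_image):
    """Re-image the box from a known-good image and return it to service."""
    host.local_disk = dict(golden_image)
    host.compromised = False
    return host


# Constructed sample data (assumed, not from the post).
GOLDEN_IMAGE = {"README.txt": "standard workstation build"}
SAMPLE_RECORDS = [
    Record("payroll.db", CRITICAL, "salary table"),
    Record("lunch-menu.txt", ORDINARY, "tacos on tuesday"),
]


def demo():
    enclave = Enclave()
    ws = Host("ws-17", "user", dict(GOLDEN_IMAGE))
    placed = classify_and_place(SAMPLE_RECORDS, enclave, ws)
    exposed = attacker_view(ws)                          # box is now compromised
    while_bad = enclave.fetch("payroll.db", "alice", "analyst", ws)
    turn_and_burn(ws, GOLDEN_IMAGE)                      # re-image, under an hour
    after = enclave.fetch("payroll.db", "alice", "analyst", ws)
    wrong_role = enclave.fetch("payroll.db", "bob", "intern", ws)
    return {"placed": placed, "exposed": exposed, "while_bad": while_bad,
            "after": after, "wrong_role": wrong_role, "audit": enclave.audit}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design choice worth noticing is that the enclave decides on every request and records the decision; the workstation's state (compromised or clean) is an input to that policy rather than something the enclave has to trust. That is what lets a box be treated as disposable: nothing it holds is critical, and nothing it can do while quarantined reaches the critical data.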

Now, I’m not condoning the thought that the government needs to consider leaving the citizenry to their own devices. I, a former US Marine, am absolutely certain that the War on Terrorism is something we can and will win, not to mention that we HAVE to win it. What I am afraid of is that we don’t know HOW to win. If we keep following the path of relying on signatures to protect our citizens and their information, as the War of Information Security has shown, we will lose.

As a country and an industry, we need to get back to our roots. We need to rely on that ingenuity that Americans so proudly brag about. We need to find pre-emptive solutions to defending our country and her information. I don’t know what the answer is to waging the War on Terrorism. I do know that MSI is using that “American Ingenuity” right now to create solutions to help us defend our information. What forward thinking organization will be the one to break new ground in providing a realistic method of waging the War on Terrorism?

One final, albeit scary, thought that holds just as true for National Security as it does for Information Security comes from a remark attributed to the President: our enemies “only have to be right once; we have to be right 100 percent of the time.”

This entry was posted in General InfoSec by Troy Vennon.

About Troy Vennon

I recently separated from the U.S. Marine Corps after 8 years. I spent the first 3 1/2 years building classified and unclassified networks all over the world. There was a natural progression from building those networks to securing those networks. My last 4 1/2 years in the Marine Corps took me to Quantico, Va where I was stationed with the Marine Corps Network Operations and Security Command (MCNOSC). While with the MCNOSC, I was a member of the Security section, which was responsible for the installation and daily maintenance of the 34 Points-of-Presence that made up the Marine Corps 270,000+ user network. After a period of time with Security, I moved over to the Marine Corps Computer Emergency Response Team (MARCERT). There I was the Staff Non-Commissioned Officer of the MARCERT, which was responsible for the 24x7 monitoring of network traffic across the Marine Corps. Specifically, we monitored network traffic for malicious intent and investigated any network incidents as they occurred. While with the MCNOSC, I attained my CISSP, CCNA, and OPST (OSSTMM Professional Security Tester). I have been with MicroSolved for the past 4 months as the Senior Security Engineer, Technical Lead, and Project Manager.