Most Computer Security is Useless (and pseduo-eschatology: bank robbers find a use for the spying)

Security research company NSS Labs ran some tests and figured out that only 3 percent of security product combinations out there were capable of blocking all the exploits they tried.

Which is to say that given an even reasonably well informed attacker, 97% of computer security solutions are useless. “The firewalls, they do nothing!”

The problem? All the vendors thinking along the same lines, using the same research tools, because they’re The Right Way to Go. One error means everything falls down… and people resist going outside the mainstream because it’s harder to manage.

Pseudo-Eschatology: I wonder if Snowden has officially passed Ellsberg in the whistleblowing record books yet? He’s certainly made a hell of an impact. It still remains to be seen whether he knows enough to set off the “keep that mind off the non-government market at all costs” mentality.

Anyway, a bank robbery suspect is requesting his phone records from the NSA in order to prove he wasn’t at the scene of the crime. (The phone company has since deleted the logs, but presumably the NSA hasn’t.),0,5434900.story

“There is only limited breach prevention available: NSS looked at 606 unique combinations of security product pairs (IPS + NGFW, IPS + IPS, etc.) and only 19 combinations (3 percent) were able to successfully detect ALL exploits used in testing. This correlation of detection failures shows that attackers can easily bypass several layers of security using only a small set of exploits. Most organizations should assume they are already breached and pair preventative technologies with both breach detection and security information and event management (SIEM) solutions.

No kidding. It not novel to say that exploits work in today’s environment. Instead of just guessing at optimal combination of devices (which seems to be a value proposition NSS is pushing in the market now), what about getting a feel for the incremental effectiveness of just using a firewall. And then layering in an IPS, and finally looking at endpoint protection. Does IPS really make an incremental difference? That would be useful information – we already know it is very hard to block all exploits.

NSS’s analysis of why layering isn’t as effective as you might think is interesting: groupthink. Many of these products are driven by the same research engines and intelligence sources. So if a source misses all its clients miss. Clearly a recipe for failure, so diversity is still important. Rats! Dan Geer and his monoculture stuff continue to bite us in the backside.

But of course diversity adds management complexity. Usually significant complexity, so you need to balance different vendors at different control layers against the administrative overhead of effectively managing everything.

And a significant percentage of attacks are successful not due to innovative exploits (of the sorts NSS tests), but because of operational failures implementing the technology, keeping platforms and products patched, and enforcing secure configurations.”

%d bloggers like this: