A conversation with InfoWorld security expert Roger Grimes reveals why the latest burst of attacks is just business as usual

Security breaches are getting more mainstream media play than ever before, mainly thanks to organizations like Anonymous and Lulz Security hitting high-profile targets. The cost of the destruction, particularly to Sony, has been high. But ironically, attackers who do it for the glory rather than money may be providing a kind of public service.

“Security is always this bad,” says Roger Grimes, InfoWorld’s stalwart security expert and author of our Security Adviser blog. But when criminals compromise financial institutions and other corporate targets, as they do all the time, the victims like to keep it as quiet as possible. At least the new wave of very public assaults shines a bright light on the awful state of security.

Roger knows firsthand how terrible it is. As a security consultant, he would tell clients he could break into their network within 24 hours, but it almost always took him less than an hour. Nor has he ever failed to obtain a CEO’s password in just a few minutes with a little social engineering. “Hacking hasn’t changed in 20 years,” he says. “I guess that’s the sad thing. In the past 20 years, hacking is no harder and defending is no better.”

End-user security holes

The maddening thing is that simple measures, well known for years, would prevent most attacks. According to Roger, 90 percent of exploits involve users downloading and installing items they shouldn’t.
Often, these exploits begin with scareware messages that tell users their system has been compromised and that they should install an antivirus program to remove the infection, which of course turns out to be malware itself.

It’s hard to train users to ignore fake alerts, Roger says, especially when they don’t know what a real virus alert looks like:

I’ve asked every company: Do you give a picture to your employees of what your antivirus program looks like when it finds a virus? Never. They never do. Ever. If this is the No. 1 problem in most environments today — and it is — why are we as defenders not even doing the simple stuff? Is it too hard to take a picture and tell an end-user, “this is what your product looks like?” It’s not. I’m not sure if it’s lethargy or what. Every company I’ve ever said that to … none of them have ever taken the picture. They’re like “Oh, you’re right, good idea,” and then they don’t do anything.

The lack of even elementary training is one problem. Another is that people don’t get penalized for failure. Roger says, “In my entire career, and I’ve been doing this since 1987, [I only know] of one department that had some firings because of a horrific hacking event — that was from SQL Slammer.” In the vast majority of cases, neither end-users nor IT professionals face penalties for their role in a security disaster.

Putting off patching

Perhaps even more frustrating is IT’s failure to keep software patches up to date. This lapse, Roger notes, was practically an open invitation for the Sony hack: “You had Web servers that were knowingly unpatched for months. A Web server, the most attacked thing on the planet, knowingly unpatched. That borders on negligence.”

Maybe so, but it’s also common. “I’ve never been to a company that didn’t have multiple critical servers unpatched, even though they always say, ‘Oh yeah, we’ve got them patched and taken care of, don’t you worry about it,’” Roger says.
They also fail to keep patches up to date for routers, security appliances, third-party browser plug-ins, and on and on. A big problem is the level of effort to patch everything. The responsible thing to do is to test before you patch, which takes time. Meanwhile, according to Roger, here is what happens:

If I’m a bad guy trying to break in, all I have to do is find out what you run — Apache, Windows, and so on — and then I wait until I hear about the patch coming out. Usually the exploits are there within a couple of hours or less than that, and then I break in. The best a company can do is [take] days, if not weeks, to test, approve, and deploy patches. So if I’m a guy who’s going to break into a company I can just take my time and learn your environment, learn who your partners are, learn who you have services with, find out what you’re running, and then … bada-bing, bada-boom. I mean, give me a month. What doesn’t have a patch in a given month?

Some of the problem is lack of time or in some cases sheer laziness in the face of lax accountability. But even in the best case, patching can make the most dogged admin feel like Sisyphus.

Here’s where the discussion gets even more difficult. While changing user behavior and keeping patches as up to date as possible would prevent a huge percentage of exploits, traditional remedies, such as antivirus software and firewalls, simply “don’t work,” says Roger. If they did, they would have worked already. Nothing can keep up with the proliferation of malware, which amounts to an estimated 63,000 new malicious programs per day, according to a recent report by Panda Security. So what can be done?

Facing the security future

If you’re a regular reader of Roger’s blog, you know that he advocates default persistent identity as the only ultimate solution to the security mess. That’s a controversial position because some think it spells the end of anonymity on the Internet.
But Roger sees it as the only way criminal hackers will be forced to pay a penalty. Until then, “it’s almost guaranteed they get away with it.”

But a persistent identity scheme would require the kind of global consensus and commitment that seems unimaginable right now. Despite the dramatic events of the past few weeks, Roger believes the current sorry state of security will persist for the next 5 to 10 years. He says, “If one-third of adults in the country had their identity stolen last year — and they did, for the fourth or fifth year in a row — exactly what would it take for people to care more?”

This article, “Why your security sucks,” originally appeared at InfoWorld.com.