Brother, Where art thou?

Today’s security solution is to make your problem someone else’s problem. Maybe that is the right answer, and I just don’t like it.

I was left this morning with a depression about the security industry after reading a Threat Post Article on active defense.

I want a security community that its first concern is that of security, everyone’s security.  I understand that idealism does not create a paycheck, my current idealism is proving that point. But security solutions should be about security, a solution to the problem, not the passing on of that problem to someone else.

The problem about Active Defense is that the objective is not to prevent attacks, but to frustrate the attacker in order for them to attack somewhere else.

Twenty years ago it was common to say, “It is not a question of having perfect security, it is to have just enough security to make the attacker go elsewhere.” This was the same time period that companies spent more money on coffee than computer security.

Today, this same message is the backbone for active defense, it is just hidden under verbose reasoning.

Basic blocking and tackling with network defenses,meanwhile, can help fend off attackers without the need for infinite recursive directories, said Michael J. Keith, a security associate andpen-tester with Stach & Liu.“Our pen-tests last multiple weeks, more time than the attacker has,”Keith said. “Unless you know the reward is worth it, you’re not going to spend that much time on an attack. Most of the headline-type of attacks over the years are rarely because an attacker has been truly persistent or crafty. It’s usually something incompetent that was left open.“If I was a professional hacker after credit card numbers, there’s no way I would devote as much time as I do to exploit holes in customer networks,” Keith said. “A real attacker wouldn’t do that.”

The belief here is that a real attacker need to make money, and time is money. If he can’t make it here, then he’ll make that money somewhere else.  The “Where”  is where one that can do it with less effort.  This logic is not unfounded.  Exploit kits, which are the primary tool today for Internet attacks that steal credit cards and the like from personal systems, are made up of mostly old exploits. Read Charlie Osborne’s post. This exists, not out of bad quality control of crimeware, but because it is good enough: Effort versus Cost.

What bothers me about the pass-the-buck approach is that it does not solve the problem, but passes that problem to someone else.

Steve Chabinsky, CrowdStrike senior VP of legal affairs stated in the article,

“… we are left with a digital society in which screams of ‘stop that man, he stole my wallet,’ are met mostly with inaction other than finger pointing at the victim to better hold on next time. That has to change.”

This I total agree with. This has to change.

In general, we are driven by materialistic values, and those who have the power are asking, “What is in it for me?”  Steve Chabinsky’s statement does not exonerate himself from inaction.  On the contrary, the statement presented in the context of this article is one that says, “This is our business opportunity”. Instead of helping where there is no police, we want to be the paid body guards, ignoring those that cannot pay for better protection.  

The issue is that if a company was able to point a finger at the attacker, could the Government(s) do anything about it?  It seems that the answer to this question is no.

And so, what are we left with? Do we just provide security to those that pay us, and herd the wolves to those who budgeted coffee over security?

I agree with CrowdStrike, I just don’t like the answer.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: