Sunday, May 10, 2020

Repost - Once upon an information security

Once there were mainframes that were standalone systems, fed by punch cards and teletypewriters. They had tight roles, based on access control models, often externalised to the operating system and application.
Everyone wanted access to them so the teletypewriters were extended with serial connections and then modems to allow remote access.
Eventually minicomputers were connected to public networks, the precursors to the internet, and network services such as sendmail were written and exposed.
One of the first network worms, ironically released by the son of a computer security researcher, knocked a good portion of the internet offline.
Now the first bolt-on security product was released - the firewall.
Essentially it was a clever kludge for the problem of too many publicly accessible computers with default installs that had insecure network services to manage.
Now personal computers blossomed also with the rise of personal productivity software and a thriving shareware culture.
Some clever idiots started mixing malicious software in with legitimate software, and we had the rise of computer viruses - malicious software that required user interaction to replicate.
The second bolt-on security product was born - antivirus.
Antivirus checked files you opened against a database of known malicious software. This again was just a kludge for the problems of poor user awareness, users running with administrative privileges due to undercooked operating systems and a lack of a mechanism for easily identifying if software was trustworthy before executing it.
Attackers started digging into the network services for vulnerabilities as default passwords and debug functions started getting turned off, and found a soft underbelly in web server software. Web site defacements rose and another product arose - Intrusion Detection - essentially a networked version of antivirus, looking at packets rather than files.
This helped operations teams get a bit ahead of the game and respond to compromises of internet facing services in a timely manner.
Big outages, due to network worms on internal networks affecting the dominant server and desktop operating system, drove Microsoft's boss Bill Gates to issue the Trustworthy Computing memo, essentially telling the company that security needed to be a top priority for its success.
Microsoft started turning the supertanker in the right direction by introducing security into their SDLC, assisting law enforcement, and pushing security fixes via a security bulletin process.
The company also delivered operating systems in which excessive network services weren't running as part of default installs, the user ran under reduced privileges, and operating system components were cryptographically signed, and so started to address the root causes of poor operating system security.
But now the threat environment had changed: the threat was no longer computer enthusiasts, "hackers" being a bit too curious or "crackers" being too destructive; it was starting to become organised criminals.
Criminals figured out that serious money was starting to move through computer systems, and that malware called remote access Trojans could help them steal credit card numbers and internet banking credentials, facilitating fraud.
Now finally spies got on the Internet too, as the majority of the world's information got stored in computer systems.
So here we are at a pretty interesting time in information security. The latest operating systems have become easier to manage security-wise, and more security is "built in", but most organisations aren't running them yet.
The threat landscape has changed, with the attackers motivated by financial gain.
Vulnerabilities are no longer being publicly disclosed, but instead sold to the highest bidder.
Often it's the application software like Java and Flash which is now being targeted on the desktop.
Information security professionals now have to worry about nation state backed threat actors as well as organised crime backed cyber criminals.
The bolt-on security controls have become less effective, as the threat actors have learned to hide from them or tunnel through them.
Now we have to chase emerging technologies to stay ahead of the threat actors, as traditional security vendors haven't innovated quickly enough.
Additionally, information technology is again reinventing itself with "cloud", "mobility", "BYOD", "flexible working", "off-shoring" and a handful of other disruptive ideas.
Just as the better operating systems are arriving, we are swapping out Windows desktops connected to wired networks for laptops connected to wireless networks.
Executives demand email and apps on their iPads and iPhones, introducing new operating systems and new ways of managing them.
Businesses want "instant on" software as a service applications rather than taking the risk to develop or deploy in house solutions.
It's a rapidly changing battlefield in terms of threat landscape and the availability and effectiveness of security controls.
Information security is having to step up a level and think differently about enabling users and third parties to secure themselves, and about securing the data we share with them, as we lose the ability to enforce security controls ourselves at the operating system layer.
Infosec - never a dull moment if you're doing it right.

1 comment:

  1. Wow, excellent post. I'd like to draft like this too - taking time and extremely hard work to make a great article. Visit Event Security Guards Service. This post has inspired me to write some posts that I am going to write soon.