Anton Chuvakin on What is NOT Working in Security 2004

What is NOT Working in Security 2004 Anton Chuvakin, Ph.D., GCIA, GCIH Security Strategist October 6, 2004

Outline
Threat Landscape Overview
Current
Emerging
Underappreciated
Non-threats
Current countermeasures
Working
NOT working
Underappreciated
Emerging countermeasures
Promising
Questionable

Current Threats
What is still out there ? Old classics 
Malware
Worms
Viruses
Trojans
Backdoors
Rootkits
Hybrid/Blended malware
Spam
Malicious humans 
Script kiddies
Blackhats

Emerging Threats
Coming strong 
More malware
Spyware (all kinds )
Phishing
A wave of it!
Network client attacks
Web browsers and others
Mobile (cell, PDA) attacks
Just wait a bit more
Wireless attacks
IM attacks
Source code attacks

Less hyped threats
Its there, but few care 
Internal attacks and IP theft
Web application security
SCADA security
Content/lexical attacks
Zero day and custom attacks

Non-threats
Some think they are, but they aren’t
Linux viruses
Not going to happen (*). Period.
Crypto attacks
Crypto is never the weakest link
(*) except in the lab or (in rare cases) custom written

Remote Future Threats
I am most certainly wrong here…but let’s use the “Feynman method” – whatever goes now will continue
So, let's gaze into our extra-murky crystal ball
User-driven malware will continue – users will not improve
Script kiddies and blackhats will not vanish
Hacking for money will increase – why do it for free
Classic automated worms will decline (did I really say that?  )
Client attacks will increase as vendors harden servers
Wireless attacks will become more frequent and impactful

Countermeasures
Working mean…
Solve the problem AND
Widespread AND
Value for the money
Not working is…
Not solve the problem OR
Niche OR
Not get than you paid for
Not appreciated:
Can work if people use them more
Fit the two of the above, but not widespread

Gartner Take on It!
OMG, did I just utter the “G word”? 
What you definitely need:
HIPS, quarantine, vulnerability management, IdM, audit logs, AES, SSL, anti-spam/AV, BCP
What you probably don’t need:
Quantum encryption, NIDS, biometrics, DRM, security awareness posters, 500 page policies, TEMPEST shielding, personal digital signatures, default passwords
Source: Gartner, “Management Update: The Future of Enterprise Security”, Sep 15, 2004

What works!
Soft:
End-to-end security process and defense in-depth
Incident response process
Hard:
Firewalls
VPN
Vulnerability scanning
NIDS - with correlation and context data
NIPS - for a narrow range of known attacks

As we prepare…
What does the typical company deploy today ?
Anti-virus
Firewall
Router ACLs
Password management
NIDS
Anti-spam
Are they happy with it?
What else do they need?

What is NOT working?
Anti-virus
“ What  ? It’s the best we have” Well, not good enough.
Patching
People just don’t do it (tools work, processes don’t)
NIDS – yes, it is in both categories!
With no correlation and context data – it fails
Anti-spam
Well, it kills 99% of it and the remaining 1% kills you 
Code reviews
Application security is not getting better
Security awareness
Users are hopelessly broken…and will remain so

Not appreciated
Log analysis and log management
Effective, but needs to be used more
Hardening
Even less popular than patching, works.
HIPS
It works. Do YOU run it? Probably not.
Honeypots
Honeyfarm or “honeytokens” deployment
Security standards
Standard is simple! Simple is secure!

Future Countermeasures
Promising
Better firewalls
Better correlation for IDS and logs
Better client security
NAC/NAP quarantine
Worm defenses
Questionable
Pureplay anomaly detection

Conclusion
Security will remain fun!  It will be funded too as threats will persist
Prevention will never supplant detection , detection will never supplant response – thus all technologies will remain
Underappreciated today will move into mainstream tomorrow!

Thanks for Viewing the Presentation
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
Author of “Security Warrior” (O’Reilly) – http://www.securitywarrior.org
Book on logs is coming soon!
See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs

Anton Chuvakin on What is NOT Working in Security 2004

by Anton Chuvakin on Dec 18, 2006

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 2

Statistics

Anton Chuvakin on What is NOT Working in Security 2004 — Presentation Transcript