
Anton Chuvakin on What is NOT Working in Security 2004


Anton Chuvakin on What is NOT Working in Security 2004: Focus on "what works" is good, but sometimes negative motivation works as well! Let's take a (fairly subjective) look at what doesn't work, for a change. Things change and technologies (and even processes) improve, which is why the title carries a date. Also, please take into account that the information provided is subjective by nature and represents my outlook on things, mostly collected from working in (and watching!) the security industry.


1. What is NOT Working in Security 2004
   Anton Chuvakin, Ph.D., GCIA, GCIH, Security Strategist
   October 6, 2004
2. Outline
   • Threat Landscape Overview
      • Current
      • Emerging
      • Underappreciated
      • Non-threats
   • Current countermeasures
      • Working
      • NOT working
      • Underappreciated
   • Emerging countermeasures
      • Promising
      • Questionable
3. Current Threats
   • What is still out there? Old classics
   • Malware
      • Worms
      • Viruses
      • Trojans
      • Backdoors
      • Rootkits
      • Hybrid/blended malware
   • Spam
   • Malicious humans
      • Script kiddies
      • Blackhats
4. Emerging Threats
   • Coming on strong
   • More malware
      • Spyware (all kinds)
   • Phishing
      • A wave of it!
   • Network client attacks
      • Web browsers and others
   • Mobile (cell, PDA) attacks
      • Just wait a bit more
   • Wireless attacks
   • IM attacks
   • Source code attacks
5. Less hyped threats
   • It's there, but few care
   • Internal attacks and IP theft
   • Web application security
   • SCADA security
   • Content/lexical attacks
   • Zero-day and custom attacks
6. Non-threats
   • Some think they are, but they aren't
   • Linux viruses
      • Not going to happen (*). Period.
   • Crypto attacks
      • Crypto is never the weakest link
   (*) except in the lab or (in rare cases) custom written
7. Remote Future Threats
   • I am most certainly wrong here... but let's use the "Feynman method": whatever goes on now will continue
   • So, let's gaze into our extra-murky crystal ball
      • User-driven malware will continue; users will not improve
      • Script kiddies and blackhats will not vanish
      • Hacking for money will increase; why do it for free?
      • Classic automated worms will decline (did I really say that?)
      • Client attacks will increase as vendors harden servers
      • Wireless attacks will become more frequent and impactful
8. Countermeasures
   • "Working" means:
      • Solves the problem AND
      • Widespread AND
      • Value for the money
   • "Not working" is:
      • Does not solve the problem OR
      • Niche OR
      • You don't get what you paid for
   • "Not appreciated":
      • Can work if people use them more
      • Fit two of the "working" criteria, but not widespread
9. Gartner Take on It!
   • OMG, did I just utter the "G word"?
   • What you definitely need:
      • HIPS, quarantine, vulnerability management, IdM, audit logs, AES, SSL, anti-spam/AV, BCP
   • What you probably don't need:
      • Quantum encryption, NIDS, biometrics, DRM, security awareness posters, 500-page policies, TEMPEST shielding, personal digital signatures, default passwords
   • Source: Gartner, "Management Update: The Future of Enterprise Security", Sep 15, 2004
10. What works!
   • Soft:
      • End-to-end security process and defense in depth
      • Incident response process
   • Hard:
      • Firewalls
      • VPN
      • Vulnerability scanning
      • NIDS, with correlation and context data
      • NIPS, for a narrow range of known attacks
11. As we prepare...
   • What does the typical company deploy today?
      • Anti-virus
      • Firewall
      • Router ACLs
      • Password management
      • NIDS
      • Anti-spam
   • Are they happy with it?
   • What else do they need?
12. What is NOT working?
   • Anti-virus
      • "What? It's the best we have." Well, not good enough.
   • Patching
      • People just don't do it (tools work, processes don't)
   • NIDS (yes, it is in both categories!)
      • With no correlation and context data, it fails
   • Anti-spam
      • Well, it kills 99% of it and the remaining 1% kills you
   • Code reviews
      • Application security is not getting better
   • Security awareness
      • Users are hopelessly broken... and will remain so
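The NIDS point above (it works with correlation and context data, and fails without them) is easy to show with a small script. The following is an added illustration, not code from the presentation: the same alert feed is handed to an analyst once as-is and once joined against an asset inventory and vulnerability-scan results, so that alerts aimed at dead addresses, closed ports or unaffected services drop out and the one hit on a scanned-vulnerable service rises to the top. Every alert, host and finding label here is constructed for the example (the `FINDING-*` strings are placeholders, not real vulnerability identifiers).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dport: int
    sig: str                # signature name, as a NIDS would emit it
    finding: Optional[str]  # scanner finding the signature corresponds to, if known


# Constructed asset/vulnerability context: open ports and scan findings per host.
# Labels are placeholders for the example, not real CVE or scanner identifiers.
ASSETS = {
    "10.0.0.5": {"services": {80}, "vulns": {"FINDING-A"}},
    "10.0.0.9": {"services": {445}, "vulns": set()},
}

# Constructed alert feed: four alerts, only one of which hits a vulnerable service.
ALERTS = [
    Alert("203.0.113.7", "10.0.0.5", 80, "WEB exploit attempt", "FINDING-A"),
    Alert("203.0.113.7", "10.0.0.9", 445, "SMB overflow attempt", "FINDING-B"),
    Alert("203.0.113.8", "10.0.0.9", 80, "WEB cmd access", None),
    Alert("203.0.113.9", "10.0.0.42", 80, "WEB exploit attempt", "FINDING-A"),
]


def score(alert, assets):
    """Rate one alert against context. Returns (priority, reason):
    3 = target scanned vulnerable, 2 = service open, 1 = port closed, 0 = no such host."""
    asset = assets.get(alert.dst)
    if asset is None:
        return 0, "target not in inventory (likely a dead address)"
    if alert.dport not in asset["services"]:
        return 1, "target exists but the port is closed"
    if alert.finding is not None and alert.finding in asset["vulns"]:
        return 3, "target scanned vulnerable to what the signature exploits"
    if alert.finding is not None:
        return 2, "service open but not vulnerable to that finding"
    return 2, "service open; signature carries no finding to check against"


def bare_queue(alerts):
    """What the analyst sees with no context: every alert, same weight."""
    return list(alerts)


def triage(alerts, assets, min_priority=2):
    """Contextualized queue: drop low-priority alerts, highest priority first."""
    scored = [(score(a, assets), a) for a in alerts]
    kept = [(p, reason, a) for (p, reason), a in scored if p >= min_priority]
    kept.sort(key=lambda t: t[0], reverse=True)
    return kept


if __name__ == "__main__":
    print(len(bare_queue(ALERTS)), "alerts to look at without context")
    for p, reason, a in triage(ALERTS, ASSETS):
        print(p, a.dst, a.dport, a.sig, "::", reason)
```

The bare queue has four alerts of equal weight; the contextualized one keeps two and puts the hit on the vulnerable host first. On a real sensor the ratio is far worse than four to two, which is the point the slide is making.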
13. Not appreciated
   • Log analysis and log management
      • Effective, but needs to be used more
   • Hardening
      • Even less popular than patching, but it works
   • HIPS
      • It works. Do YOU run it? Probably not.
   • Honeypots
      • Honeyfarm or "honeytoken" deployment
   • Security standards
      • Standard is simple! Simple is secure!
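Two items on this slide, log analysis and honeytokens, combine naturally, so here is one added example (not from the presentation) that does both over a handful of constructed sshd-style auth log lines: it parses the lines, flags any authentication attempt, successful or not, against a planted account that has no legitimate use (the honeytoken), and counts failed logins per source to catch a password-guessing burst. The account name, hosts, addresses and log lines are all made up for the example; the threshold of five failures is an arbitrary assumption.

```python
import re
from collections import defaultdict

# The honeytoken: an account that exists nowhere legitimate, so any use of it
# is worth an alert. The name is a constructed example.
HONEYTOKEN_USERS = {"svc_backup_old"}

# Constructed sshd-style auth log lines (not captured from a real system).
LOG_LINES = """\
Oct  6 10:01:02 web1 sshd[2101]: Failed password for alice from 198.51.100.4 port 51022 ssh2
Oct  6 10:01:05 web1 sshd[2101]: Failed password for alice from 198.51.100.4 port 51023 ssh2
Oct  6 10:01:07 web1 sshd[2101]: Failed password for root from 198.51.100.4 port 51024 ssh2
Oct  6 10:01:09 web1 sshd[2101]: Failed password for admin from 198.51.100.4 port 51025 ssh2
Oct  6 10:01:11 web1 sshd[2101]: Failed password for invalid user test from 198.51.100.4 port 51026 ssh2
Oct  6 10:02:30 web1 sshd[2150]: Accepted password for bob from 10.0.0.12 port 40210 ssh2
Oct  6 10:03:44 web1 sshd[2188]: Failed password for svc_backup_old from 203.0.113.9 port 60001 ssh2
Oct  6 10:03:50 web1 sshd[2190]: Accepted publickey for svc_backup_old from 203.0.113.9 port 60002 ssh2
""".splitlines()

# One pattern covers both outcomes; "invalid user" is optional because sshd
# inserts it when the account does not exist on the box.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(line):
    """Return the fields of an sshd auth line as a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, honeytokens, fail_threshold=5):
    """Walk the log once. Emit ('honeytoken', user, src, result) for every touch
    of a planted account and ('bruteforce', None, src, count) for any source
    with at least fail_threshold failed logins."""
    failures = defaultdict(int)
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # not an auth event this toy models
        if ev["user"] in honeytokens:
            findings.append(("honeytoken", ev["user"], ev["src"], ev["result"]))
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
    for src, n in sorted(failures.items()):
        if n >= fail_threshold:
            findings.append(("bruteforce", None, src, n))
    return findings


if __name__ == "__main__":
    for f in analyze(LOG_LINES, HONEYTOKEN_USERS):
        print(f)
```

The honeytoken rule needs no threshold and no tuning: the account is never supposed to be used, so a single failed attempt against it from 203.0.113.9, followed by an accepted key login, is a high-confidence finding, while the same source would never trip the count-based brute-force rule.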
14. Future Countermeasures
   • Promising
      • Better firewalls
      • Better correlation for IDS and logs
      • Better client security
      • NAC/NAP quarantine
      • Worm defenses
   • Questionable
      • Pure-play anomaly detection
15. Conclusion
   • Security will remain fun! It will be funded, too, as threats persist
   • Prevention will never supplant detection, and detection will never supplant response; thus all the technologies will remain
   • What is underappreciated today will move into the mainstream tomorrow!
16. Thanks for Viewing the Presentation
   • Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
   • Author of "Security Warrior" (O'Reilly) –
   • Book on logs is coming soon!
   • See for my papers, books, reviews and other security resources related to logs