[15674] in cryptography@c2.net mail archive
Re: Question on the state of the security industry (second half not necessarily on topic)
daemon@ATHENA.MIT.EDU (Joseph Ashwood)
Thu Jul  1 17:02:10 2004
X-Original-To: cryptography@metzdowd.com
From: "Joseph Ashwood" <ashwood@msn.com>
To: <cryptography@metzdowd.com>
Date: Wed, 30 Jun 2004 13:10:07 -0700
----- Original Message ----- 
From: "Ian Grigg" <iang@systemics.com>
Subject: Question on the state of the security industry
> Here's my question - is anyone in the security
> field of any sort of repute being asked about
> phishing, consulted about solutions, contracted
> to build?  Anything?
I am continually asked about spam, and I personally treat phishing as a
subset of it, but I have seen virtually no interest in correcting the
problem. I have personally been told I don't even know how many times that
phishing "is not an issue."
I personally know it's an issue because between my accounts I receive ~3-5
phishing attempts/day, and the scams apparently account for a major portion
of the GNP of many small countries.
> Or, are security professionals as a body being
> totally ignored in the first major financial
> attack that belongs totally to the Internet?
>
> What I'm thinking of here is Scott's warning of
> last year:
>
>    Subject: Re: Maybe It's Snake Oil All the Way Down
>    At 08:32 PM 5/31/03 -0400, Scott wrote:
>    ...
>    >When I drill down on the many pontifications made by computer
>    >security and cryptography experts all I find is given wisdom.  Maybe
>    >the reason that folks roll their own is because as far as they can see
>    >that's what everyone does.  Roll your own then whip out your dick and
>    >start swinging around just like the experts.
>
> I think we have that situation.  For the first
> time we are facing a real, difficult security
> problem.  And the security experts have shot
> their wad.
>
> Comments?
In large part that's the way it looks to me as well. We have an effectively
impotent security community, because all the "solutions" we've ever made
either didn't work, or worked too well. We basically have two types of
security solutions: the ones that are referred to as "That doesn't work, we
had it and it did everything it shouldn't have" and those that result in "I
don't think it works, but I can't be sure because we were never attacked."
The SSL/TLS protocol is an example of this second type, I am unaware of any
blackhats that bother attacking SSL/TLS because they simply assume it is
impenetrable. At the same time we have the situation where Windows is
continually attacked, not because it is less secure than the others, but because
it is _believed_ to be less secure than the others, so the Windows security is
clearly of the first type. The biggest problem I've seen is that we're
dealing with generally undereducated people as far as security goes. We
need to start selling that we facilitate a business process, and that
because of this all you will see are the failures; the successes will almost
always be invisible.
Also as with all business processes, there is never a final state, it must
be often reanalyzed and revised. This puts us in a rather strange situation,
where something that I have always offered becomes important, we become an
outsourced analyst, almost an auditor situation. To build this properly the
security model that is constructed needs to be built to include emergency
thresholds and revision timeframes. By supporting the security process as a
business process it allows the concepts to more easily permeate the CXO
offices, which means that you are far more likely to make more money, build
a long term client, and create a strong security location.
To make the point clearer, I have ended up with clients that were previously
with better known cryptanalysts, including some worldwide names. These
clients have been told by their previous consultants that their security is
good, but their consultant never told them that it needs reanalysis, they
never encouraged the creation of a business process around it, it was always
"Ask me when you have questions." I did not poach these clients, they left
their previous consultants, and found me through referrals. These
relationships are extremely profitable for me, for many reasons; I actually
cost less than their prior consultants, but I make more, because everything
is done quickly, efficiently, and effectively.
This security process builds stronger security, and while I admit I am still
rarely asked about phishing, and even rarer is my advice listened to, my
clients are rarely successfully hacked, and have lower than average losses.
Our biggest problem is that we view the security process as distinct from
business processes. I truly wish I could make the Sarbanes-Oxley 2002
(http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf) act
required reading for every security consultant, because it demonstrates very
much that proper security consulting is actually a business process.
Getting back to the topic, by doing this we can help them move from the
"dick swinging" phase to a best practices security infrastructure used
accurately and appropriately. We also need to start putting our money where
our mouth is, I've seen too many "security consultants" whose primary job
was to sell the add-on services available from their employer, instead we
need to follow Sarbanes-Oxley in spirit and separate our security auditing
from other services, even to the point where I am not invested in any
company whose products I recommend (obviously I'm not shooting myself in the
foot and investing in their competitors either). Unfortunately, a large
number of cryptanalysts will have a lot of penance to take before they can
do this because their "dick swinging" has been highly visible.
                Joe
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com