Michael Healey: Pay Attention (Piling On)
Richard Bejtlich has a post responding to an InformationWeek article written by Michael Healey, ostensibly about end user security. Richard upbraids Michael for writing the following:
Too many IT teams think of security as their trump card to stop any discussion of emerging tech deemed too risky…
Are we really less secure than we were 10 years ago? Probably not…
…security folks are so jumpy. But they’re missing the message that CIOs need to hear: Security is working. It’s been more than a decade (yes, 10 years) since any particular security flaw has had a truly widespread impact. The Melissa and the ILoveYou attacks were the last.
Now Richard dresses down Mike regarding his naiveté about the threat landscape. Using Melissa and ILoveYou as examples of aggregate risk to Internet participation is, of course, silly. But the lesson doesn’t stop there. Michael, even if your organization hasn’t had a recent, significant breach – there’s very little evidence to suggest that this is because “it’s working”. It could very well be “good luck” based on a lack of frequency (in threat actions). Think of it this way: while I’m sure there are parts of Oklahoma that haven’t been hit by a tornado in recorded history, that doesn’t mean that I’d move into a mobile home there.
Let me also pile on by mentioning that the Verizon DBIR data set shows a significant uptick in the use of custom malware by threat agents (you know, the kind designed to evade signature-based defenses) in data breaches.
Speaking of which, let me share with you a few thoughts on impact and loss. In the past four years, we can account for nearly a billion records (credit cards and other PII) known to be compromised. And that’s *just* the Verizon/Secret Service data. You could probably increase that number by 12 figures by including data at risk and lost from the DLDB. Being a journalist, I’m sure you’ll recall that here in the US we have had significant IP and military secret losses, as well.
Finally Mike, there’s the problem of trying to keep up with the threat landscape. Take Gunnar’s excellent table around web security as an example:
Do we really need to say any more?
Yes. Let’s stop focusing on custom malware. How many enterprises (let’s say >10K machines) are malware free?
@adam
That’s easy. 0.
One thing I “like” about Healey’s article is this is not nearly the first time I’ve heard someone claim such statements by citing things like Melissa, ILoveYou, Slammer, Slapper, or Code Red being “old” and no longer happening. It’s not the correct conclusion at all, but gives us all a bit more “practice” in breaking down such assertions which often come from peripherally-technical persons.
I’m quite positive if malware writers were still as interested in destruction as they are in making money, we’d still have plenty of similar-feeling issues as those “old” ones. Malware today is far more parasitic than it is viruslike…
Then again, we *have* gotten better in some regards. I imagine there are far fewer SQL servers with their balls exposed out on the Internet through the firewalls today than before Slammer. But we’re getting dangerously specific in examples like that. People open emails that say “ILoveYou” far less often, but what about “Here you have?” D’oh!
Thank you Richard for the article. I am an IT Director of 25 years, and was given Michael Healey’s article by my CEO today, with a drawn circle on the cover article. I too picked up on Richard’s disregard for security and lack of respect for an IT Director’s continual challenge of implementing latest technologies while maintaining and meeting company culture, costs and security. The practicality, cost and security of implementing a technology often outweighs the advantages of a newly introduced technology. Even the government, with unlimited taxpayers’ funds, was trying to persuade Obama to give up the Blackberry.
Mr. Healey sells technologies to companies for a living, you sell security – your article was less biased and your credentials easily outweigh Richard’s. It is articles like Richard’s that make an IT Director’s job that much harder to gain CEO support in business decisions. It should have never been the cover story – it was poorly written.
Thank you again for your rebuttal.
I hope we get better articles from InformationWeek (maybe even one written by an IT Director).