For several years, as I have learned more and more about how computers, networks, and policy are interrelated, I have felt security in these areas is actually getting weaker. I listen to people just blame security issues on Bill Gates and think they are immune because they can bash a vendor. This seems to be happening by over-governing some aspects, underfunding, and hiring absolutely the wrong people. Today I saw a couple of blog posts that should let you know exactly how bad it is out there.
First, consider this from Taosecurity. If you don't believe that is our stolen technology staring you in the face, it is. APT is a really hip buzzword, but it's real and you better figure out what it is and where it is on your networks. I know a couple of govie orgs suffering from this right now, but they are too arrogant to think it could happen to them, so it will remain on their networks until... well, probably for a while.
Saving the best for last, I read about the carders.cc job. No, I didn't read the 900 cut-and-paste opinions on it, I read it from the d00dz who did it. Are you still confident about your security, wanting to trust your users, wanting to trust some 1337 guy you hired? Read this e-zine from the 0wned and Exp0sed crew. If that doesn't make you realize we all suck at security, I don't know what will.
I am not at all saying we, or anyone mentioned, are stupid. I am stating that the enforcement of the status quo must stop. We all need to learn more, do more, and weed out the lameness. Note in the zine that if you have used (installed) ettercap in the last five years, you might want to check your "shit." Do you know how many of us use that? ALL OF US!! That sucks! These people went after several high-profile, well-respected security pros and their websites, and 0wned them at will. If you think you're immune, please share your awesomeness with the rest of us, because this should make you realize how bad the state of security is. What this group did is wrong, but things like this need to happen in order to get things moving in the right direction.
I read this post by Rafal Los (Wh1teRabbit) and wanted to agree completely. If you still believe you can have a firewall and an IDS and "trust" your users, you are inviting a problem. If you have a team that is convinced that nothing bad could ever happen to their infrastructure because they are 1337, you have a bigger problem. The blog post and comments focus on the fact that data is what needs to be protected, not just the location of the data. As mentioned in an earlier post, mobile computing and new threat and attack vectors are removing your borders for you.
Your people are your greatest asset and your biggest risk. Somebody in your organization clicks links, brings in infected USB drives, plays on Facebook all day, or actually wants to steal your data. I have been inside some supposedly very secure networks before where nothing but everyone's good intentions, and some veiled threats, stopped them from doing whatever they wanted. I don't just mean a penetration tester with network access, I mean anyone that knows how to open Network Neighborhood or send email. Talking with the management in these organizations resulted in some head nodding and furrowed brows, but no change or desire to change. Every now and then a technical person would get frustrated and leave, only to be replaced by a project manager or an "architect." At one place, a mid/senior-level analyst left and the management decided to replace him with someone that had no security experience. One of the quotes overheard from that management group was "We don't need any more smarty pants around here, we need someone who can get along with everyone." I agree that your team should function well together, just not at the expense of your data's security.
So, think of it this way:
1. Can a malicious insider, no matter how unlikely, steal your data?
2. Can a non-malicious insider bring a threat inside that compromises your data?
3. In either case would you even know if this had happened?
4. Why can it happen?
5. What can be done to lower the risk or impact?

Good luck planning for future security projects, and don't forget to use the WikiLeaks trend to increase your budget for next year.