A bleak picture of IT security metrics and fighting malicious attacks
Date: Dec 11, 2013
Eugene Spafford was the first to analyze the Morris worm, the first known Internet worm, and has since become a well-known security adviser. Currently the executive director of the Center for Education and Research in Information Assurance and Security, and a professor in the department of computer sciences at Purdue University in West Lafayette, Ind., Spafford recently sat down with SearchCompliance Editorial Director Christina Torode at the ISSA conference in Nashville, Tenn. There, he painted a somewhat bleak picture of the security industry's battle against malware since the late 1980s, including the lack of IT security metrics that justify much-needed security investments to counter business risks.
We have more malicious attacks and more threats today than when you did your analysis of the Morris worm. What have we learned, and what have we not learned?
Eugene Spafford: I don't think we've really learned a lot from the experience in 1988 when the Internet worm really hit what was then the Internet, much smaller at the time. It was notable because nothing like that had occurred before. And at the time there were only about 20 computer viruses total that were in the wild that we'd had problems with.
We should have learned a number of things then about the way that we built defenses on networks, the way that we constructed systems to be proof against malicious software, the way that we responded to incidents when they occurred. And we didn't really learn any of those things. So, if you flash forward to today -- I contacted people at McAfee and Sophos, and they provided me with some of their numbers -- we currently, so far this year, are to the point where we have about 180 million known signatures from malware out in the wild that has been seen over the last 25 years, and new ones coming in at about a rate of 8 million a month, 2 million a week.
That's incredible but not newsworthy. We hardly mention that. In fact, those numbers are probably a surprise to most people because they just get the updates to their antivirus programs and then they don't notice what's going on. There are literally hundreds if not thousands of botnets and other kinds of network malicious software that are out there, in the background all the time, sending spam, planting password-stealing information, stealing banking information. If we had learned some lessons 25 years ago, it wouldn't be anywhere near that bad now. I really don't think we've progressed much; if anything, we've regressed.
Sounds pretty bleak. So, what can security professionals do? Is there something they can do on the technology side, or is it more best practices? Any recommendations?
Spafford: Well, I think we can make things better on all those fronts. Part of the problem is that I really don't believe that security is taken seriously. We still have a case where people are not willing to invest in appropriate security measures. They aren't willing to invest in technologies that could make things better if it requires doing away with some of their legacy systems and software, because they have an investment there. So they've made that choice: that the cost is too high, that good security is not worth that expense. They don't state it that way, but that's basically what happens. So, part of that practice that could change is to raise that awareness, that that choice is being made at pretty much every level.
We could do a better job with some of the research and technology aspects by looking at different technologies, some of which are known, some of which could yet be discovered. That would change things drastically. To do research on systems that might require using something other than Windows and Linux as a background might make things better -- something other than depending on firewalls and intrusion detection and antivirus as patches.
Another thing that professionals could do is start insisting on systems that don't need patching, and that they would be willing to pay for that. They would be willing to pay for systems that are secure by design, rather than assuming that patching is the way to go for better security.
So, there's a whole range of things that could be done better by just changing the way that we look at the field rather than constantly responding to threats, instead trying to get out in front of them and prevent them from occurring.
It's interesting that you say that it's not being taken seriously and people don't want to spend the money. I know that, in talking to a CIO, he was saying that it's becoming more common for the board of directors to actually listen to him now when he talks about risks to the company, but are you not seeing that? What is preventing the board really from acknowledging that this is something we need to spend money on?
Spafford: Part of the problem is we don't have any good security metrics. It's really difficult to quantify the risks in a way that business people who don't have a background in the area are able to say, 'For X more dollars spent, we get this additional margin of protection,' because we don't have a way to measure that margin of protection. We don't have any good ways of actually measuring what the danger is or what the effectiveness of mechanisms are. That means that even if attention is being paid by a CEO or board to the CIO or CSO, they don't have a good way of presenting the case in a dollars-and-cents fashion that's going to make the case as to what needs to be done.
Have you seen any companies come up with a way to measure this at all? Ones that are putting IT security metrics in place?
Spafford: Not with any fidelity. There are some that are able to do large-scale, ballpark kinds of measurements, but those are not metrics -- they're measurements that basically say, 'We had this many break-ins this year, we have this many next year, this is what our peer group is facing' -- and those aren't really formal security metrics. Those are saying, 'Well, these are our approximations.' It's still the case that we're much better able to measure megabytes and dollars than we are able to measure effectiveness -- resistance against attack.
Is there a particular technology trend that's opening organizations up to more security threats?
Spafford: Well, I think there are multiple technologies as we move forward and that's always been the case with the introduction of new technologies. The market moves those technologies before thinking about the impact on not only security but on privacy as well. So with big data, there are certainly some issues on security but also on privacy having to do with how that information is combined and mined.
The move towards cloud storage has all kinds of vulnerabilities associated with it that most people haven't thought of because it's the latest buzzword. So, [people think] we'll move to the cloud and we'll save money, but they don't think about the fact of where is that located? What are the laws and the jurisdiction over where that's located? How are those systems actually protected?
The newest technologies that I see at risk -- and they're not necessarily new technologies -- involve distributed sensors of various kinds: cameras and sensors of all sorts that are on the Internet and that therefore can be used for information tracking. Finding information that is unintended by whoever put them out there. And also, this trend towards increased mobile computing.
The ads that are appearing now for basically a cell phone in the watch ... where is the thought given to what happens when these smart devices on our belts or our wrists are broken, or lost, or stolen? And all the information on them is either gone or in somebody else's hands. Those kinds of issues don't seem to be addressed by the vendors of those items or in the press coverage of their introduction. And that's a problem for the end consumer because they're not in a position to think about it, either.