
What on earth are we spending our infosec budgets on?

Houston, we have a problem


In 2000, the FBI estimated that businesses worldwide lost $1.5 trillion. The New York
Times reported computer misuse losses topping $7 billion in 1999. In February 2000,
distributed denial-of-service attacks resulted in losses of several million dollars. Victims
included Amazon, E*TRADE and a number of high-profile, high-tech organisations
that we would have expected to have “known better”. Losses averaged $1,103,000 per
company, according to the Computer Security Institute/Federal Bureau of
Investigation (CSI/FBI) Computer Crime and Security 2001 survey [1]. These losses
have increased, up from the $970,000 average per company reported in a similar survey
conducted during 2000.

Whatever we’re spending on infosec, it isn’t working. We need to rethink the strategy
and architecture of our critical information infrastructure in the organisation, how we
are using it, and the threats, vulnerabilities and controls inherent and required by our
business and operational processes.

Let’s look at some more statistics. 82% of attacks are attributable in some way to
insider threats – employees that are either coerced, duped, or bribed into assisting (or
at least, not preventing) an inside attack. One of the key problems with employees is
the ease of access, required by the normal day-to-day tasks of the employee, that may
be abused by an unscrupulous member of staff. Although there is evidence to show
that the ratio of attacks is shifting towards the 60:40 region, this is due to a startling
increase in the number of external attacks, and not a reduction in insider activity. In
fact, insider activity is also increasing!

[1] See www.gocsi.com/fbi_survey.html for more information.
[Chart: number of incidents per year, 1998 to 2001, comparing insider misuse with external intrusion.]

What does my firewall actually do?


A firewall is a barrier between two different trust zones – for example, a training
laboratory will be separated from the main enterprise network. Commonly, firewalls
are found separating the corporate network (as a whole) from third-party networks
such as the Internet. However, it is becoming more common for enterprises to choose
to limit access to sensitive systems, such as HR, financials, and critical production
systems – there is a very recent story of a disgruntled journalist who logged onto his
desktop publishing system and ensured that the column letters of a front page story
spelt a rude message to his managing editor!

Firewalls are layers of defence in the corporate “fortress” mentality, and there is a
common belief that the more layers you have, the safer you are. This is despite the
fact that in order to use the network you are firewalled from, you need to create safe
pathways for your data across the firewall. “How do you know who and what are
using the pathways” is an interesting question!

Using the fortress model, it is also common to see that where there is a perceived
security threat, the common response is to add another layer. This is laid down as
official policy in a wide variety of organisations, including some very security-
minded ones, who ought to know better. If an attacker can bypass one layer, bypassing
two is a simple exercise in time.

Another model – the high street bank


The best analogy for the modern information-connected enterprise is the high street
bank. The doors of the bank are open to allow customers to do business during the
day, and locked at night. During the day, customers are welcomed into a public area
called the “banking hall”, which is not only protected by gates, grilles and bulletproof
glass from the outside world, but also has similar protection between it and the area
where banking staff work, and where valuable assets (such as money!) are stored.

Banks know a lot about physical security – they’ve been in the business for many
years now. One of the things that is observable about a bank is its “fortress layers”.
Doors are strong, with secure locks. However, there is a recognised point at which
there is no point whatsoever in strengthening the door, and this is the point where it is
easier, quicker, and quieter for an intruder to drive through the wall. To allow a rapid
response to security incidents, a number of measures are deployed to watch the
movement of customers in and out of the bank, and to warn security managers when
an unexpected attempt is made to enter without proper permission.

We need a burglar alarm for the enterprise network. Winn Schwartau said in Time
Based Security that “the fortress mentality is dead”. Certainly one of the issues
appears to be that without an effective threat monitoring system, the effectiveness of
the firewall is limited. Time to think about Intrusion Detection Systems.
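To make the “burglar alarm” idea concrete, here is an added example (not from the original article) of the two checks the bank analogy suggests: watching who uses a permitted pathway when the “doors” should be shut, and warning when one source is repeatedly refused entry. The log format, the sample lines, the business hours and the threshold are all constructed assumptions for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample firewall log (not real data). Assumed line format:
# "<ISO timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2001-06-12T09:15:02 ACCEPT src=10.1.1.20 dst=10.9.0.5 dport=443
2001-06-12T10:02:44 ACCEPT src=10.1.1.21 dst=10.9.0.5 dport=443
2001-06-12T23:41:10 ACCEPT src=10.1.1.20 dst=10.9.0.5 dport=443
2001-06-12T23:41:11 DROP src=198.51.100.7 dst=10.9.0.5 dport=22
2001-06-12T23:41:12 DROP src=198.51.100.7 dst=10.9.0.5 dport=23
2001-06-12T23:41:13 DROP src=198.51.100.7 dst=10.9.0.5 dport=3389
2001-06-12T23:41:14 DROP src=198.51.100.7 dst=10.9.0.5 dport=445
2001-06-12T23:41:15 DROP src=198.51.100.7 dst=10.9.0.5 dport=1433
"""

LINE_RE = re.compile(r"^(\S+) (ACCEPT|DROP) src=(\S+) dst=(\S+) dport=(\d+)$")

BUSINESS_HOURS = range(8, 18)  # assumed: the "doors are open" 08:00 to 17:59
DROP_THRESHOLD = 5             # assumed: this many refusals from one source is an alarm

def parse(log_text):
    """Turn log lines into (timestamp, action, src, dst, dport) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, action, src, dst, dport = m.groups()
        events.append((datetime.fromisoformat(ts), action, src, dst, int(dport)))
    return events

def alerts(log_text):
    """Return (kind, detail) pairs for traffic the firewall alone would not flag."""
    found = []
    drops = Counter()
    for ts, action, src, dst, dport in parse(log_text):
        if action == "ACCEPT" and ts.hour not in BUSINESS_HOURS:
            # A permitted pathway used when nobody should be using it.
            found.append(("after_hours_access", f"{src} -> {dst}:{dport} at {ts.isoformat()}"))
        elif action == "DROP":
            drops[src] += 1
    for src, n in drops.items():
        if n >= DROP_THRESHOLD:
            # Repeated attempts to enter without permission.
            found.append(("repeated_denied_entry", f"{src} denied {n} times"))
    return found
```

Run against the sample it reports one after-hours use of the allowed 443 pathway and one source refused five times; the firewall’s own rules would have passed the first and silently dropped the second.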
