Re: Hacking: As American as Apple Cider

["Hackling, Matthew (AU - Melbourne)" <mhackling () deloitte com au>]

After reading Marcus's The Six Dumbest Ideas in Computer Security and
especially #3 and the minor dumbs the main reason for poor computer
security came up in my mind...

 

ECONOMICS!

 

An organisation's/vendor's security spend and hence implementation of
security controls is dependent on their risk appetite.

 

For example I was amazed that one of my manufacturing clients told me
they could deal with their computer network being out of commission due
to a network worm for up to 3 days.  But their point of view started to
sink in after they explained that it was more cost effective for them to
lose their network once a year for a day or so rather than spending
multi-millions on buying new routers to implement network segregation,
thousands of new PCs so that they could implement a standard operating
environment, and upgrading their WAN links to enable managed patch
deployment.  This client had an aggressive risk appetite.  

 

Whereas a bank I work with told me that they could estimate the
multi-million dollar change in stock price that would result from a
media report of any outage of the financial system we were working on.
Hence they spent a lot of effort on security testing, security
technology, redundancy etc.  This client had a conservative risk
appetite.  

 

I often work on security testing for online banking systems for banking
clients, where we perform security design review and acceptance testing.
On a $50M project we can usually expect a $400K engagement.  That's less
than 1%.    

 

Now take for example a vendor of an application/operating system etc.
Their business model is to spend $100M on developing a product, $100M on
marketing, shrink wrapping the product at a cost of $10 per product and
sell it 1000000 times at a cost of $1000 until it makes $1000M.

 

Now what will make their product more marketable, sitting on a shelf?

 

More features than the competition?

 

Or 

 

Better security than the competition?  

 

Who will get the finite amount of developer time allowed by the budget?
New features or securing old features?

 

Their security can't be so bad that no-one will buy their product, but
having average of less than average security will not financially
disadvantage the vendor.

 

And when you have a monopoly where only one vendor dominates, there is
no financial incentive for innovation or for improving security.

 

Now a vendor is going to have the most aggressive risk appetite of any
of these organizations!  They don't have anything to lose!   So one out
of 1000 customers want a refund because of a security problem, no
problems, the product will still deliver on budget.  Most customers will
just wait for a patch, that will take a few hundred hours to put
together, in down-time between releases, so "penetrate and patch" makes
economic sense for them.

 

 

Minor dumbs...

 

"Let's go production with it now and we can secure it later" - no, you
won't. A better question to ask yourself is "If we don't have time to do
it correctly now, will we have time to do it over once it's broken?"
Sometimes, building a system that is in constant need of repair means
you will spend years investing in turd polish because you were unwilling
to spend days getting the job done right in the first place. 

"We can't stop the occasional problem" - yes, you can. Would you travel
on commercial airliners if you thought that the aviation industry took
this approach with your life? I didn't think so.

 

# 3 Penetrate and Patch

"One clear symptom that you've got a case of "Penetrate and Patch " is
when you find that your system is always vulnerable to the "bug of the
week." It means that you've put yourself in a situation where every time
the hackers invent a new weapon, it works against you. Doesn't that
sound dumb? Your software and systems should be secure by design and
should have been designed with flaw-handling in mind."

 

 

 

Matthew Hackling B.Sc. (Security) CISSP

Client Manager

Security Services Group

Deloitte

Direct: +61 3 208 6610

Fax: +61 3 208 7001

Mobile: +61 402288599

mhackling () deloitte com au

www.deloitte.com.au

 

180 Lonsdale Street

Melbourne

Victoria

 



This email and any attachments to it are confidential.  You must not use, disclose or act on the email if you are not 
the intended recipient.   Liability limited by a scheme approved under Professional Standards Legislation.  Deloitte is 
a member of Deloitte Touche Tohmatsu (a Swiss Verein).  As a Swiss Verein (association), neither Deloitte Touche 
Tohmatsu nor any of its member firms has any liability for each other's acts or omissions.  Each of the member firms is 
a separate and independent legal entity operating under the names "Deloitte", "Deloitte & Touche", "Deloitte Touche 
Tohmatsu", or other related names.  Services are provided by the member firms or their subsidiaries and affiliates and 
not by the Deloitte Touche Tohmatsu Verein.