the changing face of the security landscape those days can be perceived mostly from security vendors reports and news article than from a real understanding of what has changed and what is going to change in the security landscape from security people.
In the enterprise environment there are still the old fashioned procedures and the overall approach upon security needs is quite dated.
But to be able to understand what we need to change and why we need to change our approach would be useful to understand what are all those changes about.
Once upon a time there was a cable
When the cyber security started to enter our world? basically when we started to deal with distributed computing, the introduction of PC shifted the data and it’s process from a single point (the mainframe) to several distributed entity (the PC’s).
the first networks were barely security aware, at the end the need of security was not perceived as something important, the economic impact of the network was not so clear and so the network itself was not perceived as an asset, but mostly as a expense to live with.
But while the OS and application were evolving also the economic impact of network started to change, the need of exchange data and the value of the exchanged data were rising and so the need of security. The security principles has been build ten on that kind of world.
But how were made those networks? Well before the introduction of mobile computing (laptop and so on) most of the security were dealing with a sort of identity: user, computer and network address used to live on the same domain and they were quite exchangeable.
A PC was given to a specific users, in a specific physical location (office and desk) and usually used a specific IP or a an IP coming from a specific range through DHCP.
Since network security was dealing in an easier way with network addresses than with computers or users, the approach was to develop a security culture based on protocols.
With the wide adoption of TcpIp and the internet this culture grown up and specialized.
While security was working on network protocols another aspect was rising, virus comes to face IT world.
The two aspects were quite distinct, and so dealing with viruses or dealing with networks were a completely different job.
But this approach started to show it’s limit as internet and mobile computing were growing as importance. Laptops and internet have been a pain n the ass for lot of security administrators because they were breaking old habits and mostly the equation they always considered truthful security:=network protocols = pc =users.
The introduction of internet and mobile computing forced the administrators to add to the equation at least another component: the Operating Systems and it’s potential flaws. So became quite common to talk about OS security outbreaks, most of them were TCPIP stack related.
What this approach was missing was mainly applications and user behaviors, but since security was perceived as a network element while application and users were related to other process those words were not exchanging information.
What were those new user habits bringing in our networks?
While network administrators were trying to preserve their views of the world, user started to browse the internet, going around with laptops, application started to change and become more complex and pervasive, the amount of sensitive and valuable data were growing exponentially as their exchange.
the old assumption that the computer, user, applications and it’s network address were the same started to vanish.
But firewalls rules were still built on addresses, ports and protocols.
With the growing importance of internet the applications started to change and web services and http becomes the man media to exchange data. Well this is understandable, the internet were the land of marketing, where you would be able to met more people at lesser costs. And the developers were not interested in security, it would make have made coding more complex, and besides the security and network guys were not giving any guidance on it.
Users with laptop started to browse outside company network perimeter, adding personal applications and using the laptop for work and leisure. But mostly they started to work outside the IT perimeter, and to do so used to break the IT security rules that were created for a complete different world.
As an example we can think about the email access, that originally was given only inside the perimeter. that the first webmail were coming out (who has not used Microsoft OWA?). But mail rules were so restrictive that people started to use personal account also for work needs. so if you were in need to exchange a big presentation or a file, or send or receive an exe file you were forced to use external webmail services to workaround limitation made by IT department.
The misconception about security issues were leading to underestimate the impact of email, social engineering, social networking and so on.
While the users and marketing were embracing the new the IT department were fighting the change, but changes are inevitable.
And there was the hacker
As the networks were expanding and opening a new player started to become familiar, the hacker. at the beginning a sort of romantic figure, a sort of lone hero that would prove his ability against the world breaking into systems.
This naïve and quite untruthful misconception of hacking figure was used for a long time in order to underestimate the impact of network security in the IT environment. But with the growing economy related to personal computing the criminality started to understand that there were space to make money.
So hacking form a naïve and heroic figure turned into the nowadays cyber criminals activities. While IT security people were still dealing with ports and protocols the cyber criminals were targeting something different: applications, data and users. SMTP, HTTP and HTTPS started to be the keyhole that were allowing to force security measures.
Browsers and http mails become a security concerns just a little bit too late to address the growing cyber criminal economy. What was not understood (and still many do not have clearly understood) is that cyber criminal activities are driven by money, retaliation or political issue but the target were users. the network was just one part of the equation, not the final target.
While criminality was exploiting new ways to hack data and make money IT infrastructure were quite static.
here comes the smartphone
The last hack to the usual security habits was the recent introduction of the smartphones with browsing capability. now the IT department started to face another issue, not only the number of OS were increasing, not only the point of access were unknown as it’s surrounding, but also the device used were not part of the IT infrastructure, but often privately purchased by the owner and used also for work tasks.
If once there was at last a company laptop used to access company information’s, resources and data, now there is a plenty of device with heterogeneous OS, different security settings, different network entry points and geo location to make everything more complicated.
Security people still have to embrace the change, while cyber criminal already did
To realize that a firewall rule based on source IPport destination IPport and some other detail is not more enough is not an easy process. Bad habit are hard to leave.
There is a series of misunderstanding that are related to old way of thinking that still affect security, if should be clear now that our network model has shifted form a border model to a borderless one the change in criminal behaviors on the internet should drive other significant changes.
First of all we should rethink the idea that IP means host.
Is a common mistake to consider an IP as a monolithic identity, the truth is that an IP could be vehicle of thousands of services, some compromised, some not. an IP is not bad per se, but some of the services is providing could be affected.
Then we should realize that cyber attack tends to target the most easy way: http, https are, for example, good media to spread infection as smtp.
a vulnerability, per se, does not means that we have an high risk, the majority of successful attack comes in forms of spear phishing, drive to download and so on.
also dos attack usually try to leverage higher protocols and application behaviors more than the network per se.
Mobile and home computing dramatically widen our attack surface and so our exposure to risks.
the lower protection we gave to home and mobile computer facilitate cyber criminals work, allowing to find a big amount of easy target that can be used to generate more complex activities. this has been understood by the security environment after words as botnets and zombie become common terms in security literature and news articles.
Just in those last two years press started to realize how big is the issue and started to write on this. we saw just the tip of the iceberg, but last years was officially the year of the botnet and finally security people realized that this is not a problem related to just home computers.
The target is mostly the user and it’s way to use the devices. Quite all the recent attacks that raised the news attention, from RSA Hack to Epsilon one, just to name two, used humans as Trojan horse. the human component in the security process cannot be underestimated anymore.
Concepts like user aware security rules, and context aware security rules should become common to anyone.
This does not means that the old approach is useless, but simply that it was not enough.
What we should expect now?
Consumerisation of browsing devices, the enterprise use of personal device, the growing mobility needs of the workforce is a trend that would not be stopped.
But there are two other breaking points that are coming and will give headache to security people: cloud adoption and IPv6.
We can easily understand why cloud is a concern, it force us to rethink our monitoring process and rethink our procedures. who will manage my data, how my data will be secured, how I can avoid lock in, how easily I can change provider, how will cost the personalization… are all great question.
what will bring IPv6 adoption is possibly even bigger, and will impact heavily networks.
IPv6 require to rethink our IP networks, is not just a matter of the extension of the address space, that is a problem per se.
Concepts like NAT and PAT will disappear, the coexistence of a dual stack (IPv4 and IPv6) have to be managed, migration of applications have to be considered. There is a wide impact also in performances, the management of the new headers is more difficult since it is not structured as it is in ipv4.
And beside the fact IPv6 suggest the use of IPsec for node to node transaction is quite difficult to imagine that all internet transaction will use it. Not to mention how relevant will become DNS resolution inside and outside our networks. DNS I widely used for cyber attacks and it’s structure and lack of security has been underestimated for a long time.
Even now most of the internet generation does not understand how relevant is DNS resolution in browsing experience (and timing).
So we will have to rethink again our dogma on security and we will probably discover some other epidemic we were not considering.