Managing Network Security

How Good Do You Have to Be?

Copyright(c), 1996, Fred Cohen

Series Introduction

Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs have increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

Two Birdwatchers in the Jungle

Joke: Two birdwatchers are in the jungle. The couch potato asks the athlete: What will you do if we encounter a tiger? The athlete one answers: Run away as fast as I can. The couch potato replies: But you can't outrun a tiger! to which the athlete responds: I don't have to outrun the tiger, I only have to outrun you!

Today's information environme nt is target r ich. It would seem to follow that, if you have a moderate amount of protection, the attackers who try simple attacks and fail and will then go on to the next defender.

Business is competitive. If you have a better information protection program than your competitors, it should be a business advantage. For this reason, it may be more important to develop a protection program comperable to or better than competitors than to develop a really excellent program.

As a practical matter, you get a competitive analysis by using a standard measure such as that provided by the European Security Forum Security Status Survey or by contacting an experienced consultant and asking them to compare your protection techniques to comperable ones in similar industries. (It would be a conflict of interest to do a direct comparison to competitors they have worked for.)

Two Birdwatchers in Heaven

Joke: After being eaten by a tiger, the couch potato is waiting at the pearly gates when along comes the athlete close behind. With a last recollection of seeing the athlete sprinting out in front and smelling the tiger's breath, the couch potato greets the athlete and, after exchanging pleasantries, asks: What happened? When I was killed, you were way out ahead of me? to which the athlete responds: There was another tiger.

Just because you are not quite as easy a target, that doesn't mean you are not being targetted.

If the goal is to stop casual attacks such as those that come from hackers, a small amount of perimiter defense is adequate. For example, a simple firewall at a key chokepoint keeps out most hackers that cruise the Internet By having a regular program of securing gabage, you eliminate their dumpster diving attacks. Add in a reasonable physical security program, train your employees how to avoid perception management, and you have gone a long way toward eliminating the hacker threat.

But is that the right goal? According to the American Society for Industrial Security's 1992 and 1995 studies on industrial espionage, only 40 percent of detected incidents are perpetrated by outsiders acting alone. The other 60 percent of detected incidents involve either an insider acting alone (40 percent) or an insider acting with an outsider (20 percent). Similar results have been published in the Computer Security Institute's study in cooperation with the FBI and in many other studies.

Even if you do a perfect job of securing against outsider threats, you are only 40 percent of the way to a solution. Most insiders target you to the exclusion of your competitors.

A Tiger in the Jungle

Joke: A few hours later, the same pair of tigers are sitting in the jungle watching two other birdwatchers having a conversation. After making arrangements with his mate, the male tiger charges toward lunch. One of the birdwatchers runs away more quickly than the other, so the male tiger jumps at the slower target as his mate circles to get the faster one. Just as the cat leaves the ground on his final spring the slower birdwatcher spins around, points a bamboo spear at the tiger's heart and mortally wounds him. As the tiger is bleading to death, his eyes show his astonishment, and in a last act of mercy, the couch potato explains: We were watching those other two birdwatchers a few hours ago and I figured that a spear might work better than running.

If you can't outrun the tiger, you'd better try something else.

No information protection plan is perfect, but successful plans tend to be adaptive. In the more successful programs, there is a strong tendency to actively watch for changes that may effect protection and react to them in a sensible way. This commonly includes: idenitifying (1) changes in organizational dependencies on information technology, (2) new threats, and (3) newly discovered vulnerabilities; evaluating whether the current protection plan is still fully effective; and modifying the plan to put more appropriate protection in place when it is found to be lacking.

A Tiger and a Birdwatcher in Heaven

Joke: As the tiger's eyes close, he shows up in heaven, and as he is waiting at the pearly gates for his mate, along comes the second athlete. He is pleased to know that his mate survived, but he is also astonished that the athlete died when the couch potato survived. The tiger greets the athlete and with his newly developed heavenly voice asks: You knew what we did to those other people and you knew how to make a spear. How is it that you didn't kill my mate? to which the athlete replies: I wasn't sure you would attack me, and making a spear meant I wouldn't get as many pictures of the blue-bellied wobler, so I figured you might not come and that if you came I'd just try running a little faster than that other athlete.

If you're in the jungle, tigers will come. No matter how good an athlete you are, you still can't outrun a tiger.

In a changing world, those who fail to adapt fail to survive. The world of information technology is changing at a rapid rate, which means that we must also adapt at a rapid rate if we are to survive. If you don't keep track of emerging attack technologies, it is highly likely that you will soon become vulnerable to them. If you are networked to the rest of the world, it is almost certain that attackers will come. There are some examples of attackers breaking into systems within minutes of the first connection of those systems to the Internet. As an example, an attacker broke into and modified information on the French government's first Web server within 10 minutes of when it was first connected to the Internet.

Within the last few months, the U.S. Department of Justice and the Central Intelligence Agency have had their Web servers substantially modified. According to my sources, in both cases, they decided not to bother protecting those systems for whatever reason.

Proposed joke: Q: How many Web servers have to be broken into and modified before we properly defend them? A: All of them.

Another Birdwatcher in Heaven

Joke: A few hours later, the last birdwatcher arrives in heaven, spear in hand. The second athlete sees him and, surprised that his friend is dead, asks him what happened. The last birdwatcher explains: I was waiting at the edge of the river watching the forest with my spear waiting for a tiger to come out, when a crocodile jumped up behind me and ate me.

Even the best tiger defense won't protect you from crocodiles.

In today's highly networked computing environment, new attack scripts are widely published several times per week. Full details, often including source code for attacks, are distributed throughout the Internet and, in a matter of minutes, are available to attackers and defenders throughout the world. Defenders who are doing a good job are always watching for new attack scripts that effect their environments and verifying that their current protection systems defend successfully against those threats. But not all defenders follow this path to protection.

I know of two very similar organizations that are only mildly in competition with each other and often work together on projects. One of them is highly attentive, adaptive, and often proactive, when it comes to information protection, while the other is always a few steps behind the attackers. The attentive one has never taken a substantial hit and has always been able to limit and identify the extent of damage when attackers found some minor vulnerability. Protection problems at the less attentive organization are often written up in the newspapers. Even more often, they are successful and only identified long after the fact.


How good do you have to be?

In information protection, the devil, as they say, is in the details. Successful defenses tend not to rely on a few clever tricks. They tend to rely on a steady long-term effort at constant improvement and adaption.

Being just a little bit better than the competition is probably not much of a competitive advantage, but every little bit helps.

About The Author

Fred Cohen is a Senior Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing information protection. He can be reached by sending email to fred at