Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
You heard it here first. Way back in May of 1996 I wrote an article for the Internet Holes series titled "Eliminating IP Address Forgery" in which I discussed and demonstrated simple and efficient ways to eliminate IP address forgery. But it is only in the past few weeks that the Internet community has finally started to adopt these strategies on a large scale.
I don't know whether it was a side effect of my recent congressional testimony and rather pointed debate in that forum with the gentleman from Sprint - or a side effect of the recent increase in DCA denial of service attacks and the article I wrote on that for the last issue of this magazine - or perhaps it's something else entirely. But for some reason, in the last day, I have gotten two major notices - one from the SANS institute and one from the ICSA. The SANS article indicated details of doing router filtering (without proper citation of course) that follows fairly close to my 5-year old recommendation, while the NCSA is now giving away a product to detect cases where your part of the infrastructure is being used to forge addresses.
It seems that eliminating IP address forgery is now all the rage because it is now affecting enough people who are important enough to get the whole Internet to take action. And it is indeed gratifying to see this - despite the frustration I suffer over the lack of citation to my original paper on the subject and my firewalls course that has covered this subject in detail for the last five years.
In looking back on some other more-than-five year old work, I am starting to see more and more of it adopted. I am now talking to an anti-virus company that is ready to start using integrity techniques because the cost of keeping up with the 80,000 new viruses per year is simply too high for the amount you can make on your anti-virus product in today's market. Lightning rods and deception systems similar to those used over the last ten years by those at AT&T and elsewhere are starting to be embraced. Even trusted operating systems are now being increasingly selected for commercial use, and they have been studied and funded by the NSA for more than 20 years.
Indeed, it seems that information protection technology is now only 5-10 years behind the research and development in the field, and while time to market has dominated the rest of IT for a long time now, it seems that the same notion has finally caught on in information protection. I can foresee the day when I will not have to wait more than 2-3 years between publishing a working defense and seeing somebody else adopt it as their own without citing me or even paying royalties. But we will get back to this in a moment.
I read a recent article that claimed that information security lacks innovation. To me this is a classic case of somebody who doesn't know what they are talking about saying something foolish. If we look at almost any aspect of information technology, we see the claim of massive innovation, but in reality, almost everything we see in IT today was available in a very similar form 15 years ago. There are some exceptions. For example the palm-top computer first existed only 10 years ago (the HPs have been around that long) and today there is a booming business.
There are, of course, small innovations that make an evolutionary difference in technology - such as the screens that allow the palm computers to operate on a pen-based interface - but touch screens and pen-based input have existed for more than 30 years. The technology is continuing to make many step-wise improvements, and the combination of these improvements do produce very substantial change - but innovation? Hardly.
In my view, and in a relative sense, information protection is not lacking in innovation, it is lacking in adoption of innovation. There are many reasonably good innovations that incrementally improve protection technology and, in the aggregate, they will have a very substantial effect. For example, network security management techniques, improved anomaly detection, the elimination of address forgery, the availability of programs that detect buffer overflows in software, deception-based detection and response, small and highly effective biometric devices, secure communications capabilities, improved firewalls, and new response technologies for collective defense are all examples of recent innovations that are moving into the market and having a substantial effect.
We see supposed innovation being adopted by those who don't know enough to know that the same ideas were explored 15 years ago and were found inferior. But we see fewer of the really innovative solutions that avoid the historical pitfalls adopted - largely because of a mismatch between the people who really know the science and the folks who are driving the market.
While a lack of scientific understanding is not so important in selling the newest brand of toys, and you can be highly successful in the market with a scientifically inferior product (even if they products are equivalent from a standpoint of how well they will work in an organization), security products that are effective are rarely as sexy as those that you can market easily.
In the security field, the lack of strong education in support of the field, the lack of educated educators in the field, and the lack of respect for historical results are leading to a crisis of integrity.
Yes - that's just what I meant to say. The people who are in the information protection business today - as well as many in the research community - lack integrity. The loss of integrity in any field is a bad sign for its future, but in a field in which there is a high priority on achieving integrity in results, a lack of integrity in researchers is scandalous at best.
Here are some examples of recent items in information protection that I think demonstrate the collapse of integrity in this field and represent a dangerous step for the field and its future.
The l0pht gang has now made a deal to go 'legitimate' and is getting lots of good press. One of their recent 'security innovations' is a 'war dialer' attack tool that runs on a palm pilot. According to their web site:
That vulnerability is completely theoretical." -- Microsoft L0pht, Making the theoretical practical since 1992
This is only one of many examples of this sort of
'conversion' for money. Many of these groups have strong ties to
previous criminal activities and criminal or marginal groups. l0pht for
example is closely linked to cDc and other groups, has shared membership
with some of those groups, shares facilities, co-writes attack code, and
so forth. The ongoing publication of attack programs and sale of
defenses against them to customers is - in my view - extortion at least
- and operation of a criminal enterprise is not out of the realm. The
publication of access codes to government sites by such organizations
violates laws as well and many of these sites publish these openly. If
the security community buys from these folks, they are making a big
The widespread use of published material belonging to others without consent or even notice of copyrights has become endemic in the security community. We commonly see web sites with thousands of copyrighted documents taken without permission of the copyright holder and provided as part of a 'security' site. In some cases, citations and copyright notices have been stripped out of these documents - while in other cases the documents are simply copied without permission and made openly available.
At the same time, some people are trying to go too far
in copyright protection. For example, the British Standards Institute
tries to prevent summaries of its standards from being published - even
as part of scientific discourse and academic commentary. This is
clearly beyond the scope of the fair use provisions of copyright law.
Similarly, many companies end up suing people for including a link from
one web site to the other. They seem to assert that the use of a
Universal Resource Locator (URL) is a violation of their copyright.
Please don't hesitate to use / in your web sites. You
should not try to use other URLs within the site, however, because they
are subject to change and are thus less reliable.
The terminology of our field is created for marketing purposes rather than for clarity of communication. For example, recent 'distributed denial of service' attacks were characterized several years ago in published papers under the name 'distributed coordinated attacks'. Whether it is a lack of bothering to review the literature or a desire to 'make a name' by creating a new term, the failure to use recognized and previously published terms of art and build upon them destroys the scientific base, undermines the work of others, and slows progress in a field. Some of this is also related to the lack of willingness of US researchers to recognize contributions of the rest of the world. For example, the IFIP TC-11 journal "Computers and Security" is and has long been the premier journal in this field but it goes largely unread and ignored in the US because of the misled belief that the IEEE and ACM are somehow ahead of IFIP - even though they are both members of IFIP and thus endorse the IFIP journals - and even though they are at least ten years behind IFIP in publishing a refereed professional journal in the computer security arena.
At a minimum, people should do their homework before
publishing articles and cite previous work. I'm not asking people to be
perfect - just to use due diligence. In other words, don't assume that
you are the first person to come up with any idea you think of. The
vast majority of them have been explored before and building on previous
results may save you 15 years of unnecessary failures while recognizing
the work of others and perhaps avoiding their wrath.
Metrics in this field are created for marketing and not for clarity. I have complained a lot about the lack of metrics and poor metrics used in this field, so I figure I may as well add to the list here. The typical metric for a security product is along the lines of 'catches 90,000 known viruses' or 'detects 147 different known network vulnerabilities'. The big problem is that this tells the buyer almost nothing of interest and it has no scientific basis whatsoever.
Why does it tell you nothing? Because the terms in use are not commonly understood and because how many are caught is only relevant in terms of how many their are and whether you are likely to encounter them. Different firms call different things viruses, and count them differently. Some count all Jerusalem variants as one virus - others count each mutation of the mutating engine a different virus. The same is true of vulnerabilities - which more often than not are only potential vulnerabilities and not even real vulnerabilities. And none of them clearly indicate what portion of the published set of viruses or vulnerabilities they cover - or the rate of new members of that set and how quickly they keep up with the new ones - or the fact that there are infinite numbers of potential viruses and vulnerabilities waiting to be written. It's like piling up dirt in an effort to reach the moon. Each shovel gets you closer, but you will never get there that way.
That should be enough examples to get you started, and I hope I have made my point clear. As a field, information protection lacks integrity today. But...
I don't mean to say that everybody working in the field is a fraud or fails to do their homework. In fact, many legitimate researchers and developers do a fine job of building real capabilities and doing the background work necessary to do the job well. I think that the commercial interests and businesses just don't pay attention to the legitimate researchers and are paying the price day after day.
This is not to say that the legitimate folks are very good at marketing - generally they are not. But they are very good at understanding the implications of technology and particularly at finding the flaws in proposed technologies. This is not the same as vulnerability testing or white hatting a system after it is built - it calls for understanding of the limits of technologies - something we seem to ignore at our own peril more and more these days.
The solution to this worsening problem, in my view, was outlined in my written and verbal congressional testimony. To quote:
As it turns out, the issues of management and technical ignorance of information protection, poor attribution and unlimited anonymity, low assurance system bearing high valued burdens, legal and politically forced changes without proper consideration of risks, misestimates of threats, and misunderstanding of the implication of consequences on risk management are all quite closely related. They all relate to a lack of education in information protection throughout a society that is rapidly entering the information age. This should not be unexpected, but it is a serious problem that must be addressed before most of these other challenges can be met.
This very subject was discussed only a few weeks ago at the Workshop for Educators in Computer Security (WECS). One of the things we generally agreed upon was that there aren't enough educators to educate the number of people in need of education. And even worse, most of the people being educated are not going into education, so the educators of today are not educating the educators of tomorrow. To make the problem still worse, many of the best current professors in this area are approaching retirement, and much of the historical work in this field is being ignored by recent graduates. This means that, as a profession, we continue to repeat the mistakes of 30 years ago out of ignorance. There are many other limitations in our educational institutions that will not be solved for some time, but fortunately, the Internet offers a unique opportunity for education in information protection. Institutions like the University of New Haven are starting to take up this task, and I am proud to be associated with this effort.
If I were to select two things that will have the greatest effect on the future of the United States in the information protection area, they would be the education of our young people and the simultaneous movement toward a scientific basis for information assurance. These things go hand in hand largely because, as the old saying goes, you never really know a subject until you have to teach it to somebody else. Most people believe that university education has contributed substantially to scientific progress, but one of the most important reasons that scientific progress is tied to university research is that the university researchers get a constant stream of fundamental questions and interesting new research ideas and assistance from their very intelligent students.
Consider this. The need for computer security expertise is so great today that the average wage for an experienced consultant working for a security consulting firm is now on the order of $200,000 per year. The fees charged by major consulting firms in this field start at $3,000 per day, and some of the best groups now charge more than $8000 per day. The only way to reverse this trend it to change the supply side of the equation.
I am anxious to see more and better education in information protection and I am actively working toward that goal. I would like to see many of my readers follow this line as well - in whatever way you can. Here are some things you can do:
Support continuing education in information protection both for you and your team members. This helps build more internal expertise.
Team with educational institutions to build better programs. They will be glad to service your needs and you will get more and better new employees.
Whenever you get a report or other content that looks interesting, check for citations to previous work. If there are none, be very suspicious that the author was unaware of it. If there are citations, look them up and read them. You will have a far better understanding of the value of the report.
When you support research and development, build an external advisory board using recognized experts. If your people don't know what the advisory board members know about their research area, get your people educated by your advisors.
Last but not least, support education in any way you can. Teach a junior college class at night, or help them build a curriculum to meet your needs. It is both rewarding and in your best interest.
About The Author:
Fred Cohen is still exploring the minimum raise as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates in Livermore California, and educating defenders over-the-Internet on all aspects of information protection as a practitioner in residence in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at all.net or visiting /