(ISC)² Congress 2013: Infosec Must Expand Testing to Keep Pace with Attackers

McCormick Place in Chicago, Illinois

“Every single year, the only thing we can count on in security is getting worse at it”, said Chris Nickerson, founder of Lares Consulting. He added, “not only do we get worse at it, we spend more money on it every year.” He likened the trend to the world’s worst stock investment – continuing to buy shares as the value endlessly tumbles.

Nickerson, however, said the problem is not a lack of effort from information security professionals or industry consultants. “We get up every morning, roll the rock up the hill, know that it’s going to fall over us, and then wake up the next morning and know that our job is to roll the thing back up the hill”. This never-ending process makes infosec professionals “some of the toughest people” in the IT industry, he contended.

Why does security get worse while continuing to spend more each year? Nickerson blamed information security vendors and their salespeople, and pointed to technologies like firewalls, anti-virus and data loss protection (DLP) suites as being old offerings presented in new packages. The technologies themselves, he asserted, are getting worse as well.

He reserved special criticism for DLP. “What does DLP do?”, Nickerson asked, adding that vendor pitches typically say that it “finds sensitive stuff”. But when queried on how DLP works, Nickerson mused that apparently it was by “magic.”

Furthermore, the places where organizations do spend money on technologies tend to focus on compliance-based needs (think PCI’s anti-virus requirements), rather than on defending against where the majority of attacks come from, such as web-based ones.

“In security, we get tons of solutions, but they are just postulates – there is an assumption that they are going to work. We know that they work in a lab somewhere”, Nickerson observed. The problem with this approach is that it works fine against the straight fastball, but what happens when the security technology is pitched a curve?

“We have this expectation in electronic testing that we are getting real-world testing, yet we remove all of the [factors] that allow it to be real world”, he said. Most penetration testing, he added, “lulls us into a false sense of security”.

A key lesson Nickerson imparted was that infosecurity professionals should not rely on their vendor’s assurances, or those of the testing labs. Attackers, he proclaimed, will certainly operate outside laboratory conditions, so security pros must approach their jobs and the technology they employ from the perspective of their adversaries. “Our job is to protect assets”, Nickerson said, regardless of whether that asset is a person, a physical space, or information.

Physical security vulnerabilities provide a significant conduit to information compromise, the Lares founder noted. A seasoned physical security expert, Nickerson said that most organizations do only half of what is necessary to secure their facilities – they understand security “from an observational standpoint”, and apply case studies for visual security assessments. “For the most part, that’s where it stops – we look at the people, process and procedures that should be followed”, but what many organizations fail to do is verify that these same people are actually following the established processes and procedures. “And that’s where the gaps exist”, Nickerson proclaimed. “When it comes to physical security, we are really good at testing design, but testing effectiveness is typically not within our scope.”

The deficit in physical security that protects information assets usually lies not in the technology, but rather in the people responsible for enforcing the policies and procedures, Nickerson said. And where organizations fall short is testing for social engineering scams that are designed to compromise physical safeguards and subsequently lead attackers to information assets. His experience in this area has shown that exploiting the social aspects of physical security is far easier than most organizations believe, and social testing goes beyond simple mock phishing tests that some organizations have started to deploy.

While not all threats can be mitigated or tested for, Nickerson said a “converged” approach to security testing that incorporates physical, electronic, and social aspects will lead to improved return on investment for security programs, and perhaps allow information security professionals to gain back some of the ground they have lost each year.

To defend against today’s adversaries, he contended that industry professionals must expand their skill set to keep pace, developing expertise in protecting more than just electronic information assets. “We are a professional entity”, he told the audience, advising that they must think of themselves as needing to train like a professional athlete would, “at the highest possible level. We are no longer training to fight, we are training to fight someone extremely specific.”
