“It’s still the same old story: a fight for love
and glory, a case of do or die.” These words, made
famous in the Warner Brothers’ movie Casablanca, remind
us of what U.S. philosopher and poet George Santayana (1863–1952)
once wrote: “Those who cannot remember the past are
condemned to repeat it.”
One of the problems in the computer and network security
space is that we behave as if we have no history. Or, perhaps
we have lost our sense of history.
Either way, we will not learn from our mistakes. We will
spend needless hours going over the same old ground, reinventing
the same old devices.
We see evidence of this in some of the questions that Forum
Members raise, on topics such as buffer overflows, application-level
security, and certification.
My purpose in the space this month is not
to make anyone feel stupid. There should always be room for
questions and answers. One of the primary purposes of our
Forums is for mutual edification and education — and
I mean Members, Faculty, Staff, and Providers. Rather, the
point of this column is to raise some of these already-solved
questions and to encourage us to appreciate the importance
of our history.
Buffer overflows. We probably
all know that they are bad. Buffer overflows are to blame
for a majority of the non-virus attacks on our networks today.
Buffer overflow attacks exploit buggy software (data is not
verified) and allow the execution of arbitrary code (well,
not arbitrary-– code that the “attacker” wants
you to execute.) It must be near impossible to get this right.
It is not impossible, but it takes extra
work, which costs money. People will always make mistakes.
Bad guys will continue to try to take advantage of those
mistakes. Do we remember the Morris Worm? It was the first
attack on the whole Internet. It was not like more recent
memorable attacks (Nimda) only because the Internet was a
lot smaller back then. But some of you reading this have
never heard of the Morris Worm. (Google it!) Do we ask solution
providers to take extra time and effort to test software?
Do we tell them we would be willing to pay more money? Or
do we ask for cooler features?
The need for application-level security. At
the Forums we talk about “Intrusion Prevention Systems” in
the “Monitoring, Detection, and Prevention” track.
At the New York Metro Forum’s Solution Provider panel
last year, a few panelists asserted that firewalls filter
on IP packet header information only. Over the past year,
trade magazines have trumpeted “application intelligence” and “deep
packet inspection.” None of these are new concepts
(unless you consider 1992 “new”). Why is this
important to know and remember?
We have to know what our
security devices can and cannot do. We have to recognize
marketing-speak (or -hype) from something that really is
new. But, we also have to know that we can and should apply
older technology more securely. Use what we have, and have
Do we need application-level security? Sometimes
yes. Does it matter if it is in an old application gateway,
proxy-based firewall, or a new wiz-bang “in-line intrusion
prevention system?” Maybe. Maybe not. But, let’s
start knowing what’s been there already and what has
worked, what has not, and why.
Strong user authentication. As
in “instead of reusable passwords,” some of our
organizations get this. I see many security tokens and smart
cards with digital certificates among Forum Members. Still,
many of us are using reusable passwords. There is a better
way. Security tokens – crypto calculators and one-time
password systems -- have been around for over a decade. Of
course, they still are not as convenient as passwords.
Convenience vs. security. Or
usability vs. security or functionality vs.… They will
always be at odds. Know this up front so that you factor
it into your policies and procedures after your risk analysis.
End users – the people security practitioners support – never
ask for extra security. They never notice when your firewall
is too permissive. (“Excuse me. I don’t think
I ought to be able to do this.”) They ask for “bigger,” “faster,” “more,” but
never “more secure.” That is the security person’s
job. This tension will never go away this side of Heaven.
(But isn’t it nice that there are some things on which
you can count?)
Security certifications. Are
security certifications important? Of course they are. Of
course they are not. Really, it depends. (And you recognize
that those two words are very significant when we are talking “security.”)
Certifications are just fine — maybe even great. This
is especially true if you do not have the opportunity to
expose your knowledge at conferences and in print, or if
you can use them as a reason for further education and career
enhancement. But, certifications are no substitutes for experience.
Every one of us probably knows someone who has a CISSP but
zero practical experience. Or we know people who seem to
be professional “certification test takers” on
someone else’s dollar. It doesn’t make someone
a bad or useless person. But being “certified” and
having experience is not the same thing.
The bottom line on all of this is that our
history is important because it is a source of knowledge
through experience. And the ability to apply knowledge to
a new problem, the ability to know the rules and know when
to break them, is — as Richard Thieme has pointed out
at some of our Forums — what helps us be more effective
in our vocations and exposes the expert as an expert.
Fred Avolio is a member of the Institute faculty. Write
to him at firstname.lastname@example.org.