Assuming our civilization isn’t swept away in a Mayan apocalypse, 2012 will soon give way to a New Year. And, with it, new challenges. To get a sense about what those might be, Paul Roberts called three noted security experts - many newsmakers in their own right - and asked them to gaze into the crystal ball and see what might await us in the New Year. First up is...
Joshua Corman, Director, Security Intelligence at Akamai Technologies - “Do Software Better.”
Josh Corman is no stranger to controversy. As the Director of Security Intelligence at Akamai Technologies, he’s taken on thorny topics such as the rise of hacktivism and what Corman dubs “chaotic actors” as a force in the online security world. Prior to that, as the Research Director for Enterprise Security at The 451 Group and a Principal Security Strategist at IBM’s Internet Security Systems, Corman wasn’t afraid to go after sacred cows, including what he considered the security industry’s unhealthy obsession with regulatory compliance over real security. As a co-founder of the Rugged Software movement, Corman has worked with other industry leaders to promote better and more secure software development practices.
Corman said he hopes that the steady drumbeat of news about sophisticated cyber attacks and intellectual property theft will finally prompt real change both among policy makers, and within the IT security industry itself.
“I’m hoping we start thinking more systemically,” Corman says. “What’s happened is that the public discourse and revelations of more than a breach a week from state sponsored espionage or ideologically motivated chaotic actors has made your neighbors more conscious of hacking and cyber security. That’s stimulated a number of responses in the public discourse. For example, there have been a number of pieces of legislation written, though none in the House and Senate have passed. But you now have policy makers thinking about the issue and talking about things like the “hemorrhaging of trade secrets from the U.S. economy” and the “largest transfer of wealth in human history.” Some of this is war mongering, but some if it is understating the reality.
“So what happens with more pervasive, mainstream recognition is that you’re going to have more security, but not better security. I had a mentor once who said ‘sometimes when you want it done badly, you get it done...badly,’ right? There’s this notion that we need to do something. Anything. But I’m pretty sure that’s not the right instinct.”
Corman believes that the security industry, itself, needs to “grow up” - weaning itself from the easy money that comes from playing up fears of cyber threats - the old ‘scare ‘em and snare ‘em routine - and moving towards becoming a more rigorous, evidence based discipline.
“We can’t simply look at this as an opportunity to sell more widgets that don’t work for anybody anyhow because there’s more fear. There are plenty people doing that, but it doesn’t make for better security, just more security. We’ve been begging and screaming for a seat at the table to talk about how to make security better and more scalable - how do we automate it. We’ve wanted to be challenged as to whether our best practices really are. So now I’m hoping for a lot of critical thinking and introspection and experimentation such that now that we have permission from the mainstream, which is saying ‘Hey guys, this is bad, what do we do?!’ I think the sad wake-up call for a lot of us is we don’t know. You don’t see more confidence from the security thought leadership community. What you see is a shift to things like Metricon and (Verizon’s) Data Breach Investigation Report and (Mandiant’s) M-Trends and TrustWave’s reports. We’re desperate to get accurate data and intelligence but we don’t have the right collection mechanisms to get the data we need.”
The result, Corman said, is that the security industry too often gives poor advice.
“We don’t have good data on these things. That’s why there’s talk and rhetoric about data sharing,” he said. “That’s healthy, but even though we’d benefit from a repository of every breach so we could normalize them and turn them into real guidance, that’s unlikely to happen.” Instead, the industry has focused on low hanging fruit: the theft or loss of relatively low value financial data like credit card numbers (PCI) or on personally identifiable information (HIPAA and state laws like SB 1386). For breaches involving less replaceable information, like trade secrets, critical infrastructure and intellectual property, little is disclosed and even less is known.
In the absence of good intelligence, Corman says organizations need to find their own way. A first step is taking what he calls the security industry’s equivalent of the “Pepsi Challenge.” “Can you defend against Metasploit?” Corman asks, referring to the free penetration testing platform created by HD Moore. “In other words: have your security investments been adequate to defend you against script kiddies.” If they can’t, then none of your existing investments have paid off,” he said.
Are we getting better? “No,” says Corman. “Our dependence on software and IT is growing at a rate that is faster than our ability to protect it. For example, we’re putting Microsoft Windows operating system in our cars, and their Bluetooth enabled. We can hack our medical devices like insulin pumps. We’re putting critical infrastructure and control systems directly Internet connected. We’re putting IT on everything and while some people think IT on everything is a dream, I kind of think its a nightmare. If you have a toaster, there’s a certain risk that it will burn your house down. If you put software on it, it’s a vulnerable toaster. If you connect it to the Internet, its a vulnerable and exploitable toaster.”
The more complex the environment, the harder it becomes to defend that environment. The solution? “Find ways to do software better,” Corman says. “That way the software that we’re embracing is more defensible and dependable...or depend on it less,” he said.