As strategic and essential as enterprise security is today, it is still, at its most fundamental level, an afterthought. We take the OS, apps, databases and network controls as they are given to us, and then we try to Band-Aid the best security we can on top of them. We use firewalls and filters and VPN tunnels and encryption to try to limit the damage software vulnerabilities can do. As a practical matter, enterprise CISOs have little choice. Or do they?
The National Institute of Standards and Technology (NIST) last week said that security professionals need to push back and that security needs to be addressed far earlier—and at a much higher level—in everything that the enterprise touches.
"Organizations currently buy commercial components, such as operating systems and applications, and then add on security measures such as firewalls, encryption and monitoring systems," said a NIST statement. "The new draft discusses concepts in terms of security to reflect how intertwined the cyber and physical worlds have become."
That statement also quoted NIST Fellow Ron Ross describing NIST's view of the next steps. "But those things do not go far enough in reducing and managing complexity, developing sound security architectures, and applying fundamental security design principles. Many of the engineering-related activities must be done by industry, as consumers can't design or modify source code, or do the other tasks necessary for full-spectrum security. NIST set out to create a comprehensive, engineering-based approach that includes security considerations from the original design throughout the system's entire lifecycle—including how to retire the system and its data securely."
The statement, announcing a new version of NIST's security guidelines, went on to outline why NIST considers this shift so important.
"The publication applies security principles to all of the technical processes outlined in the ISO/IEC/IEEE standard. These include such steps as engineering design, system analysis and implementation. In addition, it applies security concepts to critical non-engineering processes involving these systems such as management and support services," NIST said. "The considerations outlined in the NIST publication apply to both modern versions of pre-existing systems, such as manufacturing, and completely new systems, such as environmental monitoring devices and sensors embedded in the physical world and connected to physical networks as part of the Internet of Things."
In so many ways, the NIST folk are dead-on correct. Even the best traditional security efforts today are at a massive disadvantage. Malware—including the nastiest examples—has an almost unlimited number of places to hide and ways to disguise itself. If we can block 99 percent, we're doing well. In what other industry would a one percent failure on mission-critical components be acceptable?
Remember Heartbleed, an especially destructive virus. Its launch was accidental, prompting me to ask two years ago: "If our checks and balances are so fragile that a typo can obliterate all meaningful security, we have some fundamental things to fix. Let's not forget that when Robert Tappan Morris unleashed the Internet Worm back in 1988 -- the first major instance of the Internet crashing due to a worm -- it was also the result of a math error. He never intended to cause servers to crash, but crash they did."
That is essentially NIST's point. Many companies today are doing exemplary work on improving security at the periphery of networks and OSes, but the biggest security holes are hidden amidst tens of millions of lines of code that groups of strangers created. As anyone who has talked with Microsoft's or Apple's operating system technical people knows only too well, no one even on those teams has a meaningful understanding of everything their own OS can do. That's because there are so many distinct teams of developers working in tandem.
NIST's guidelines suggest a wide range of ways that security can—and in fact must—be prioritized at every level in every OS, app and network control. If security isn't a top priority at those levels, we're simply fighting a game that we have almost no chance of winning.
And NIST's references to IoT security are also spot-on. Bottom line: things are going to get a lot worse.
This isn't all doom and gloom. Given the long odds, there are some extremely well-thought-out security packages out there, and these OS holes mean that extensive supplemental security remains essential. It's not hopeless, and if engineers and developers take these new NIST edicts seriously, it could easily get a lot better.