Thursday, August 16, 2012

Random musings from a discussion with MAD Security's Mike Murray

I had a fascinating discussion with Mike Murray, principal at MAD Security, yesterday at a local ISSA chapter meeting.  In his presentation, and in a one-on-one discussion afterward, he covered a lot of ground, but the two central points that kept coming up were 1: there is a somewhat predictable cycle to the ebb and flow of vulnerabilities and exploits; and 2: awareness training, as most companies approach it, is only marginally effective.

Mike walked through a brief history of the information security industry, from the perspective of threat analysis and exploitation.  In the early ‘80s, the most exploited vulnerability was the human – for instance, Kevin Mitnick calling up Sun Microsystems customer service and getting them to put source code on their FTP server.  In the late ‘80s to early ‘90s, it was the network.  There was not a lot of valuable content online yet, so DoS and DDoS were the favored attacks.  In the mid-‘90s to early 2000s, as the dot-com boom occurred, the attack point was servers and services.  Code Red, Nimda, Blaster ring a bell?  WinXP SP2 sealed up many of the server/service vulnerabilities, so the next attack point was the application: SQL injection, XSS.  In the last 2 years or so, the cycle moved to the client – document formats such as PDF and Flash.  Now that those have reached a degree of security maturity (relatively speaking), the current favorite attack is back to the human – the Nigerian scams, the “I was robbed, please send money” scams.

His point in all of this was, there is a predictable pattern in vulnerability distribution that overlays the adoption curve.  On the bleeding edge of a new technology or capability, there is extreme vulnerability, but no critical mass of users to catch the interest of attackers.  There is a “sweet spot” during the early majority stage though where the bugs have not yet been worked out, but there are enough users to form a valuable target for the attacker.  That window may last about 18 months before most of the vulnerabilities have been closed, and the cycle moves on.

Today, most attacks are again against the human, but we are entering the early majority stage for cloud computing and for ubiquitous connectedness in the form of smart phones and tablets, and IPv6 is just beginning to gain momentum – an entirely new generation of network technologies.  Where do you think the vulnerabilities over the next 18-24 months will predominantly lie?

His second point related to infosec awareness.  Most security awareness training today focuses on just that – awareness.  But simple awareness does not bring about behavioral changes.  In Mike’s view, there are three things that must all be present at the same time in order to change behavior: motivation (aware of a problem and that not taking action could hurt), ability (knowledge of how to take appropriate action, in a way that does not interfere with other priorities), and a trigger (a reminder to take action).  The examples he used were strong passwords (see the XKCD comic on the topic) and USB storage devices. 

On the latter, he had a former consulting client that had not been able to keep its employees from plugging USB devices into their PCs.  Awareness training had not helped – the employees knew of the risk, and had the ability to simply not plug in the device, but there was no trigger, nothing to remind them not to do so.  MAD Security put together a video just memorable enough (and politically incorrect enough) to create a reminder that stuck.

Most companies get each employee’s attention for about an hour a year during information security awareness training – why not use that hour to not only educate, but create memorable triggers for the behaviors we most want to encourage?