Internet Security....the final word.....well maybe the second final.....ah, maybe one more after that.....

Drazen Drazic
Drazen Drazic is the managing director of Securus Global, a leading Information Security consulting organisation specialising in application and network security, penetration testing and product testing for international security vendors. He is engaged as a consultant across most industry sectors on Information Security policy and strategy. In earlier times, he has headed up Information Security for a global investment bank and Big-Four professional services firm, been a regional IT director and has spent years promoting and talking about information security. Twitter: @ddrazic

If we were to believe the marketing hype of the last 20 years, we should be in a position today, in 2011, where security is not the BIG problem that it is. Every “security” product has promised to take the pain away: make us secure, compliant (with every known standard), and not only solve our problem today but future-proof us as well. Buy now and you need nothing else!!

In 2008, a large “security” company told me that if I bought their product, it would give me “proactive protection against unknown and zero-day threats”. They seriously told me that! I didn’t buy the product. Did you? If you did and it worked, you’re probably not reading this website and are instead getting on with business without the need for a security team or any other security technology......

Let’s not pick on one company or another. We know they all do it and always have. But let’s go back and ponder why we’re not secure today when marketing has been telling us for years (well, since the ’90s really) that their company has solved the problem for you..... (maybe someone just forgot to tell the hackers.....)

Packet filtering technology led the way in protecting us on the Internet from bad things. Then firewalls became mainstream in the ’90s to really ensure we kept the hackers out, before IDS raised the bar to protect us further, and then, just to make sure, we moved to IPS technology. But to be even more sure, we were told we then needed WAFs to close the loop, so to speak. Between the evolution of these technologies we’ve also had competing technology that was “promoted” to us on the basis that all of the above was no good and you needed “intelligent systems” that would understand what was good and bad traffic coming into your network. “Heuristic” network analysis! Wow!

Let me be a cynic for a moment. (Out of character for me).

It won’t be long before we have a Cloud Firewall (some are already promoting it), which I like to term a CFW. (I’d like CFW to be seen as the solution to APT.) We’ll put the CFW in front of the WAF, which sits in front of the IPS, which sits in front of the IDS, which sits in front of the FW, which sits in front of the Router, which sits in front of the “intelligent” system sitting on your network finding the bad stuff that all the others missed. (Okay, before anyone gets too technical on me, I acknowledge you can mix this order of protection around to whatever floats your boat or is considered the “best practice” of the day.....“zone” it how you will.)

Now I hate to be a party pooper just as the security product makers have seemingly nailed the problem again, BUT we have clients who don’t trust these security products without the products themselves first being security reviewed. That’s one of the things we do. And herein lies the problem.....many security products are insecure....inherently insecure.....as bad as the standard TCP/IP protocols themselves.

So what’s the solution? Why break the evolutionary mould? Let’s add more layers. Let’s start with the WAF (because no one has invented the CFW as yet...or at least a real one). We need to put a WAFF (Web Application Firewall Firewall) in front of the WAF. It would be bad to have your WAF owned, so you need to protect your WAF. No need to detail the rest as we move down the zones to protect the protection devices. LOL....you couldn’t make this stuff up.

BUT, we’ve always been told that defense in depth is key! So, somewhere in this quagmire of millions of dollars spent, we’re going to finally be secure.

Let me leave this at the moment with one last comment:

Defense in Depth can be destroyed by Complexity in Depth and always trumped by Stupidity in Depth. Are we too far gone to now go back to basics? There’s a story about an old woman who swallowed a fly.....
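The “Complexity in Depth” point above can be made concrete with a small risk model. The following is an added illustration, not code or figures from the author or from Securus Global: every layer in the chain described earlier (firewall, IPS, WAF, and the hypothetical WAFF) is given two constructed parameters, the fraction of attacks it blocks and the probability that the device itself can be compromised. Adding a layer lowers the chance an attack gets through the chain, but it also enlarges the set of devices that must themselves be sound, and the model shows how a poorly reviewed device can raise total risk even though it “adds protection”. The layer names and all numbers are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    """One inspection device in the chain (constructed parameters, not measurements)."""
    name: str
    block_rate: float     # fraction of attacks reaching this layer that it stops
    own_exposure: float   # probability the device itself is compromisable


def residual_attack_rate(layers):
    """Chance an attack slips past every layer (layers assumed independent)."""
    passed = 1.0
    for layer in layers:
        passed *= 1.0 - layer.block_rate
    return passed


def stack_exposure(layers):
    """Chance that at least one device in the chain is itself compromisable:
    the attack surface the stack adds on top of the thing it protects."""
    all_sound = 1.0
    for layer in layers:
        all_sound *= 1.0 - layer.own_exposure
    return 1.0 - all_sound


def total_risk(layers):
    """An attacker wins if the attack gets through OR some device in the chain is owned."""
    return 1.0 - (1.0 - residual_attack_rate(layers)) * (1.0 - stack_exposure(layers))


def layer_helps(layers, candidate):
    """True if adding `candidate` lowers total risk; False if the complexity it adds
    outweighs what it blocks."""
    return total_risk(list(layers) + [candidate]) < total_risk(layers)


# Constructed stack following the post's chain: FW -> IPS -> WAF (illustrative values).
BASE_STACK = (
    Layer("firewall", block_rate=0.5, own_exposure=0.01),
    Layer("IPS", block_rate=0.6, own_exposure=0.02),
    Layer("WAF", block_rate=0.7, own_exposure=0.05),
)

# The hypothetical "WAFF": blocks little the WAF did not, but is a new, unreviewed device.
WAFF = Layer("WAFF", block_rate=0.1, own_exposure=0.2)

# A reviewed control that actually covers something the others miss.
REVIEWED_CONTROL = Layer("reviewed control", block_rate=0.8, own_exposure=0.01)


if __name__ == "__main__":
    scenarios = (
        ("base", BASE_STACK),
        ("base + WAFF", BASE_STACK + (WAFF,)),
        ("base + reviewed control", BASE_STACK + (REVIEWED_CONTROL,)),
    )
    for label, stack in scenarios:
        print(f"{label:25s} residual={residual_attack_rate(stack):.4f} "
              f"stack_exposure={stack_exposure(stack):.4f} total={total_risk(stack):.4f}")
```

With these constructed numbers the base chain has a total risk of about 0.134; bolting on the WAFF pushes it to about 0.302 because the device’s own exposure dominates the little it blocks, whereas a reviewed layer that genuinely covers a gap brings it down to about 0.098. The model is deliberately simple (independent layers, one exposure figure per device), but it captures the trade the post is pointing at: every protection device is also something that has to be protected.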

