[ISN] Limiting your security to a firewall could be akin to opening Pandora's box

From: InfoSec News (isnat_private)
Date: Sat Apr 14 2001 - 17:13:37 PDT

  • Next message: InfoSec News: "[ISN] Spy laptop safety no longer mission impossible"

    http://www.infoworld.com/articles/op/xml/01/04/09/010409opvizard.xml
    
    From the Editor in Chief
    Michael Vizard
    Friday, Apr. 6, 2001
    
    The fundamental problem with security is that it's everyone's problem,
    which means that no one is actually responsible. When people talk
    about security today, they tend to focus on the edge of the network,
    where they deploy firewalls and VPN software to secure access to the
    network.
    
    The trouble is, this gives IT people the illusion that the entire
    enterprise is secure when they have really just set up a first line of
    defense. Once you secure the network, the second line of defense is
    the applications themselves.
    
    Much greater attention should be paid to making the applications
    secure from intruders. Failing that, a third tier of defense should be
    set up around the data in the applications. After all, when you visit
    a bank they don't have locks on just the front door. The vault itself
    has its own lock and inside it are safety deposit boxes with their own
    locks.
    
    The same kind of thinking should be applied to IT. It is difficult to
    achieve this level of security because developers are always under the
    gun to deliver on time. To meet what are often unrealistic deadlines,
    they typically cut short two processes. The first, as every end-user
    who has ever read a manual knows, is documentation. The second is
    quality control, where developers typically start to think about any
    security issues associated with their application. But this is putting
    the cart before the horse, because the time to consider security
    issues is when you are building the application, not after it's built.
    
    It's only a matter of time and a few costly lawsuits before a
    multitier approach to security becomes standard operating procedure.
    
    Let's take a hypothetical case in which an automaker consistently
    delivers a car with doors that don't lock and an ignition that can be
    started without a key. If that automaker recklessly ignored reports
    from customers about these flaws, and someone used one of the cars to
    inflict damage or even kill another person, the automaker could be
    held liable depending on how you interpret product liability laws.
    
    Similarly, it's only a matter of time before someone decides to sue a
    company such as Microsoft over the lack of security inherent in most
    of the applications that people buy today. If a hacker commandeers a
    system using known security flaws in the application to inflict damage
    on others, the company that built the application and the company that
    bought the application should probably carry some of the liability
    associated with the damage caused by the hacker.
    
    Hopefully we won't see a raft of legal cases emanating over security,
    but the reality is that unless companies are seen to be taking
    measures to secure their applications, they should be held
    accountable. And for many of them, that means either slowing down the
    application development process or completely rethinking how they
    approach security issues as they relate to applications.
    
    This won't be popular with software companies already hard-pressed to
    keep up with their production schedules. But one could argue that the
    current pace of development is pushing software vendors to adopt
    behavior they know is reckless. As companies that make cigarettes and
    firearms learned, you can be held accountable for how people use your
    product.
    
    In the meantime, IT organizations must be less complacent about
    security. Just because you locked the main access point to your
    network with a firewall, it does not mean you are secure -- not when a
    hundred backdoors are open at the application level.
    
    What's really required is a full audit of your entire security
    apparatus, from which you can then build a blueprint for securing all
    aspects of your site. After all, if someone penetrates your network,
    it's not a given that they should be able to access your applications.
    And if they do gain access to your applications, it's not a given that
    they should be able to use data outside that specific application.
    
    For most of us, increased security goes against the grain because it
    means work and inconvenience. But the reality is that locks and access
    levels are the hallmarks of any civilization, and that is the key
    element of our collective social contract.
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email LISTSERVat_private with a message body of
    "SIGNOFF ISN".
    



    This archive was generated by hypermail 2b30 : Sun Apr 15 2001 - 00:49:09 PDT