Friday, May 11, 2007

Vulnerability Anxiety

My mind is fried from my noisy but under-stimulated children and the plague of perpetual morning (and afternoon and night) sickness. And, no, not mine.

Or perhaps Gadi Evron's NANOG alert on Broadband Router vulnerabilities has pushed me over the edge, but I think Bejtlich might be on to something with his whole focus on the threat, impractical or not. Or perhaps it is just more intellectually honest than folks in security [consulting|product] companies going on and on ad nauseam about end of the world vulnerabilities of the day/month/year so that the morons at e-week will reprint their "marketing" as news.

Sure, I did it too. It is fun. Pick the latest product, protocol, technology, and find holes in it. Easy. Make the world safer. Hell, save it while you are at it. I did inside Cisco with product teams. Find the bugs before the bad guys do. I tried to do it with the thick-headed SCADA community. Don't get me wrong (when I used to work for a vendor, and was still bitter about having wasted lots of time and energy on product security initiatives that went absolutely nowhere and being part of a small, understaffed, non-revenue-generating group buried deep within the bowels of a security business unit) I used to be sympathetic to Alan Paller/Bruce Schneier-style vendor-bashing (meaning if only Microsoft, Cisco, Oracle, etc. would do x,y,z then we'd all be fine.) But not anymore. Now I find it tiresome, almost as tiresome as the new scary fuzzer of the week. And I am glad that I'm in a job where I don't do too much "awareness raising" of this sort (or writing fuzzers, for that matter.) Whistle blowing, bell ringing, inviting the wolf in the door, dressed as Grandma. Whatever you want to call it.

But it reminds me of one of the handful of occasions (most of which were quite amusing and absurd in hindsight) where work I touched received at least a blink of attention at the senior executive level (meaning, to folks that reported directly to Chambers).

I was working on a high visibility prezo that was going to be given to some govt big shots. This is pre-DHS days, but it involved a former Clinton administration appointee that would go on to release a tell-all book critical of the Bush administration in the summer of 04. A year ago I would actually stand behind him going through security at Reagan one morning, chuckling while TSA took extra long to go through his bags. (Another HINT: this guy talked about "Digital Pearl Harbors" a lot)

To get back to the point, the critique from the exec on my slides was short and sweet. I still have a printout:
[this] reads like a laundry list of anxieties regarding the future of networking and its vulnerabilities..
Of course I thought this was nonsense at the time. Like all the execs, he just didn't get it.

But what does this mean to me now? It means, sure, you can (and should!) do all that product/application security goodness. But every new technology (Web 2.0, Vista, VoIP, IPS, NAC whatever) is going to be broken as hell (or at least appear so, because all it takes is one hole, right?) when it first hits the streets.

Not only has the endless vulnerability drum-beat gotten old, I'm not sure of the point anymore. The terrain that must be defended is endless and particularly difficult for vendors (such as Cisco) that do much of their product development via acquisition. Although it is no cake walk for those that do everything in house. And just like the real wars, it is difficult to know the scorecard, since most of the time we only know about those that "get through" and there is only one interpretation of publicly available information: that we are losing.