Patching the price of security

There's a chasm in the information security landscape. On one side, security vendors try to sell us ever-more-complex products to deal with ever-more-complex threats. On the other, the experts tell us we should be concentrating on the basics.

A recent example of the complexity is DeepSAFE, technology developed by McAfee and its owner Intel.

DeepSAFE sits between the physical hardware of the processor chip and the operating system. Somehow. McAfee describes it as a new vantage point, from where otherwise stealthy malware can be detected. McAfee co-president Todd Gebhart even claims it would have defeated Stuxnet, the worm that targeted Iran's nuclear program.

DeepSAFE is capable technology, but for how long? It was two and a half years in the making -- expensive! -- and presumably only gives McAfee an advantage until the competitors develop their equivalents and the bad guys figure out how to subvert it.

Besides, there's a bunch of science ranging from Kurt Gödel's incompleteness theorems to all that stuff about unsolvable computations that leads me to think we'll eventually be hearing about a new technology layer beyond DeepSAFE. And then another beyond that.

Need more examples? Look at the configuration screens for any major vendor's latest endpoint security suites.

Contrast all that with this magnificent example of getting back to basics from Australia's Defence Signals Directorate (DSD), the organisation responsible for protecting our government networks, both civilian and military.

Earlier this year a team led by Steve McLeod and Chris Brookes looked at all of the security incidents and vulnerabilities reported in 2010 to see how they might have been prevented. They identified the Top 35 Mitigation Strategies and provided technical information on how agencies could implement them. Useful stuff.

But DSD's money-shot message was that by following just the first four strategies, at least 85 per cent of the targeted cyber intrusions would have been prevented.

These four strategies aren't exactly rocket science.

* Patch -- that is, apply the security updates -- for applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers.

* Patch operating system vulnerabilities.

* Minimise the number of users with administrative privileges.

* Use application whitelisting to help prevent malicious software and other unapproved programs from running.

"Implementing the top four strategies can be achieved gradually, starting with computers used by the employees most likely to be targeted by intrusions, and eventually extending them to all users," DSD wrote.

"Once this is achieved, organisations can selectively implement additional mitigation strategies based on the risk to their information."

Dr Ian Watt, then secretary of the Department of Defence, advocated that all cabinet agencies implement these four controls and make sure they were actually doing it.

Re-stating these basics might seem a simple thing, but it won DSD the 2011 US National Cybersecurity Innovation Award, announced Monday by the SANS Institute.

"The cost of implementing these four controls is a tiny fraction of the cost of implementing the average US federal government agency cybersecurity program," SANS wrote, along with words like "ground-breaking", "game-changing" and, of Dr Watt, "extraordinary leadership".

These controls won't stop highly sophisticated attacks. But they do stop the middle- and low-end attacks, and that's how most information is lost. For the agencies that have adopted them, the spread of targeted attacks is no longer a significant problem.

"Auditors who are not checking for these four being fully implemented should refund their salaries because they are looking at the wrong things," said Alan Paller, the SANS Institute's director of research.

The DSD research is a long way from the likes of DeepSAFE. But security vendors must constantly introduce new technologies to differentiate themselves from their competitors. The corporate world seems to prefer creating new technologies over repurposing existing ones. It's a branding thing.

And it's inevitable that these technologies are increasingly expensive and decreasingly effective.

"In nearly every technological concern, if you want to get one more decimal place of reliability, you end up spending ten times as much," security expert Jon Callas, who is chief technology officer of Entrust, told Technology Spectator.

"DSD did everybody a huge favour by essentially saying, 'Here's where you get to approximately two nines of reliability,'" he said. "And they're simple things, which tells you how much we all suck."

But of course you don't get to be a billion-dollar vendor by repeating basic messages.

Disclosure: Stilgherrian attended McAfee's Focus 11 security conference in Las Vegas as their guest.