A foundation of much of our security strategy today is to deploy security solutions to protect us. As an industry we have put policy and process in the back seat to technology. But is our blind trust in security technology justified? I have seen some evidence lately that says no. In fact, I am not sure that all of these appliances and software products that we use work at all.
What makes me say this? Let me give you some evidence:
1. Kelly Jackson-Higgins has a good post up on Dark Reading about the research done by Larry Suto on web application scanners. According to the report, which you can download as a free PDF from Dark Reading, most of the scanners missed almost 50% (one half) of all the web app vulnerabilities! Think about it: when you scan your web apps, you might be missing one out of every two vulnerabilities!
I was shown this report a few days ago by my friend Matt Cohen of NTOSpider. To give Matt and his team credit, they did lead the pack with 94% accuracy. But overall the numbers were pretty bad.
Qualys in particular was pretty low, with only about 28% accuracy. It should be noted that they only have a “point ‘n click” test, though. But still you have to ask yourself: if roughly 72% of the vulnerabilities, nearly three out of four, are getting by, why bother?
Is it any wonder that being PCI compliant is meaningless from a security point of view? You can run a web app scan, check the box on your PCI audit and still have a web app security posture that looks like Swiss cheese!
2. The NSS tests. I have written before about the great work Rick Moy and the folks over at NSS have done. But go read this article in GCN by William Jackson, who interviews Rick.
It is downright scary that after five years in prime time, IPS still does not catch such a large percentage of attacks. We all knew that signature-based detection alone was not going to see every attack. But we have deluded ourselves into believing that anomaly- and behavior-based detection would somehow make our signature-based technology actually work.
Yes, an IPS may catch rudimentary types of attacks, but how can we sleep at night with some of these well-known IPS devices on the job?
3. Anti-virus: another false sense of security! For all of the millions of dollars the AV vendors spend (a small fraction of the billions they rake in) on better detection, what have we got? A day late and a dollar short technology, I am afraid. Our AV is great against last year’s attacks but pretty weak on this year’s threats.
That is, of course, assuming that your AV is actually up to date. In most organizations, what percentage of mundane AV updates are failing? From my NAC experience I was surprised that, even on some of the most sensitive networks in the world, the number of AV update failures across the network is pretty high. It only takes one bad apple.
4. Patching is a lot like AV. How many patches fail to reach every machine that needs them? Too many is the answer.
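Points 3 and 4 come down to the same question: not whether AV and patching exist on paper, but what fraction of the fleet they actually cover right now. Below is an added example, not code from the original post, of the kind of coverage check that turns an endpoint or NAC inventory export into an answer. The inventory records, hostnames, definition dates and patch identifiers are all constructed for the example; a real export would have the same shape but far more rows.

```python
from datetime import datetime, date

# Constructed sample inventory, shaped like a simplified endpoint-management
# or NAC export: hostname, date of the last successful AV definition update
# (None if it has never reported one), and the required patches still missing.
# Hostnames and patch IDs are hypothetical, not real data.
INVENTORY = [
    {"host": "ws-001",     "av_defs": "2009-03-11", "missing_patches": []},
    {"host": "ws-002",     "av_defs": "2009-03-12", "missing_patches": ["KB-hyp-01"]},
    {"host": "ws-003",     "av_defs": "2009-02-20", "missing_patches": []},
    {"host": "srv-db-01",  "av_defs": "2009-03-10", "missing_patches": []},
    {"host": "srv-web-01", "av_defs": "2009-03-05", "missing_patches": ["KB-hyp-02", "KB-hyp-03"]},
    {"host": "lab-009",    "av_defs": None,         "missing_patches": []},
]

# The day the report is being run; fixed here so the example is reproducible.
AS_OF = date(2009, 3, 12)


def av_age_days(record, as_of):
    """Days since this host's AV definitions were last updated; None if never."""
    if not record["av_defs"]:
        return None
    updated = datetime.strptime(record["av_defs"], "%Y-%m-%d").date()
    return (as_of - updated).days


def stale_av_hosts(hosts, as_of, max_age_days=3):
    """Hosts whose definitions are older than max_age_days or were never updated.

    A host that has never reported an update is treated as stale: the silent
    failure case is exactly the one a simple 'is AV installed?' check misses.
    """
    stale = []
    for record in hosts:
        age = av_age_days(record, as_of)
        if age is None or age > max_age_days:
            stale.append(record["host"])
    return stale


def unpatched_hosts(hosts):
    """Hosts with at least one required patch still missing."""
    return [r["host"] for r in hosts if r["missing_patches"]]


def coverage_report(hosts, as_of, max_age_days=3):
    """Summarise fleet-wide coverage: who is stale, who is unpatched, and the
    percentage of hosts with no gap at all. any_gap is the 'one bad apple'
    signal: True if even a single host is behind."""
    stale = set(stale_av_hosts(hosts, as_of, max_age_days))
    missing = set(unpatched_hosts(hosts))
    behind = stale | missing
    total = len(hosts)
    fully_covered = total - len(behind)
    return {
        "total": total,
        "stale_av": sorted(stale),
        "unpatched": sorted(missing),
        "fully_covered_pct": round(100.0 * fully_covered / total, 1) if total else 0.0,
        "any_gap": bool(behind),
    }


if __name__ == "__main__":
    report = coverage_report(INVENTORY, AS_OF)
    print(f"{report['fully_covered_pct']}% of {report['total']} hosts fully covered")
    print("stale AV definitions:", ", ".join(report["stale_av"]) or "none")
    print("missing patches:     ", ", ".join(report["unpatched"]) or "none")
```

The threshold is the part worth arguing about: three days is generous for AV definitions, and tightening it to one day in the sample above moves srv-db-01 into the stale column too. The point of the report is not the exact percentage but that the number of hosts with any gap is the one that matters, since an attacker only needs one of them.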
We could go on and on. Don’t even get me started on NAC and DLP. In general, our reliance on technology that does not work as well as we hope, think and pray it does is more dangerous than if we had nothing at all. At least then we would be serious about the policies and processes that we need to put in place.
In the meantime, we need to rethink whether we are as protected as we think we are. If not, we need to take measures in response.