x

Where does the future of security go after Stuxnet

Since it seems that attacks are getting more sophisticated. Do we or should we plan for this in our Security Policies? Article

more ▼

asked Jul 15, 2011 at 11:03 AM in Default

avatar image

bopeavy
157 2 3 5

(comments are locked)
10|1200 characters needed characters left

3 answers: sort voted first

A bit off-topic, but I'll nibble...

The broad consensus is that Stuxnet was specifically targeted at this enrichment facility by a national intelligence organization. If a private company were the target, they'd just confiscate or destroy the computers... no worries about retaliation or violating said company's national sovereignty.

In my view, it would be an incredible waste of resources for a run-of-the-mill IT shop (or even a high-end sophisticated one) to plan for the prevention of this type of event in their security policies.

more ▼

answered Jul 15, 2011 at 11:23 AM

avatar image

KenJ
25k 3 10 20

So true but i think that it leads the way for hackers to come up with more sophisticated attacks that may become undetectable by normal antivirus or malware software out there.

Jul 15, 2011 at 11:27 AM bopeavy

And the natural evolution of a vigilantly updated security policy will take these newer threats into consideration as they develop.

We can't write a security policy that is flexible and comprehensive enough to handle future threats without needing updates.

Every new type of computer threat is essentially undetectable until it's been observed in the wild and virus definitions can be updated.

It's the IT version of the Red Queen's Hypothesis - http://en.wikipedia.org/wiki/Red_Queen%27s_Hypothesis

Jul 15, 2011 at 11:38 AM KenJ

Remember, policies are your governing rules. "I should audit for password changes." Notice it doesn't say how you do the audit. That comes in the procedures, which are smaller, technical, and expected to be modified relatively frequently. Policies = what you do. Procedures = how you do it.

Jul 15, 2011 at 11:58 AM K. Brian Kelley

Don't you think we should go a bit futher @K. Brian Kelly "Policies = what you do. Procedures = how you do it." Future = How do we change it/or make it better

Jul 15, 2011 at 12:14 PM bopeavy

Not the policies and procedures themselves, the shared definition for the word "policy" and the shared definition for the word "procedure"

If we don't have a shared security vocabulary, we can't have a meaningful security discussion.

If you want to change the definitions of the shared terms, or introduce your own terms, you must have group buy-in. Otherwise, you're speaking quechua while everybody else is speaking farsi.

Jul 18, 2011 at 02:13 PM KenJ
(comments are locked)
10|1200 characters needed characters left

Yes. Of course you do. The catch is that's why you build your policies to be more high level and your procedures to be more technical and specific. You realize that your procedures will change as attacks evolve. Yes, it means the good guys are always playing catch-up. That's why we don't sleep.

more ▼

answered Jul 15, 2011 at 11:37 AM

avatar image

K. Brian Kelley
1k 1 4 4

That leads to the question of who are the good guys? To must that seems to be a matter of perception. Take our history against england we where terrorist, but to us we where freedom fighters.

Jul 15, 2011 at 11:49 AM bopeavy

Dang! I came out on the wrong side of @K. Brian Kelley :)

Jul 15, 2011 at 11:51 AM KenJ

It could very well happen...LOL!

Jul 15, 2011 at 11:54 AM bopeavy

The good guys are the ones protecting the organizations.

Jul 15, 2011 at 11:56 AM K. Brian Kelley

If you want to avoid all moral judgment we could change the words "good guys" to something like the "defenders of a network." The question here is not so much about good v bad or black hat v white hat but rather about those trying to penetrate or otherwise compromise a network and those trying to protect its integrity and the technical tools available to each.

Jul 18, 2011 at 10:26 AM TimothyAWiseman
(comments are locked)
10|1200 characters needed characters left

I think with so many other things the answer is: it depends.

I think every institution should take basic security practices into consideration. I have particularly written about basic steps to make a SQL Injection attack more difficult at http://www.simple-talk.com/sql/learn-sql-server/sql-injection-defense-in-depth/

Now, whether or not you need to go beyond the basics (and preparing for a highly targetted attack from a highly sophisticated attacker in any meaningful way certainly goes far beyond the basics) is a cost-benefit-analysis. While you certainly should avoid obvious security errors (storing passwords in plaintext, reusing passwords, etc) once you get past that point increasing security often comes with multiple costs, and some of these costs can be very high.

For instance, one common way to improve authentication is to issue some form of authentication token along with a password. This token may come in the form of a smart card or a device that creates single use identifiers, etc to go along with your main password (this would be Two Factor Authentication). This goes a very long way to improving authentication and strengthens security a great deal. But now you have to pay (or make your users pay) to have those tokens physically created. The user then has to actually keep track of this token and go through extra steps to use it, all of which involves costs.

Encryption, used properly, can be an enormous boon for security. It can vastly reduce the damage that is actually done by other security breaches. But it comes with multiple costs. Even if you use free software (I am a fan of TrueCrypt personally), it comes at a price in both performance and inconvenience, not to mention the risk that the decryption key will be lost which risks lost data.

And those are both still fairly straightforward, simple examples of ways to increase security. To protect against a determined, sophisticated attacker that is targeting you specifically, you need to go much further.

So, then it becomes a cost-benefit analysis. What is the likely damage of a breach? How likely are you to be targetted? How expensive are the planned security measures (and remember to include all costs in that, including inconvenience to the user)?

If you are talking about a bank or an institution that deals with highly confidential information (such as, say, medical records), then it probably makes sense to have a fairly high level of security and to be willing to pay for it. If you are dealing with less sensitive information then it is probably a bad trade off.

For isntance I would be quite willing to take the inconvenience of two factor authentication with my bank and would be willing to pay for the token myself if they made that an option. On the other hand, I am not overly worried about someone hacking my account on the servers where I play Go, and might easily look for another server if they made the sign on process even slightly annoying. I have a TrueCrypt file where I store my tax records and other records that might have my SSN or a credit card number. I do not however encrypt the notes I take in class. It all comes down to how much the security is worth versus how much it will cost.

more ▼

answered Jul 15, 2011 at 12:30 PM

avatar image

TimothyAWiseman
15.6k 22 51 38

(comments are locked)
10|1200 characters needed characters left
Your answer
toggle preview:

Up to 2 attachments (including images) can be used with a maximum of 524.3 kB each and 1.0 MB total.

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

SQL Server Central

Need long-form SQL discussion? SQLserverCentral.com is the place.

Topics:

x215
x1

asked: Jul 15, 2011 at 11:03 AM

Seen: 1052 times

Last Updated: Jul 15, 2011 at 11:03 AM

Copyright 2017 Redgate Software. Privacy Policy