As I’m writing this late May 2013, arguably one of the coldest and gloomiest months we had in decades here in Zurich, it’s tough not to get in a bit of a ranty mood. So I apologize in advance if this article seems to be written by a grumpy old man.

Recently, I visited a number of events targeted at CISO and similar roles here in Switzerland. All of those events were excellently organized, provided great food and drink as well as plenty of opportunities for discussions and the occasional vendor pitch. Whenever I have the time for it, I enjoy going to these events. Not because of the food – well, not only because of the food – but because I think it is important to discuss current problems with a significant number of people from different industries and backgrounds in order to come up with good ways to tackle them. At scip, we work for a very wide variety of customers, so understanding different needs and views is making our life a lot easier.

But I digress. When I was at one of said events lately, I had a prolonged discussion with the CISO of a large Swiss industrial corporation which will remain unnamed for privacy reasons. While we never worked together before, he was familar with my work and wanted to ask me some questions. Aren’t attacks from within more critical than those from the Internet? What products can I use to protect from external attacks? What about sophisticated attacks? And so on.

If you work in security for a while, you will probably have heard all of those questions before. I for sure have. That does not mean that they are bad or silly questions, it’s actually quite the opposite. If those questions get asked so frequently, their answers must be rather important. But for some reason, the answers are way less persistent than the question itself. There seems to be no FAQ for general security questions like those and I think this is a problem we, as an industry, need to solve.

For example: The problem of internal attacks remains, at its core, unchanged for decades. Yes, technology has changed a lot lately. We are dealing with new problems, that make it easier for internal threats to cause damage and we counter those new problems with new solutions.

The problem is: We still spend so much effort, time and money on discussing the same things over and over again adding new buzzwords created by security vendors to sell new solutions for old problems. The industry is, in my personal opinion, highly reluctant to move out of its comfort zone, to identify and tackle new problems with new approaches. So instead, it’s keeping itself busy with the same couple of things that worked in the past. It’s a steam engine that keeps dozens of security vendors alive without actually making our evolving digital world significantly more secure.

We need to create some sort of persistence in our information security programs. As most of you who read our scip labs regularly know, I’ve spent a good amount of time researching the Apple iOS platform. Among other interesting things, I analyzed a good number of applications, some of them very deeply.

The most unsettling thing about security problems in iOS applications is, that a lot of these problems are ancient. We are talking about authentication in cleartext, password storage in cleartext. I even saw a glorious recreation of the old Javascript Authentication with the actual password in the HTML sourcecode issue, when an application performed local authentication against a password it just received over an unencrypted GET request.

A whole generation of application developers that started to program web applications in the late 90’s have learned the hard way that these things are not good ideas. And, happily, they have stopped doing them, mostly. We frown upon websites that do not allow authentication via HTTPS, but at the same time, iOS apps haven’t gotten the memo yet.

I remember having discussions with Marc in 2007 about a project called Tractatus he did back then. His goal was to define simple and clear facts about computer security much alike Ludwig Wittgenstein did so for general philosophy. And now, with the complexity of information security growing faster and faster, I feel like this approach is something worth re-visiting.

We should not discuss the same questions over and over again. We should discuss the iteration of the question, we should add detail where useful and new solutions where necessary. But approaching information security problems should be structured, based on a legacy of previous decisions, experience and knowledge. Not a vendor pitch. We simply cannot afford to start at square one every time a new technology, type of device or business model comes along.

Attackers evolve quickly, because they need to in order to succeed and make money. The security industry does not need to keep up to make money. Even old problems generate money, as firewall sales show impressively. But we need to keep up to do our job, and that’s to defend and stay safe.

About the Author

Stefan Friedli is a well-known face among the Infosec Community. As a speaker at international conferences, co-founder of the Penetration Testing Execution Standard (PTES) as well as a board member of the Swiss DEFCON groups chapters, he still contributes to push the community and the industry forward.

Links

• http://www.nzz.ch/aktuell/panorama/wetter-so-grau-war-es-in-der-deutschschweiz-seit-30-jahren-nicht-mehr-1.18085919
• https://www.computec.ch/projekte/tractatus/