Security as an advantage

This week has seen a lot of activity in the security world about one of the largest companies in Britain – Tesco. What’s unusual about this, certainly compared to most “security” news is that there’s been no notified data breach. Efforts conducted by Troy Hunt, in particular (and well documented at his web site – Lessons in website security anti-patterns by Tesco) have identified a number of potential security issues with Tesco’s online presence.

Tesco have made some responses (additional coverage at SC Magazine) and I’m sure we’ll see additional news on this.

Tesco aside, what this highlights is that most people aren’t aware of what security is in place, or should be in place for their online transactions. Not everyone has the time, ability or stubbornness of people like Troy to investigate and follow through with enough knowledge to get through the anodyne responses. This is an example of why having a knowledgeable and semi-independent security assessment is something that any organisation should do. That’s not to denigrate some of the fine people who work at Tesco – all of us sometimes need an extra set of eyes and ears, sometimes just to challenge assumptions. Luckily, here, the problems have been identified before there’s a serious issue.

One of the basic issues here is that security is hard – knowing that even if everything has been done “right” that it still may lead to a problem. This is one of the reasons that it’s good advice for users to use different passwords – even if you trust the people you give a password to, you can never be sure that it won’t get leaked. If you use the same username and password combo on multiple sites (or worse, for your e-mail access itself) then any password leak on those compromises a large amount of your online presence. Even a low value breach (a blog, for instance) escalates if those same credentials are used at a shopping site that has your credit card number stored and allows quick purchasing.

Security is about layers of defence – not assuming that each layer will hold, but mitigating and minimising the risk if it doesn’t. This incidentally is one of the issues with the “padlock” icon in browsers – it gives a false sense of security. Users are one of those layers and should assume that whatever is in place by the provider may not be enough…

One of the difficulties with any form of security is when it meets head-on issues such as finance, usability, compliance or legislation. The latter two in particular are insidious, often being used as a replacement for security (we’ve complied with XYZ policy) or even being antipathic to security. Especially in large organisations the challenges in putting forward a culture of good practice against those are immense. There may even be good and acceptable reasons for, what at first appears to be, bad practice.

That said, I’m wondering if these types of events may be the trigger for security as a competitive advantage. Would a (non-security) person actually choose to shop online at one store over another due to security deficiencies? If not, at what point would that happen?

Needles and the weakest link

My Haystack: Is finding that one needle really all that important? (Hint: Yes it is.)

Ed Adams raises some good points in his article, specifically around the increase in coverage of breaches (I’m still not 100% sure there is a true increase, or just more reporting) and the passive, reactionary response of “spend more on ‘x’ technology”. The reality, as pointed out is that there’s no way to guarantee the security of any system and the analogy of a “needle in a haystack” is quite an interesting one. Although the focus is on application security, the principles are useful to us all.

Extending that somewhat, we look at security as being a race – the attacker is looking for the needles, you’re trying to find them and remove them before he can get them. Getting rid of the obvious needles is our first task, but no matter what we do we can never be truly certain that there are none left. All we can do is reduce the probability of someone else finding one to such a degree that they give up. This is a reason why regular testing is so important – how else does one get to the needles first?

Unfortunately, attackers tend to come in one of two types. Some are opportunistic and will move on (compare someone checking out cars for visible money or valuables) to easier targets, others are focused on a certain goal. Depending on what type of attacker we face our level of “good enough” may change. Remember, you don’t need to outrun the lion, only the slowest of your friends…

Determined attackers also give another challenge. We often talk about weak links (another analogy) in a security process. What’s missed here is that there is always a weakest link – the television programme of the same name teaches us that even if everyone appears to be perfect, then someone must go. After removing (or resolving) that link, another becomes the weakest link and so on. The lesson is that we can never stop improving things – as Ed wisely says, new attack surfaces will arise, situations will change and our focus will have to adapt.

If we always see security as cost of doing business we can let it get out of control; building it into processes, training, applications and infrastructure will dramatically reduce that, but ultimately there’s a limit – it’s irrational to spend more on securing something than its value (whether that be in infrastructure, training or testing). This is why compliance and regulatory control has been such a boon for the security industry – it’s not perfect (by any means) but it focuses minds by putting a monetary value (in fines or reputation) to otherwise intangible assets.

Of course, the attacker has a similar constraint – there’s no point in spending more to acquire data than its value, but this is more difficult to quantify and shouldn’t be relied on from a defensive point of view; motives can be murky, especially if they’re in it for the lulz.