Tuesday, April 12, 2011

How hard is security?

It's so hard that security companies get hacked:
The website of web application security provider Barracuda Networks has sustained an attack that appears to have exposed sensitive data concerning the company's partners and employee login credentials, according to an anonymous post.
It looks like a SQL Injection attack, which works like this:


The press has the expected sort of gloating.  I'm much more sympathetic.  Barracuda had the motivation to try to keep this from happening.  They had the technical expertise to try to keep this from happening.  They had the technology to try to keep this from happening.

You could say the same about RSA, which has some of the best security technology around.  They got hacked, too.

This is hard.  What makes it really hard is that there's big money in Black Hat hacking, so big that the Bad Guys are almost certainly better funded than the Good Guys.

Interesting times.

3 comments:

  1. I always told my clients

    "I don't care who you are, how good you are, there's one, or ten, or at most a couple hundred of you; there's a couple hundred thousand of them.

    You have to pay folks, a maximum of 60 hours a week, and they have unlimited time. Your people have hobbies and lives outside of work; for them, this IS their entire life. It's all they do. They have unlimited motivation.

    You can't stop a hundred thousand people with unlimited time and motivation. IT CAN"T BE DONE.

    They WILL get in. That's not even a question. The question is, how well can you handle it when they do. What will they get. How will you recover. Because everyone gets cracked eventually".

    A few of them even believed me and listened.

    ReplyDelete
  2. My focus is in system hardening. My biggest hurdle is convincing people that the firewall doesn't provide much security at all. Luckily, I've been able to make a little headway in at least my local organization. The rest of the industry is aware of the problem, but good coding and security always seem to lose in the cost/benefit analysis.

    ReplyDelete
  3. In my experience, which is physical security, most companies try to pay out as little as possible for their security and end up losing more money than if they would double or triple there security budget.

    Sounds like the same thing happens with the inter-webs security companies.

    Josh

    ReplyDelete

Remember your manners when you post. Anonymous comments are not allowed because of the plague of spam comments.