
Birkholz interviewed by IT Business Edge


An interview with Erik Pace Birkholz, president and founder of Special Ops Security Inc. Since 1995 he has performed hundreds of vulnerability assessments, penetration tests, host security reviews, Web application assessments and security infrastructure reviews for large corporations. He is the author of the best-selling SPECIAL OPS: Host and Network Security for Microsoft, UNIX and Oracle.


URL: http://www.itbusinessedge.com/content/3Q/3qpub4-20050413.aspx

Fortifying Network Security, April 13, 2005

What's wrong with today's typical approaches to network security?
Birkholz: Too many people think technology will solve network security problems. Unfortunately, that's not true. Technology won't do the trick because you need to address underlying systemic problems. In the six years I did penetration testing and security assessments, I found that even the biggest companies in the U.S. have security problems and that they all boil down to a few common issues. Until they are fixed, technology is not going to solve the problem. There's no security magic pill. Security is a blend of people, processes and technology. You need to educate people and follow sound and auditable processes before you apply the technology.

Also, too many have focused on perimeter defenses. But much of the nastiness is on the inside with worms and employee theft attacking internally. A perimeter defense creates a hard outer shell, but the interior is still soft. You need to move away from a perimeter defense model to an asset-centric security model.

What do you mean by an asset-centric security model?
Birkholz: An asset-centric model protects the right assets, from the right threats, with the right measures. Assets of greater criticality and value to an organization are held to higher security standards and protected by additional layers of defense. If possible, they should be compartmentalized into their own networks and segments. The analogy I use is how airport security has been strengthened since 9/11. Before 9/11, there were few security layers. You went through a metal detector and then you could walk around the airport and get on the wrong plane if no one was paying attention.

Now, if you look at all the extra layers of security, the check-in and ticketing areas are like screening routers; security screening is analogous to firewalls and logging on a network; the airport concourse is like the DMZ; the airport gates represent LANs, extranets, VPNs, wireless and modems; X-rays, dogs and search are equivalent to IDS and IPS; gate agents are the personal firewalls and HIPS; reinforced cockpit doors are the AV and chroot jail, while the airplanes and passengers are the assets to be protected.

How do you put an asset-centric model in place?
Birkholz: There are several steps. First you compartmentalize assets into security zones based on their criticality. Then you assess exposures and vulnerabilities in each zone. You plan and execute remediation and implement appropriate mitigating controls. Then you audit the effectiveness of those controls. You monitor all points of ingress and egress for critical security zones and monitor all operating system and application logs of assets in critical security zones.

The analogy I use here is that of a retail display. Rolex watches might be kept locked in the back of the store. Less expensive watches might be kept in a locked display case, while the cheapest ones might be left on the counter where customers can actually touch them. Each of these measures, like network security measures, gives you additional time to respond, based on the criticality of the assets. It's not a question of saying that nothing is going to happen. The question is, when something does happen, how much of a chance will you have to respond?
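The zoning and ingress/egress monitoring that Birkholz describes can be made concrete at a zone boundary. The following is an added example, not part of the interview and not Special Ops Security's material: an nftables ruleset for a Linux gateway that sits between a general corporate LAN and a segment holding critical assets. The interface names, subnets and hosts are assumptions chosen for illustration. Only one management host may reach the critical zone (SSH only), the zone may only send syslog to a central collector, and every new connection crossing the boundary in either direction is logged, accepted or not, so that the ingress and egress of the critical zone are fully visible.

```nft
#!/usr/sbin/nft -f
# Added example (not from the interview): gateway ruleset for a critical security zone.
# All names and addresses below are assumptions for illustration.
flush ruleset

define corp_if     = "eth0"          # assumed: NIC facing the general corporate LAN
define crit_if     = "eth1"          # assumed: NIC facing the critical-asset segment
define crit_net    = 10.10.50.0/24   # assumed: critical-asset segment
define mgmt_host   = 10.10.1.5       # assumed: the only host allowed to administer the zone
define syslog_host = 10.10.1.10      # assumed: central log collector the zone may talk to

table inet critical_zone {
    chain forward {
        # Default deny: nothing crosses the zone boundary unless a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Replies to connections already permitted below.
        ct state established,related accept

        # Ingress: only the management host, only SSH, and the connection is logged.
        iifname $corp_if oifname $crit_if ct state new ip saddr $mgmt_host ip daddr $crit_net tcp dport 22 log prefix "crit-ingress-accept " accept

        # Everything else trying to enter the zone is logged and dropped.
        iifname $corp_if oifname $crit_if log prefix "crit-ingress-drop " counter drop

        # Egress: the zone may only send syslog to the collector, and that is logged too.
        iifname $crit_if oifname $corp_if ct state new ip saddr $crit_net ip daddr $syslog_host udp dport 514 log prefix "crit-egress-accept " accept

        # Any other outbound attempt from the zone (e.g. a worm or data leaving) is logged and dropped.
        iifname $crit_if oifname $corp_if log prefix "crit-egress-drop " counter drop
    }
}
```

Loading this with `nft -f` on the gateway puts both halves of the model in place: compartmentalization (default drop in both directions) and monitoring (a log line with a distinct prefix for every new crossing, plus counters on the drop rules so an auditor can see how often the boundary is being probed). The same pattern extends to additional zones by adding a table or chain per zone, with the rule set for each zone as narrow as the criticality of its assets demands.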

Copyright 2002-2010 • Special Ops Security, Inc. • All Rights Reserved.