Monday, March 09, 2009

The Security World Is Not Just a Webbed, Virtual, Fluffy Cloud

If you've been watching the digital security scene for a while, you'll notice trends. Certain classes of attack rise and fall. Perceptions of risks from insiders vs outsiders change. I think it is important to realize, however, that globally, security vulnerabilities and exposures are persistent. By that I mean that if we forget or neglect problems from the past (or even present) and focus only on the future, we will lose.

For example, the three big themes you'll see in many IT and security discussions are the following.

  1. Web apps

  2. Virtualization

  3. Cloud


If you're not dealing with those three areas, you're a dinosaur, man! Forget all that other stuff you've learned!

The problem with that attitude is that it sees the world through a tunnel of shiny newness.

Consider the following list of recent security issues and see how many of them deal with those three hot topics.

I could continue. The point is there's a lot more to our security problems than Web, VM, and Cloud. It might be simpler to think of only those three problems, but there are at least a dozen more that require attention. This problem makes our security lives more difficult, but also more interesting.


Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. "Super Early" Las Vegas registration ends 15 Mar.

5 comments:

dre said...

Actually, our industry has too much focus/emphasis on Windows buffer overflows; not webapp/cloud/virt.

While I agree that all of the things that you have mentioned are important, they probably don't require a dedicated person at each company. Unless your organization specializes in DNS service offerings (e.g. OpenDNS), BGP offerings (e.g. Renesys), MPLS services (e.g. AT&T), or non-traditional rootkits (e.g. Veracode).

Web applications affect um... everyone. Every organization that I know about, and one-hundred percent of users.

Some quotes for you before we leave:
"The number of virtual servers will rise to more than 1.7 million physical servers by 2010, resulting in 7.9 million logical servers. Virtualized servers will represent 14.6% of all physical servers in 2010 compared to just 4.5% in 2005." - IDC

"60% of production virtual machines will be less secure than their physical counterparts through to 2009." - Gartner

"On average over 70% of IT security budgets is spent on infrastructure, yet over 75% of attacks happen at the application layer." - Gartner

"63% of developers are not confident that they write secure code." - Microsoft Research

Anonymous said...

@ Richard:

Right on the spot. Is the security buzzword phenomenon moving to the technical areas of security? I don't know why, but I have reasons to expect the worse in terms of security.

You know, mainframes suffered with security issues from day 0, so people tried to define models that went into place and they finally "became secure"... so, from the late 80s, hacking exploded and more than a half of the security paradigms went to the space.

I think we are getting to the bottom of that wave, and people are starting to assume that this security stuff isn't that chaotic anymore; after all, we all learned that firewalls cannot protect the upper layers, that applications must be secure by design.

What f*cks the whole thing is that security is not a science, it's an art, and creativity is still one of the main tools of the attacking agent. While they have the advantage of being creative and attacking where we don't expect, we are stuck in buzzwords and dogmas...


@Andre Gironda:

WHAT?!?!?! "Unless your company specialises in DNS service offerings?!!?!?" Please, somebody stop the world 'coz I wanna get out...

Anonymous said...

Richard,
Web app and virtualization are stringent real problems that directly affect the business to a high degree and therefore they warrant answers. They are real, are here, being used on a larger scale day by day, and we have to deal with them sooner than later.
Indeed, salespeople abuse them way too much.

John Ward said...

Rich,

You're losing touch. Attach the phrase "it's the new hotness" when describing one of the "outdated" areas, and suddenly everyone will focus on it again. :)

Anonymous said...

Just finished reading "The Security World Is Not Just a Webbed, Virtual, Fluffy Cloud." Quite enjoyable.

Question, will you be writing more on Network Security or Virtualization? If so, would you be interested in having it showcased in our monthly newsletter? This would be free exposure for you.

Let me know if you are interested and we can talk more about it:

janderson@imninc.com.
http://blogsunlocked.wordpress.com/