• Elan Winkler
    Director of Solutions

    Elan Winkler is director of solutions for McAfee, Inc. In this role, she is responsible for multi-product initiatives across a broad spectrum of security-related topics.

    Winkler is a security veteran, with 19 years of experience in desktop, gateway, email, encryption, firewall and Web security. She has held senior positions at several technology companies, including MCI Telecommunications, Entrust, Sigaba, Finjan, GreenBorder and Secure Computing. She was responsible for product launches and vertical industry marketing for the finance, retail/grocery, healthcare, and oil and gas sectors.

    Winkler is a member of the American Marketing Association, Silicon Valley Product Management Association, and Women in Telecommunications. She is a frequent speaker at industry and technical conferences worldwide.

  • Time to Update our “Defense in Depth” Definition – Part Two Tuesday, July 14, 2009 at 2:24 pm by Elan Winkler

    I was talking to a colleague the other day about the need to provide security to users as they surf the web … after all, Web sites have taken over as the major source* of attacks today. The discussion started with gateway security for Web surfing.

    “Surely,” I argued, “the gateway is the first line of Web security defense. It’s the most economical, the most efficient, and the most effective.” While she didn’t disagree with that, she pointed out the fly in the ointment.

    “What if I’m traveling or working from home or a hot spot and not connected to the VPN? I’m still using a corporate asset and it still needs to be protected with the same policies as when I’m in the office, doesn’t it? If the company just has gateway Web security, how can it protect me?”

    She’s absolutely right. This reminded me of the defense in depth topic that I recently blogged on. As we mentioned before, traditional defense in depth wisdom states that it’s best to have different vendors at the gateway and on the desktop. But it would be so inefficient to have different vendors providing gateway Web security and local device Web security, wouldn’t it? You’d have to manage multiple vendors, learn multiple admin consoles, duplicate policy rules, and contact different support desks if you had a problem.

    What makes more sense is to have different types of technologies used at the gateway and on the device that back each other up and ensure that users and their devices are protected from any and all threats whether they’re in the office, working on a VPN from home, or at their local coffee shop.

    Those multiple technologies might include anti-virus, anti-spyware, anti-malware, reputation scores, Web site reputation analysis, Web page categorization and SSL scanning. Combining these technologies from one vendor allows for consolidated reporting and tracking, common policy enforcement and simplified administration. All of which leads to lower costs and better security. Isn’t that what defense in depth is supposed to do?
    * According to McAfee Avert Labs, 2008 saw over 400% growth in SQL injection vulnerabilities that can lead to delivering a malicious payload and over 150% growth in cross-site scripting vulnerabilities that can draw users to malicious websites.


  • Time to Update our “Defense in Depth” Definition – Part One Thursday, June 25, 2009 at 7:58 pm by Elan Winkler

    We all seem to take for granted that changes happen very quickly in the online world, yet for some reason we haven’t updated our definition of “defense in depth” in over a decade.

    Originally borrowed from military lingo, in information security defense in depth represents the use of multiple computer security techniques to help mitigate the risk of one component of the defense being compromised or circumvented. An example could be anti-virus software installed on individual workstations when there is already virus protection on the firewalls and servers within the same environment. Different security products from multiple vendors are usually deployed to defend different potential vectors within the network, helping prevent a shortfall in any one defense leading to a wider failure; also known as a “layered approach.”

    I go out and talk to customers at various industry and guest speaking engagements, and I still hear people using this basic definition. They insist that they need multiple vendors at different points in the network. And, when “state of the art” was anti-virus (as in the Wikipedia example above), sure, that made sense. Signature .dat files came out at different times and some vendors were better with some types of malware than others. So having vendor “A” at the gateway, and vendor “B” on the desktop was the smart choice.

    But now? Anti-virus is still a necessity but it is no longer the first or only line of defense. There are now multitudes of technologies that are specifically designed to protect every possible door and window into the enterprise. Some of these new technologies are deployed inside the enterprise and others are global services offered by vendors. And the attackers are smarter as well … mixing and matching attack vectors so that one type of technology is insufficient to stop a threat.

    Today’s defense in depth needs to focus on deploying and managing disparate technologies that are capable of catching threats that use more than one attack vector.

    In my next posting, I’ll talk more about these types of technologies and the issues involved in deploying and managing them from multiple vendors.


  • Cyberspies Hack Power Grid – Those in the Know, Knew! Monday, May 4, 2009 at 4:19 pm by Elan Winkler

    Last month the press was abuzz with the news that the US electric grid has been hacked by foreign operatives. To anyone who has studied security in the power industry, this isn’t much of a surprise.

    Last fall (Aug/Sept 08), I conducted a survey of 200 critical infrastructure operators (the people who actually work in the industry and KNOW what’s what) on what they thought of the safety of our power grid. 60% of them told me that the energy sector was unprepared to stave off a major attack. They also felt that the power grid was the number one target ripe to be exploited (27%). 50% of them told me that our critical infrastructure had already been successfully attacked.

    So, if the people in the know, knew, how come we’re still vulnerable? I asked them that question as well. The number one answer: cost. Number two: complacency. No real surprises there; those are the same answers that we used to get from IT departments 15 years ago on why they didn’t have defense in depth technologies set up to protect servers and databases.

    The survey respondents also provided the following comments:

    • “There hasn’t been a real incident so no one takes it seriously.”
    • “Lack of knowledge and understanding.”
    • “Inability of decision makers to commit to security upgrades.”
    • “No one wants to pay for security.”
    • “False sense of security.”
    • “Security competes with other priorities for resources.”
    • “We, as Americans, believe we are invulnerable to this kind of attack.”

    So what do we do now? I know the legislators are lining up to introduce new rules and regulations as soon as possible. Similar to the $700 trillion authorized for the banks just a few months ago, any new legislation is going to be rushed, impulsive and probably ultimately worse than doing nothing at all.

    Yes, we need to act. But, IMHO, we need to think first. There is a group of talented and knowledgeable security experts who have been studying this for many years (and almost none of them have been elected to public office). The answers are well known and doable. We just need the will, the political clout, and the expertise to do it properly.

    If anyone would like a copy of the survey results, please feel free to email me at elan_winkler@mcafee.com.


  • Smart Grids Need to Be Smarter … and Safer Tuesday, March 24, 2009 at 2:43 pm by Elan Winkler


    Once again, technology is leading us down a garden path. Today’s new bright, shiny, object in the energy sector is called the smart grid. Smart Grid devices are small computers that are connected to the power grid, giving customers and power companies better control over the electricity they use. There are about 2 million of these devices currently deployed, with 17 million more planned in the next few years. As part of the recent stimulus package, the government is funding about $4.8 billion to spur this deployment.


    But is it safe? Is it secure? What opportunities does the smart grid create for the hacking community? No one really knows, and that’s part of the problem. We’re so turned on by technology and the advantages that it creates for us, that we don’t want to think about the dark side. And, in this case, I mean “dark” side literally. A sophisticated hacker that could get control of these smart devices in our homes could literally black out entire sections of the country. Anyone remember 2003 when a downed tree put out the lights for 55 million customers? That would be child’s play compared to the potential risks from a smart grid hack that could originate from anywhere in the world.


    So, let’s be smart, and safe. These devices should be thoroughly tested by security professionals to really understand and uncover the cyber risks. After all, I’m not lying awake at night dreaming of the day that the power in my house is “smart.” Are you?



  • Hacking for Political Gain Wednesday, January 14, 2009 at 5:08 pm by Elan Winkler

    Yet again, the Internet is proving to be a fertile ground for subversive hacking for the sake of political gain. We saw it in April 2008 when Radio Free Europe was shut down for 2 days by the Belarusian opposition groups on the anniversary of Chernobyl. We saw it in July 2008 during the Russia/Georgia conflict when multiple Georgian Web sites were hit with denial of service attacks.

    Now it’s pro-Hamas supporters. Just last week they gained access to an Israeli Domain Registration Server and for several hours, Internet users attempting to visit the Ynet English and Bank Discount Web sites were instead directed to a server in Japan that was hosting a site filled with propaganda.

    While I am a strong free speech supporter and believe that every side of a conflict has its own story to tell, let’s not confuse political agendas with cyber crime. Denial of service and Web site hacking attacks are crimes and violate the very intent and purpose of the Internet. If you want to engage in propaganda, do it on your own Web site!


The postings on this blog are the opinions of the individual posters and don’t necessarily represent McAfee’s position or opinion on this subject.
© 2009 McAfee, Inc. All rights reserved. E & O E