SecurityCertified

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Saturday, October 10, 2009

"Protect the Data" Idiot!

Posted on 4:56 PM by Unknown
The 28 September 2009 issue of InformationWeek cited a comment posted to one of their forums. I'd like to cite an excerpt from that comment.

[W]e tend to forget the data is the most critical asset. yet we spend inordinate time and resources trying to protect the infrastructure, the perimeter... the servers etc. I believe and [sic] information-centric security approach of protecting the data itself is the only logical approach to keep it secure at rest, in motion and in use. (emphasis added)

I hear this "protect the data" argument all the time. I think it is one of the most misinformed comments that one can make. I think of Chris Farley smacking his head saying "IDIOT!" when I hear "protect the data."

"Oh right, that's what we should have been doing for the last 10, 20, 30 years -- protect the data! I feel so stupid to have not done that! IDIOT!"

"Protect the data" represents a nearly fatal understanding of information security. I'm tired of hearing it, so I'm going to dismantle the idea in this post.

Now that I've surely offended someone, here are my thoughts.

Someone show me "data." What is "data" anyway? Let's assume it takes electronic form, which is the focus of digital security measures. This is the first critical point:

Digital data does not exist independently of a container.

Think of the many containers which hold data. Imagine looking at a simple text file retrieved from a network share via NFS and viewed with a text editor.

  1. Data exists as an image rendered on a screen attached to the NFS client.

  2. Data exists as a temporary file on the hard drive of the NFS client, and as a file on the hard drive of the NFS server.

  3. Data exists in memory on the NFS client, and in memory on the NFS server.

  4. The NFS client and server are computers sitting in facilities.

  5. Network infrastructure carries data between the NFS client and server.

  6. Data exists as network traffic exchanged between the NFS client and server.

  7. If the user prints the file, it is now contained on paper (in addition to involving a printer with its own memory, hard drive, etc.)

  8. The electromagnetic spectrum is a container for data as it is transmitted by the screen, carried by network cables and/or wireless media, and so on.


That's eight unique categories of data containers. Some smart blog reader can probably contribute two others to round out the list at ten!

So where exactly do we "protect the data"? "In motion/transit, and at rest" are the popular answers. Good luck with that. Seriously. This leads to my second critical point:

If an authorized user can access data, so can an unauthorized user.

Think about it. Any possible countermeasure you can imagine can be defeated by a sufficiently motivated and resourced adversary. One example: "Solution:" Encrypt everything! Attack: Great, wait until an authorized user views a sensitive document, and then screen-scrape every page using the malware installed last week.

If you doubt me, consider the "final solution" that defeats any security mechanism:

Become an authorized user, e.g., plant a mole/spy/agent. If you think you can limit what he or she can remove from a "secure" site, plant an agent with a photographic memory. This is an extreme example but the point is that there is no "IDIOT" solution out there.

I can make rational arguments for a variety of security approaches, from defending the network, to defending the platform, to defending the operating system, to defending the application, and so on. At the end of the day, don't think that wrapping a document in some kind of rights management system or crypto is where "security" should be heading. I don't disagree that adding another level of protection can be helpful, but it's not like intruders are going to react by saying "Shucks, we're beat! Time to find another job."

Intruders who encounter so-called "protect the data" approaches are going to break them like every other countermeasure deployed so far. It's just a question of how expensive it is for the intruder to do so. Attackers balance effort against "return" like any other rational actor, and they will likely find cheap ways to evade "protect the data" approaches.

Only when relying on human agents is the cheapest way to steal data, or when it's cheaper to research develop one's own data, will digital security be able to declare "victory." I don't see that happening soon; no one in history has ever found a way to defeat crime, espionage, or any of the true names for the so-called "information security" challenges we face.
Email ThisBlogThis!Share to XShare to Facebook
Posted in nsm | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • DojoCon Videos Online
    Props to Marcus Carey for live streaming talks from DojoCon . I appeared in my keynote , plus panels on incident response and cloud secur...
  • Bejtlich Speaking at TechTarget Emerging Threats Events in Seattle and New York
    I will be speaking at two events organized by TechTarget , for whom I used to write my Snort Report and Traffic Talk articles. The one-da...
  • SANS WhatWorks Summit in Forensics and Incident Response
    I wanted to remind everyone about the SANS WhatWorks Summit in Forensics and Incident Response in DC, 8-9 July 2010. The Agenda looks gre...
  • Sguil 0.7.0 on Ubuntu 9.10
    Today I installed a Sguil client on a fresh installation of Ubuntu 9.10. It was really easy with the exception of one issue I had to troubl...
  • Microsoft Updates MS09-048 to Show XP Vulnerable to 2 of 3 CVEs
    Microsoft published a Major Revision of MS09-048 to show that Windows XP Service Pack 2 and Windows XP Service Pack 3* are now Affected So...
  • BeyondTrust Report on Removing Administrator: Correct?
    Last week BeyondTrust published a report titled BeyondTrust 2009 Microsoft Vulnerability Analysis . The report offers several interesting ...
  • Human Language as the New Programming Language
    If you've read the blog for a while you know I promote threat-centric security in addition to vulnerability-centric security. I think ...
  • DNI Blair Leads with APT as a "Wake-Up Call"
    AFP is one of the few news outlets that correctly focused on the key aspect of testimony by US Director of National Intelligence Dennis Bla...
  • SANS Forensics and Incident Response 2009
    The agenda for the second SANS WhatWorks Summit in Forensics and Incident Response has been posted. I am really happy to see I am speakin...
  • NYCBSDCon 2010 Registration Open
    Registration for NYCBSDCon 2010 is now open. As usual George and friends have assembled a great schedule ! If you're in the New York...

Categories

  • afcert
  • Air Force
  • analysis
  • announcement
  • apt
  • attribution
  • bestbook
  • blackhat
  • books
  • breakers
  • bro
  • bruins
  • certification
  • china
  • cisco
  • cissp
  • cloud
  • clowns
  • commodore
  • conferences
  • controls
  • correlation
  • counterintelligence
  • cybercommand
  • cyberwar
  • dfm
  • education
  • engineering
  • feds
  • fisma
  • freebsd
  • GE
  • ge-cirt
  • hakin9
  • history
  • impressions
  • information warfare
  • ipv6
  • law
  • leadership
  • malware
  • mandiant
  • microsoft
  • mssp
  • nsm
  • offense
  • oisf
  • packetstash
  • philosophy
  • pirates
  • powerpoint
  • press
  • psirt
  • reading
  • redteam
  • reviews
  • russia
  • sans
  • sec
  • sguil
  • snorby
  • spying
  • threat model
  • threats
  • Traffic Talk
  • training
  • tufte
  • tv
  • ubuntu
  • usenix
  • verizon
  • vulnerabilities
  • wisdom
  • writing

Blog Archive

  • ►  2013 (16)
    • ►  September (1)
    • ►  August (1)
    • ►  June (2)
    • ►  April (2)
    • ►  March (1)
    • ►  February (3)
    • ►  January (6)
  • ►  2012 (60)
    • ►  December (4)
    • ►  November (5)
    • ►  October (3)
    • ►  September (10)
    • ►  August (2)
    • ►  July (6)
    • ►  June (6)
    • ►  May (4)
    • ►  April (2)
    • ►  March (9)
    • ►  February (6)
    • ►  January (3)
  • ►  2011 (108)
    • ►  December (3)
    • ►  November (7)
    • ►  October (11)
    • ►  September (9)
    • ►  August (18)
    • ►  July (10)
    • ►  June (5)
    • ►  May (4)
    • ►  April (13)
    • ►  March (17)
    • ►  February (2)
    • ►  January (9)
  • ►  2010 (193)
    • ►  December (14)
    • ►  November (11)
    • ►  October (6)
    • ►  September (16)
    • ►  August (15)
    • ►  July (26)
    • ►  June (15)
    • ►  May (15)
    • ►  April (15)
    • ►  March (16)
    • ►  February (19)
    • ►  January (25)
  • ▼  2009 (123)
    • ►  December (10)
    • ►  November (17)
    • ▼  October (21)
      • Bejtlich and Bradley on SANS Webcast Monday 2 Nov
      • Partnerships and Procurement Are Not the Answer
      • Initial Thoughts on Cloud A6
      • Wednesday is Last Day for Discounted SANS Registra...
      • Review of Hacking Exposed: Web 2.0 Posted
      • Review of Web Security Testing Cookbook Posted
      • Review of SQL Injection Attacks and Defense Posted
      • Review of The Web Application Hacker's Handbook Po...
      • "Protect the Data" from the Evil Maid
      • Report on Chinese Government Sponsored Cyber Activ...
      • DojoCon to Stream Talks Live
      • Bejtlich Teaching at Black Hat DC 2010
      • "Protect the Data" -- What Data?
      • "Protect the Data" Where?
      • "Protect the Data" from Whom?
      • "Protect the Data" Idiot!
      • NSM in Products
      • Technical Visibility Levels
      • Hakin9 5/2009 Issue
      • Incident Handler, Incident Analyst, Threat Analyst...
      • Traffic Talk 7 Posted
    • ►  September (13)
    • ►  August (20)
    • ►  July (21)
    • ►  June (21)
Powered by Blogger.

About Me

Unknown
View my complete profile