<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://www.codesecurely.info/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>codesecurely.org : Marketing</title><link>http://www.codesecurely.info/archive/tags/Marketing/default.aspx</link><description>Tags: Marketing</description><dc:language>en</dc:language><generator>CommunityServer 2.1 SP2 (Build: 61129.1)</generator><item><title>Marketing Security</title><link>http://www.codesecurely.info/archive/2007/04/01/marketing-security.aspx</link><pubDate>Sun, 01 Apr 2007 18:27:57 GMT</pubDate><guid isPermaLink="false">39ae98e9-4854-4bce-87c0-4727b915c95c:92</guid><dc:creator>rudolph</dc:creator><slash:comments>0</slash:comments><comments>http://www.codesecurely.info/comments/92.aspx</comments><wfw:commentRss>http://www.codesecurely.info/commentrss.aspx?PostID=92</wfw:commentRss><wfw:comment>http://www.codesecurely.info/rsscomments.aspx?PostID=92</wfw:comment><description>&lt;p&gt;Well it's been a while since I &lt;a href="http://www.codesecurely.org/archive/2007/03/03/security-evolved.aspx"&gt;last posted&lt;/a&gt; – no excuses but it has been a few stressful weeks – end of quarters, travel across the world and all. In any case I wanted to follow up with the general theme of &lt;a href="http://www.codesecurely.org/archive/2007/03/03/security-evolved.aspx"&gt;security evolved&lt;/a&gt; that I got started last time. One of the interesting things that has happened in the last year or so is that security for some has changed from something to be ashamed of and a pain point to an advantage of sorts. Case in point is &lt;a href="http://www.apple.com"&gt;Apple&lt;/a&gt; which through its &lt;a href="http://www.apple.com/getamac/"&gt;Mac-PC commercials&lt;/a&gt; appears to trump its security (among other attributes) over the competition. 
This is interesting for a couple of reasons in my mind. Firstly, it shows that security has stepped out of the technical echelons and made its way all the way to the marketing department (which, if you believe the stereotypes, is meant to be one of the clueless departments, competing hard for the most clueless with the sales guys ;)). This in turn leads to the second reason. One thing a good marketing department (and whether you like them or not, or whether you believe the commercials or not, you have to agree Apple has one of the best) is good at is coming up with important reasons why customers should buy their product. This in turn implies that whatever this competitive advantage is, it is only an advantage if it makes a difference to the consumer. Now in my little mind what that means is that, in Apple's wisdom, security is something that end users care about – and remember they are talking primarily about consumers, not enterprises. From my perspective this is pretty big and it would be interesting to see or hear about the research that went into coming up with this marketing strategy, i.e. how much do users care about security as an attribute, how does it compare to performance or usability, etc. I would think someone at Apple has these answers and these could help answer the ever-pertinent "What's the ROI for security?" or even the more basic "Why security?".
&lt;/p&gt;&lt;p&gt;The other, kind of related, phenomenon is what has happened at the security conferences over the last few years. Almost every security conference that I attended or was interested in, or that someone I knew attended or was interested in, was dominated by pretty much one company – &lt;a href="http://www.microsoft.com"&gt;Microsoft&lt;/a&gt;. Microsoft was not only a major sponsor but also had employees presenting, and not just one or two presentations – heck, at Blackhat 2006 they had an entire track. In my humble opinion a lot of this was marketing around the release of Vista and the security advances that it brings to the table as compared to prior versions of Windows. The interesting thing I learned is that the Security Technology Business Unit (or whatever it is called now – given all the reorganizations), which is responsible for Windows security, actually has a Marketing person. I would guess this person is tasked to a large extent with PR associated with the Patch Tuesday releases, but it wouldn't surprise me if part of the focus is also on marketing security as a competitive advantage for the Windows platform and the other Microsoft products.
&lt;/p&gt;&lt;p&gt;Anyway, these are just theories obviously, since I have no insider information, but I do think it is an interesting transition from defensive security to offensive security, if I may call it that. On the other hand maybe I am reading too much into this trend…&lt;/p&gt;
</description><category 
domain="http://www.codesecurely.info/archive/tags/Apple/default.aspx">Apple</category><category domain="http://www.codesecurely.info/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://www.codesecurely.info/archive/tags/Marketing/default.aspx">Marketing</category></item><item><title>Security Evolved</title><link>http://www.codesecurely.info/archive/2007/03/03/security-evolved.aspx</link><pubDate>Sat, 03 Mar 2007 22:50:12 GMT</pubDate><guid isPermaLink="false">39ae98e9-4854-4bce-87c0-4727b915c95c:33</guid><dc:creator>rudolph</dc:creator><slash:comments>3</slash:comments><comments>http://www.codesecurely.info/comments/33.aspx</comments><wfw:commentRss>http://www.codesecurely.info/commentrss.aspx?PostID=33</wfw:commentRss><wfw:comment>http://www.codesecurely.info/rsscomments.aspx?PostID=33</wfw:comment><description>&lt;p&gt;It is interesting to see how security has transformed over the years. Back in the 80s it was pretty much that no one cared about it. Or more appropriately the only people that cared about it were the true technologists and the geeks – case in point being the &lt;a href="http://en.wikipedia.org/wiki/Morris_worm"&gt;Morris Worm&lt;/a&gt; which was primarily intended not to be a security attack but an experiment (gone horribly wrong) to measure the size of the Internet but more specifically the academic networks of the time. 
Then came the late 80s and 90s and suddenly security was on everyone's mind, but in a weird kind of way – essentially we got caught with our pants down, and this led to significant amounts of innovation (if you can call it that) and productizing that saw the birth of &lt;a href="http://www.cert.org"&gt;CERT&lt;/a&gt;, the first &lt;a href="http://www.ciac.org/ciac/bulletins/f-20.shtml"&gt;network-based vulnerability assessment tool&lt;/a&gt;, the &lt;a href="http://en.wikipedia.org/wiki/Antivirus_software"&gt;first anti-virus software&lt;/a&gt; and the &lt;a href="http://en.wikipedia.org/wiki/Firewall_(networking)"&gt;first network security devices&lt;/a&gt;. Essentially, though, this was an era of a lack of knowledge, i.e. there were very few "good" guys available who knew what it took to secure computer systems. It was also an era of increasing reliance on computer systems in general, from health care to online banking, ecommerce, egovernment and so on… The primary reason for this lack of knowledge, in my humble opinion, was that it is generally regarded as a bad thing to talk about "bad" stuff. So the knowledge was thus left only in the hands of the "bad" guys! 
&lt;/p&gt;&lt;p&gt;The next era of security in my mind started with researchers and attackers alike beginning to look for vulnerabilities in released software. From &lt;a href="http://immunix.com/~crispin/discex00.pdf"&gt;buffer overflows&lt;/a&gt; in the 90s to SQL injection and Cross Site * today, this trend has continued. In the late 90s, when people had begun to get their act together with regards to securing their networks with firewalls and intrusion detection systems, people started exploiting vulnerabilities in accessible systems – primarily your web or FTP servers. This in turn gave birth to another slew of products – patch management! We first saw vendors arbitrarily releasing patches in response to exploits released, or sometimes, if you were lucky enough, the exploit was released after the patch. Thus was born the entire paradigm of &lt;a href="http://www.schneier.com/crypto-gram-0111.html"&gt;full disclosure&lt;/a&gt; – over the years this in my opinion has kept everyone honest and we have improved as a community to a better system where we now see monthly patch schedules and such. This was also most likely the era when an entire career path of "information security" was created. Knowledge was now beginning to spread and, in &lt;a href="http://en.wikipedia.org/wiki/The_Art_of_War"&gt;Art of War&lt;/a&gt; style, it became important to understand the ways of the enemy if you were going to defend yourself. &lt;a href="http://www.hackingexposed.com/"&gt;Hacking Exposed&lt;/a&gt; (the series, but in many ways the original book) in many ways changed a lot of minds (created an entire genre I might add!) and it is probably one of the biggest reasons for us at &lt;a href="http://www.foundstone.com"&gt;Foundstone&lt;/a&gt; to feel proud of the company and the people that are and have been there in the past.
&lt;/p&gt;&lt;p&gt;At about this point vulnerability disclosures were going through the roof and vendors were truly being troubled with the lack of security in their products and applications. Releasing patches had a number of costs:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Reengineering and redoing work that was not done right the first time
&lt;/li&gt;&lt;li&gt;Reputational costs of looking bad in public – being made fun of by your competitors etc.
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;This was probably one of the earliest points when simply going out and buying a piece of technology or tools (no matter what the marketing department tells you!) would not solve or eliminate the problem. It needed genuine commitment and effort from the inside in. We needed a concentrated effort on the people, process and technology of systems development. It took a while, but companies such as &lt;a href="http://msdn.microsoft.com/security"&gt;Microsoft&lt;/a&gt; among others began investing in security throughout their SDLC processes, and again, if you put your biases aside for a few minutes, you can see that this investment is paying off with fewer vulnerabilities and better security features in their products. Unfortunately, however, this attitude was not universal, and part of the reason in my opinion is that you often don't think you need something until it comes to bite you in the rear. A number of large software and hardware makers chose to completely ignore security and paid the price as focus shifted to them. Most importantly, it was the companies developing line-of-business software and custom software that were perhaps the most lacking. But if you think about it, these are also the makers of your online banking software, your payroll system and your credit card processing systems.
&lt;/p&gt;&lt;p&gt;Enter legislation such as &lt;a href="http://www.ftc.gov/privacy/glbact/"&gt;GLBA&lt;/a&gt; and &lt;a href="http://www.sb-1386.com/"&gt;California SB 1386&lt;/a&gt;, and now suddenly companies had to invest in security or people got thrown into jail – important high-ranking people at that! Again the tendency was to look for quick fixes – cheap and dirty. Unfortunately, such solutions rarely work for the specific purpose they are intended for, but perhaps most importantly they treat the symptom and not the root cause of the disease. No effort was made to go after the systemic problems – in fact I would even venture to say people didn't see this as a systemic problem. It's only after paying the price of failing audits time and again, or worse still being hacked time and again, that organizations began to turn around and see the light, so to speak. However, the sad thing is many people are still looking for the quick and dirty fix – hoping a series of band-aids will cure the disease!
&lt;/p&gt;&lt;p&gt;Fast forward to today and what are the security issues – identity theft, phishing, social engineering. Back in the 90s when you were hacked, I the attacker wanted you (and indeed the world) to know – I wanted my 15 minutes or 2 days or month of fame. Damn it! I had earned it by using my packet flooding skills! Web defacements were the ultimate rush. Today, in all my experience, attackers no longer want you to know, they want to quietly sit there and steal information, personal information, corporate secrets and national secrets – redirecting these to their databases. 
&lt;/p&gt;&lt;p&gt;What's the one common trend through all of this? We have always been reactive – following the attackers and their techniques. What are we doing to defend ourselves against this next wave of attacks? Are we truly anticipating and getting prepared? Do we even know what the next type of security issues are going to be? Are we building securable systems? Or are we waiting to evolve and innovate? Someone once said those that don't learn from history are doomed to repeat it – perhaps we in the security community should learn something from our pasts and security in general (outside of information systems) so that we are one step ahead next time instead of hundreds of steps behind.&lt;/p&gt;
</description><category 
domain="http://www.codesecurely.info/archive/tags/Apple/default.aspx">Apple</category><category domain="http://www.codesecurely.info/archive/tags/Security/default.aspx">Security</category><category domain="http://www.codesecurely.info/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://www.codesecurely.info/archive/tags/Marketing/default.aspx">Marketing</category><category domain="http://www.codesecurely.info/archive/tags/Securability/default.aspx">Securability</category><category domain="http://www.codesecurely.info/archive/tags/History+of+Security/default.aspx">History of Security</category></item></channel></rss>