“Give me a place to stand, and with a lever I will move the whole world.” –Archimedes
In the wake of last week’s disclosure of an attack against Bit9, Jeremiah Grossman seems positively prescient. His New Year’s prediction about security’s immediate future was that attacks against security measures would increase. And why not? If defense is vulnerable, why attack other weaknesses? A takedown of defense could lay a much larger and richer target open to compromise.
Therein lies the key: leverage. An attack that yields far greater results than defeating the immediate objective is using leverage. Minimum effort here yields comparatively much larger results there.
I still don’t think we fully understand what that means.
I applaud Jeremiah for calling out security measures as a likely target – but why should that necessarily mean that an adversary would target the defenses of just one organization? If leverage is so effective at exposing a single entity, why not target an attack against an asset whose compromise could expose so many others?
This is why it’s not just security products that are becoming high-priority targets. It’s the capabilities that, if successfully compromised, expose anyone who relies on them.
We have seen the precursors already, in attacks against RSA, certificate authorities, and others whose assets protect hundreds or thousands of organizations and millions of individuals. Bit9 is only the latest. There will be others. The objective is not to compromise the victim organization. It is to compromise the defenses of many, many more.
This should be a wake-up call to the security industry – but here, too, we may not really get it…yet.
It certainly means that any provider of leverageable capabilities must step up their game – because compromise for them is a matter of when, not if:
- The security market includes those who provide tools and guide practices for improving the security of applications. How many apply those tools and practices to their own products and services?
- Intelligence has become a watchword in the security industry in recent years. How many providers focus their efforts on gathering and responding to intelligence regarding their own operations?
- Response itself has become one of the most glaring defects of the security industry. Bit9’s response demonstrates how the industry is progressing. More providers should learn from these lessons in preparing for a crisis and responding in a planned and demonstrably beneficial way.
- Security vendors are not the only ones likely to be targeted in a leverage attack, however – as our ongoing Java woes should make clear. Enterprise IT management system vendors, for example, should take note: How could a compromise of highly sensitive control or defense functionality in your products – or (more likely) a lack thereof – be exploited to attack hundreds or thousands of your customers? What should the impact on security vendors be telling you about how you should prepare? Because you are a target, too. Not will be. Are.
But how do these targeted organizations determine how much investment in better response is enough? This is not just the tired old security-spending-will-sap-our-ability-to-compete dodge. If the impact of a successful leverage attack must be measured by the downstream exposure of hundreds or thousands, if not millions, of others, how can any one organization marshal more assets than it has, no matter how much it could spend?
If the industry is under attack, it’s the industry that must respond. Security vendors who seize upon the opportunity to pile on a compromised competitor have not learned the lesson of leverage yet. It seems just a little ironic to me that we are often the ones calling on others to be more forthright in championing breach disclosure, sharing intelligence and improving response among peers, when we enthusiastically shoot our own wounded.
Perhaps it’s time we took a little of our own medicine – because if we don’t, regulators will most assuredly try to find some way to force it down our throats.