Information Security: Not A Permanent Cashcow

I’ve been saying for years that the time of the mediocre security professional is nearly up. We in information security are a bunch of maggots playing in an open wound if you ask me. That’s what Information Technology is today — a gaping wound. Once that’s not the case anymore, i.e. once the industry matures a bit, most many in the field are going to need to find new careers.

To put some numbers on overall IT maturity (which is inherently stupid, btw), I’d say that we have a scale from 0 to 99 — with 0 being the bottom, where most everything is exploitable and nothing is safe once on a network. 99 would represent a time when we can deploy any IT solution and have it be uncrackable (not going to happen). A score of roughly 80 yields systems that can be put on the Internet and not be cracked for years at a time, with no updates whatsoever.

Well, friends and neighbors, we’re in our infancy. We’re hovering around a 10 or so on this scale of mine, and it’s highly foolish to think that we are at a 10 because the problems are unsolvable.

They only linger because our entire infrastructure is based on the very first attempts at computer technology — and those attempts were put together with no consideration for security whatsoever.

As a result, it’s quite foolish to just throw up our hands (like the media tend to do) and say that the bad guys are just too smart, and there’s nothing we can do to keep our infrastructure from being potentially rooted every few weeks.

We’re using technology that was never built to be audited, probed, or otherwise tested for quality. Hell, no one even planned on it becoming popular. You can’t take that paradigm, stack a billion users on it (many of which are now malicious), watch it buckle, and say, “we tried our best, we can’t secure it”.

Consider what’ll happen when new technologies are released that don’t allow arbitrary code to be executed. What happens when only “known good” content can be run? What about when the languages used are so safe that it’s nearly impossible to write dangerous code? And what about the compilers? It won’t be long before compilers are able to audit your code, see you’re getting sloppy, refuse to compile it, and then send an email to your manager. :)

Once these types of approaches are put into place at all levels (processors, memory management, languages, IDEs, compilers, etc.) we’re going to jump from like a 10 to a 60 in roughly 10 years (I’m guessing).

To be blunt, the IT tools in use today (our operating systems, etc) are giant stacks of Legos surrounded by piecemeal bits of cardboard “protection”. Attackers merely stand back, choose their opening, and tear things up at will. Another (also quite imperfect) analogy I like is that of current computers being idiot robots that will run anything once their simple filters are passed.

Someone wants to hide shellcode in an email address entry? Sure, sounds good — I’ll run that rm -rf command for you. It’s almost like every computer is offering users all of its functionality, and all you have to do is confuse it in order to get to the “extended” features.

Take Microsoft’s SMB services, for example. The computer is claiming to offer a file/print sharing service (and ONLY a file/print sharing service) but using recent vulnerabilities you can add users via the very same service. How in the hell can you add administrator-level users through a file sharing interface?

Idiot robots guarding their powers — that’s how.

The fact of the matter is that file sharing interfaces shouldn’t have access to any “powers” other than file sharing — not adding users, not binding shells — nothing.

These issues are transient, however. Changes will come, and when they do we’re going to start seeing highly resilient systems that stand up to most anything for very long periods of time. Will this “fix” technology? Will it make things “secure”? Of course not. You can never solve idiocy, and idiocy is what will keep many of us in business long after the technology gets cleaned up.

But the days of anyone with “security” in their title getting paid stupid amounts of money are coming to an end. As the wound closes, there will be less room for semi-enthused opportunists who feed off the misfortune spawned from IT’s youth. Our industry is filled with these types right now, and they’d be wise to start looking for the next big thing.