The Security Poverty Line and Junk Food

Monday, April 16, 2012

Wendy Nather


I've given talks on this before, and published a report (available for free here), but I haven't really put everything in one place until now. 

I coined the term "security poverty line" to describe those organizations that, for one reason or another (usually a lack of IT funds), can't afford to reach an effective level of security, much less compliance with security regulations.

When you don't have a lot of IT money, you can't afford your own IT staff (or you go with whatever you can borrow or rent).  This means you don't have in-house expertise to maintain a decent level of security controls and monitoring, even assuming you get systems and networks configured right to begin with. 

As we all know, security is an ongoing process, and if you have Jane the IT Girl as your sole resource, she's going to be too busy troubleshooting problems and installing new systems to be able to maintain the existing ones in a proactive fashion.

Organizations below the SPL tend to be inordinately dependent on third parties for this reason, and since they're so dependent, they have less direct control over the security of the systems they use.  They also end up ceding risk decisions to third parties that they ideally should be making themselves.

And they don't have resources for luxuries, such as separate systems for different tasks, or different personnel to achieve segregation of duties.  They'll tend to throw everything on the existing old hardware until it breaks, or until the performance is so unacceptable that they're forced into paying for more. 

(This is why nobody should be surprised that the public sector has to struggle with crowded, antiquated systems.  How many taxpayers are going to pay for upgrades just to keep everything new and shiny, when the old systems were working just fine?) 

They'll share data and networks with partners. They'll use the cheapest software they can find regardless of its quality or security.  And they'll have all sorts of kludges and back doors to make administration easier for whoever they can convince to do it.

So although some people see the failure to achieve compliance or effective security as simply a matter of attitude ("if you really cared about auto safety, you'd buy a Mercedes!"), it's not that simple.  Even upgrading and untangling a set of legacy systems can double the cost of migration to a new platform, due to system inertia and missing institutional knowledge. 

Any consultant who has had to step in to one of these environments to fix something knows what it's like to pull on one thread that appears to have an obvious solution, and discover that it's attached to too many other things that can't be easily changed.

Not only that, but certain types of security technology are more expensive than others.  In a talk I gave at the UNITED Security Summit last year, I showed some figures from some back-of-the-envelope surveying I did on what $2,000 can buy you; slides are available here. (Even $2k is a lot of money to justify spending on security for a lot of these organizations.) 

As it turns out, most of the affordable security technology is the oldest kind, the least effective, and mostly preventive in nature -- firewalls, antivirus, and a scanner that will tell you what's wrong with your systems that you can't afford to fix. 

The newer stuff, especially anything that involves proactive work and monitoring, is out of reach.  Enterprises below the SPL are not only stuck with the equivalent of burgers and fries, they can't afford any vegetables (thanks to Alan Shimel for making this more explicit).

Open source, you say?  Tell me if your dentist's office uses open source software, and who there knows how to install and maintain it.  Open source software is expensive when you include the expertise needed for support.  (I chatted with Alan about this one time when a recording was running.)

What this means is that many organizations that slip into security poverty tend to get trapped there.  Unless they can afford to do a greenfield transfer to a provider with a squeaky-clean new network and managed security services, they will just keep patching what they have, and only do the minimum that is going to fend off their biggest, most visible risk: the auditor. 

Rather than continuing to beat them with the compliance stick until morale improves, we need to make security services more affordable (and there are some providers who are working on just that).  We need to build security into products and deliver them already secured, so that security isn't an add-on luxury.

We also need to create more hands-on resources -- perhaps as a community service -- that poorer organizations can draw on, not just to give them guidelines, but to adapt them to what they can afford to do.

And finally, we need to be able to state clearly what effective security looks like.  The great thing about compliance (yes, I really did just write that) is that you know when you're done.  When the last box has been checked, you have that sense of accomplishment, and it's straightforward to know whether you pass or not. 

I challenge anyone in the security community to tell me what, say, a 50-person company needs to buy -- even assuming they have a blank check -- to make sure they are doing everything necessary to manage their risk.  (Hell, I challenge anyone to tell me what their risk is without using colors.)

At least there's a food pyramid (or plate, or whatever -- they keep changing it) to describe the minimum daily requirements for nutrition.  What should be on the security plate for a healthy organization?

Cross-posted from Idoneous Security

Pete Herzog: Unlike many people below the actual poverty line, most businesses have some resources to meet basic security needs. The concept of "growing your own" does exist well in security because people have free and easy access to the "fertile soil of information" to keep from starving. What you're saying here might be closer to the disaster caused by Nestle years ago in South America making women dependent on a product for feeding their babies instead of producing it themselves. You only talk about buying products. That's talk for large organizations where the use of products is necessary to reduce security management for the thousands of systems more than they use it to reduce security risk. That's significant. So although I'm sure there is an organizational size where the economics of managing security is at its highest despite risk being equally high, that number is certainly not 50. That's because security is not about products or buying things. They help and can take the edge off some aspects of security but they're not the answer. You can do most of what you need through configuration and controlling the environment. Products which you could use to prevent, deny, and control interactions can be cheap and easy to use. Even "open source" security software doesn't mean Linux/BSD only. You can find it for all platforms. Probably the only disadvantage these people below the security poverty line suffer is a lack of flexibility. You can't cater to many unique desktops and special system configurations if you don't have the human resources to set them all up. So you need to clone desktops with the proper apps and configurations. You need to disallow the "install what you want" mentality in employees. As I say, getting nearly perfectly balanced security with operations is possible at a very low price but it requires commitment. 
But unlike those who are below the poverty line because they choose not to make commitments, there's nothing but opportunity for the ones who want to work to rise out of it. And I can show you. The OSSTMM explains how.
Marc Quibell: I enjoyed this article. There is something that has to be said however about the quality and number of IT staff in relation to the size of the company and its IT resources, along with the amount of due diligence required. Good stuff though!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.