Technology vs risk management

If you have identified a gap in your security posture, then you have to make decisions on how to fill it. One of those decisions may lead you to a security product. If that is the case, then most likely you start doing research on the class of products to see if they are going to fit in your environment, and you want to be sure that the products actually do what they claim to do. Makes sense. But what happens when you come across an article that states that some smart person got together with a bunch of other smart people and figured out a way to bypass or otherwise crack the security product at which you are looking?

I recently had a discussion with an old boss in this same situation. He was looking into the merits of NAC and received some negative feedback from a senior technical member of his staff. He asked me about the efficacy of NAC and to look over the objections and see what I thought of them, so I thought I would share some of those thoughts and some others about this. So without getting into what the staff member's objections are (that's not the point of this post), here is what I said:

His argument is technically valid. However, he is assuming maliciousness. NAC is not really meant to stop the malicious user. It is all risk-based. What is the probable risk of you having a malicious user on your network with the skill to <perform the workaround mentioned>? And if the network guys have done their job right, the user would not have the access to <perform that hack> anyway. NAC is meant to protect against the typical scenario of a user coming in with a laptop and spreading viruses across the network in a non-malicious fashion. For most organizations, I would estimate that to be about 85%-95% of your risk (I don't have numbers to back that up).

The same arguments are used against data leak prevention technologies. If you just send out bits of the data in a bunch of emails, you can get it out. Well, yes. But are you protecting against the malicious user trying to send out your customer list, or against the inadvertent release of data that happens at a much, much higher rate? Protecting against both is nirvana. But as I have always said, a determined attacker is almost always impossible to stop. All you can do is slow them down and contain the damage.

Something along these same lines has come to light recently about full disk encryption. The Freedom to Tinker blog posted an article about a month ago about how to defeat FDE by freezing DRAM chips so that they hold onto their contents after power is removed, which lets the attacker plug in a USB key, download the contents of RAM and search it for encryption keys. This is an amazing hack, and I give full props to the guys who came up with it. But from a risk standpoint, how likely is it to happen? Does this mean you should throw out FDE as a valid tool in your security tool belt? No. This hack can be easily defeated by simply maintaining other security measures to keep PCs safe. Yes, that is easier said than done sometimes, but the real risk is still very low.

Going back to the discussion with my boss, the staff member is a huge proponent of network IPS (NIPS). I am also a proponent of that technology, so I agree that it should be in place. However, he thinks it is going to displace NAC because the technology is becoming more and more sophisticated. And his argument against NAC was this:

They only check on connect; what happens if the system gets infected after receiving an IP and being let onto the production VLAN?

Many NAC vendors address that concern by doing checks after the initial login, but I addressed the issue this way:

Again, there is a risk equation here. What is the likelihood of your PC becoming infected on an internal network that has desktop / server AV and NIPS? All the pieces make a whole.

"All the pieces make a whole." That means, simply, that you cannot have a magic bullet to secure your network. You use the strengths of each piece, and you mitigate the weaknesses of each piece with another piece (and "piece" does not just mean products - policies, procedures, etc. come into play as well). You should be able to have a very secure infrastructure by using security in depth. If all you do is focus on how each product or process has been hacked by some relatively obscure method, then you will never implement any security measures at all.

Copyright © 2008 IDG Communications, Inc.