The Information Security Industry is like the War on Drugs

After reading this article regarding the state of the IDS/IPS market and how IDS systems still and will likely have their niche, I was reminded of the common problem that plagues both Information Security and the War on Drugs; the majority of the focus is on detection and policing rather than on prevention and treatment, the former of which is usually an expensive, time-consuming, and futile battle.

Now, I’m not talking about prevention in the sense that IPS, or Intrusion Prevention Systems, are using the term. IPS systems attempt to prevent, essentially by filtering, an attack or intrusion that is actually taking place. In my opinion, that is policing. Yes, the device may be “preventing” individual intrusions, when and if it correctly identifies one and blocks it, however it’s overall purpose is to police the network. As network traffic continues to shift toward encrypted protocols, encryption tunnels like IPSec and TLS for wrapping unencrypted protocols, and the overall obfuscation of unencrypted network traffic by using non-standard ports or by tunneling it inside another protocol, an observing device like an IDS or IPS is essentially loosing scope of what it can police, again, a loosing battle. For policing technologies such as these to stay relevant they will have to evolve into an even more trusted device which has keys to the encryption within which there is traffic that they need to inspect, essentially restoring scope of what they can inspect, which unfortunately isn’t even always possible; see protocols that use end-to-end Diffe-Hellman key exchange. Anyhow, how IDS/IPS can stay relevant is a topic for another time…

What I’m talking about here is the treatment and prevention of vulnerability, or remedying the state of a system that results in an attack actually being a threat. If the vulnerability that the attack is attempting to exploit doesn’t exist, the attack is not actually a threat and therefore wouldn’t need to be “prevented” by a policing device in the first place.

What needs to happen in the Information Security industry is a lot more focus needs to be shifted from detection and policing to actually securing the systems that are vulnerable by eliminating the actual vulnerability. Unfortunately, as Bruce Schnier has repeatedly pointed out in essays and on his blog, this won’t happen because it’s an economic problem; The people in the best position (and sometimes, the only position) to fix vulnerabilities don’t incur the cost when those vulnerabilities are exploited, so they generally don’t take the initiative to do so. Rather, the users of the vulnerable systems are hit with the expense of exploitation and have little to no recourse against the vendor. They also generally have no avenue to get the systems they are using fixed outside of waiting for the vendor to acknowledge the vulnerability and fix it themselves. Until the cost of vulnerability exploitation is shifted from the users to the vendors, the vendors have no incentive to be proactive about vulnerability prevention and their customers are relegated to investing in detection and policing technologies.

Anyone who knows me well will tell you that one of my pet peeves is wasting time and effort addressing symptoms of a problem when you really should be addressing the problem itself, and unfortunately that is the state that the Information Security industry has been forced into by vendors of insecure products. Normally I’m not a fan of government interference via legislation, however in this case it may be the only way to shift the cost of vulnerability exploitation from the users of a system to that system’s vendor, because the vendors sure won’t volunteer to incur the costs themselves.

Leave a Reply