Marcus Ranum: The Biggest Security Threats Getting the Least Attention
A renowned expert in secure systems and design, Ranum, currently the CSO of Tenable Security, offers a new look at topics such as the risks of cloud computing and what he calls the myth of cyber warfare.
In an exclusive interview, Ranum discusses:
Ranum, since the late 1980's, has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC "Clue" award for service to the security community, and also holds the ISSA lifetime achievement award. In 2005 he was awarded Security Professional of the Year by Techno Security Conference.
TOM FIELD: What are the top information security concerns as we head into 2010? Hi, this is Tom Field, Editorial Director with Information Security Media Group. I am talking today with Marcus Ranum, Chief Security Officer of Tenable Security. Marcus, thanks so much for joining me.
MARCUS RANUM: My pleasure.
FIELD: Marcus, you are well known. People have known you and known your work for decades now, literally. Tell us a bit about what you are doing these days please with Tenable.
RANUM: Well, as the CSO I guess my main job is really to evangelize the company and our products and to get word out there, but I am very fortunate because the position that I've got allows me a great deal of leeway to pretty much say what I think and sort of think about whatever I am interested in. And so I kind of do a lot of work with media, and I do a lot of writing and blogging on security topics.
FIELD: Give us a sense of what are the biggest things on your mind right now as far as information security concerns as we head into the new year.
RANUM: Well, there are two problems that have been on my mind since the late 1980s, and those are just that distributed data -- putting your data all over your network and your enterprise in order to make it more convenient for access -- represents vulnerability everywhere. And some of the old school security practitioners have been saying this for a very long time. You know, you get this stuff in everybody's hands, and it is going to leak from everybody's hands because not everybody is on the same chart as far as worrying about keeping data from being exposed.
And then the endpoint security issue is another one. I think it is flat-out pathetic that it is 2009 and we are still running operating systems that are susceptible to malware and trojan horses and viruses and stuff like that. It is really sad. I mean pretty much every Intel processor has got the Trusted Programming Module, the TPM in it, and why operating systems aren't keeping track of this stuff, well...the reason is convenience. I think sooner or later the industry is going to have to wake up that we are really giving the whole game away just so that people don't have to click okay or think a few seconds before they install a new flash drive or something like that.
FIELD: What do you find to be the biggest threats that get the least attention?
RANUM: Again, I would come back to the whole malware issue. People sit there and they kind of go, 'Well, we've really haven't had a big problem with it; it's only a home user problem.' Somebody's got remote control over your system, and you don't care? The typical home user, when we talk to the home user and they say you shouldn't be worried about this stuff and they kind of go, 'Well you know it's okay; it doesn't slow my internet connection down too much.' And I really think that is what the problem is.
And again, businesses have got their heads in the sand because they say "Well, that's the typical home user problem and that is not a business issue,' but it is a business issue. That home user is going to stick a USB thumbdrive in some thing, and he is going to bring malware into the office with him, or he is going to access the corporate assets from home on a VPN using a machine that is completely owned by every hacker on the planet. Transitive trust is the name of the game, and transitive trust has always been the hardest problem in security. And unfortunately because it is a very difficult problem, a lot of people have their head in the sand about it. FIELD: Well, I would ask you what it takes to wake people up, but if a TJX or a Heartland doesn't wake up people in organizations, what will?
RANUM: I don't think anything will at this point. I mean, I have been doing this long enough, the security community has always said 'Oh, this is a wake up call, and this is a wake up call,' -- we've had 20 years of wake up calls. I think at this point it is pretty safe to just assume that people just aren't going to get it. I really am completely baffled.
I mean. what it is going to take? Is it going to take somebody crashing the entire power grid for a month? Maybe that would get people's attention, you know. I don't know.
FIELD: Safe to say that the wake-up calls instead are snooze alarms?
RANUM: Yeah, well you know it is really bizarre. Human nature is fascinating, and our ability to absorb punishment is really amazing. If you want to think about it from a different perspective, just ask yourself how many life years of human life have been wasted dealing with problems resulting from just viruses and robotic worms? Thousands and thousand and thousands of man hours have gone down the toilet in IT departments and in home users trying to deal with these problems, and stacked up against that is this kind of lure of convenience on the flip side. Frankly, if the fact that we have been wasting our time dealing with these issues for 20 years isn't a wake up call, I don't know what is.
FIELD: Marcus, let me ask you about a few specific areas that you have talked about elsewhere. Cloud computing for one. Everyone is talking about it like it is the newest thing to come to planet Earth, but certainly we have talked about variations of this for years. What are the greatest risks of this new great thing that people have discovered?
RANUM: Oh, that's a really great question. I mean one of the things that is funny is that people get all upset about cloud computing, and I would like to point out that most banks, medium to small sized banks that have relationships with firms like FISERV that are essentially a remote mainframe that sits someplace and is out in the cloud, it's on a private network link, but that is cloud computing and this has been going on for a very, very long time. All the airlines use the cloud computing service we call SABRE, and they have been using it since the 1970s, so I don't think that some aspects of cloud computing are new. But the thing that is going to happen with any new technology that comes along is you get new problems that people just haven't thought of yet. It gives the bad guys an opportunity to invent new ways to mess with the system.
I was at a session a couple of weeks ago, and we were talking about cloud computing and somebody said, 'Well it's okay for you to put your data out there as long as you encrypt it,' which is a reasonable first order response. And then I raised my hand and said, 'Well, you know you realize that it is not just that somebody could decrypt the data or access your data that is the problem; what if somebody just deletes all your data?' There's data out in the cloud and someone breaks into the cloud and someone tells the cloud now delete my data - oops.
There are different exposures. There are new kinds of problems that are different, but the interesting thing is that the problems kind of move around. If you are worried about someone deleting your data, I suppose you should ask whether your administrator is trustworthy. What if your system administrator goes crazy and decides to delete your data?
So all that cloud computing does is let you kind of move some of your problems into different places than where they are now, and you pay more or less money for doing that. If you outsource stuff, you have moved your entire problem into somebody else's hands, and you have got to worry about negotiating service level agreements and all that sort of thing, which is exactly the same problem that still doesn't go away. And if you do it in house, you have to actually do the work but you don't have to negotiate the service level agreement with yourself.
What I find with this stuff is that the difficulty kind of squishes around, but it doesn't either go away or get too much worse. The main place where cloud computing is certainly incredibly exciting potential is for someone who is doing something completely new because you don't have any legacy code, you don't have to worry about bringing your old business practices slowly into the cloud. You can look at the cloud and go, 'Well how can I leverage this, leverage the hell out of it and be up and running right away?" I think a lot of organizations that are looking at these kinds of cloud success stories don't quite understand that they are not going to be able to take their legacy application and just move it into a cloud without essentially recording the whole thing. In that sort of situation I try to encourage people to think of cloud computing as an opportunity to do business process reengineering.
FIELD: Another topic for you, Marcus, cyber warfare. This got a lot of people's concern this year, especially around the Fourth of July when they thought that foreign entities were starting to hack into the U.S. government. How do you separate myth from reality here?
RANUM: Well, as far as I am concerned it is all myth. What happens is that--well first off, it really annoys me that people call something cyber whatever just because it is touched a microprocessor. I mean, every single thing in the world that we are doing right now touches microprocessors, but I don't go around talking about my cyber toaster and my cyber coffee machine. I think when people talk about cyber whatever, they are basically saying 'I don't want this to be treated as a separate budget line item so that I can do some empire building in my bureaucracy.'
But there are multiple problems here. There is cyber crime, there is cyber espionage, which is just espionage except it has touched microprocessors, you know there is this cyber war concept, and there is also the potential for cyber terrorism. Those things are all completely different.
A notion of cyber terrorism is a real threat. I think that there is a potential that disgruntled individuals can go around unilaterally doing damage. And we saw the incident in Estonia last year was a single disgruntled individual who basically decided he was going to take on a government and for a while he was winning. That is not cyber war; that is a single individual who is taking an action.
The problem with the notion of cyber war is you have to look at state versus state activity, and then you have got to ask yourself whether that makes any sense. You know, the U.S. and Russia are not going to get into a cyber war. Okay, we will get into a real war if we got into a war at all, but we are not going to crash each other's networks. And the reason for that is first off, it interferes with your espionage ability. When you take down your target's networks, you have just blinded your spies, and it is bad for business.
So I think that the whole thing about cyber war is just being ridiculously oversold. I saw an article a couple of weeks ago about a counter insurgency operation in Iraq. It was billed as a big cyber war success story, and you know you read about it and it is kind of, well they were listening in on the insurgents' communications using radio intelligence techniques, and they did some penetrations against some computers based on that and they were able to have some soldiers in the correct place to foil an attack. Honestly, what about that is cyber war? That sounds like battlefield intelligence being executed effectively. So the whole thing I think is largely mythological, but since we spent so much money on it, the people who encouraged us to spend money it are basically just trying to get the government to double-down I guess.
FIELD: Marcus, another area where people spend a lot of money: penetrating testing. When is that simply a waste of their time and resources?
RANUM: Well, I think penetration testing is almost always a waste of time. What you really--computer security practitioners have not done a very good job of reading the literature on testing methodologies and engineering. If you are going test something, if you are going to call something a test, you actually have to have a result in that test that could be meaningful. You are going to test a steel I-beam against so many pounds per square inch of pressure or something like that. A penetration test doesn't tell you are secure. A penetration test either tells you your network sucks or your penetration testers couldn't get into it. None of the results that you get back from a penetration test are 'your network is secure.' The problem is that is why people want to do a penetration test. They want to convince themselves that their network is secure. Well, if you want to convince yourself that your network is secure, what you really need to do is do bottom up design methodology and then test your components individually to see if your components are working and if your overall design leads to security as a result of how you have to plug your components, then I think you can actually say something useful. But unfortunately in a lot of the cases where I see penetration tests being done, it really shows that you are given a dysfunctional organizational politics or bad management, which really are the same thing, right? One business unit decides they are going to do something, and the security team decides to do a penetration test just so that they can try to shell the project that they think is a bad idea or something like that. And then the other one that happens fairly often is people will say, 'Well, we are not going to do anything about security unless you can show us that there is a problem'. So then money is spent to do a penetration test just to show somebody that they should have listened to one of their co-workers, which if you think about that is just shockingly unprofessional.
So unfortunately, when I see organizations that are doing penetration tests I usually think, well you know either they have been snookered under this PCI label and they are required to do a penetration test, which that can't surprise you that that's part of a PCI Standard because it was written by penetration testers. But it usually just shows me that it's an organization that is dysfunctional or badly managed.
FIELD: One last question for you, Marcus, and I am going to take you in a different direction entirely. We've got an information security profession that has really matured a lot over the last five or six years. For someone that is looking to start a career there today, or restart one if they want to move from another discipline, where should one begin?
RANUM: Well, I honestly think computer security, except for niche practitioners who have specific specialties, like a digital forensics analysis guy or something like that; I think computer security is going to wind up melting back into the landscape as a result of all of the audit that is going on. So, unfortunately the practical answer in the short-term would be if you want to get into the security field, be aware there is going to be a tremendous amount of work in the legal profession surrounding computer security in the not too distant future. And unfortunately, auditing is the other alternative, although I would rather hammer nails into my head than be an auditor; talk about unpleasant work.
So my suggestion, honestly, would be to kind of avoid computer security unless you want to do bookkeeping because I think that unfortunately as a side effect of all of the new standards and audits that are coming in, computer security is not going to be able to innovate anymore. I think the days when somebody could get up on a Friday and build a firewall and have it working by Monday, those are gone because now the auditors are going to come in and go 'Now you have to buy an improved product.' So the ability for individual contributors to innovate and do interesting things in security is going to continue to erode in the next five to ten years to the point where I think security is really not going to be very interesting anymore.
FIELD: Well, Marcus, I appreciate your time and your insight today. Thank you so much.
RANUM: Well, it's been fun. Thank you.
FIELD: I've been talking with Marcus Ranum, Chief Security Officer with Tenable Security. For Information Security Media Group, I'm Tom Field. Thank you very much.