2.5 John Doe Has the Upper Hand

get it right once. Defenders must service business needs. They can't afford to devote every waking hour to fending off wolves. Damn it, they have a real job to do (e.g., unlock accounts, service help desk tickets, respond to ungrateful users, etc.). The battle cry of every system administrator is "availability," and this dictate often trumps security.

Defenders Face Institutional Challenges

Despite the clear and present threats, investigators are often mired by a poorly organized and underfunded bureaucracy. Imagine being the director of incident response in a company with more than 300,000 employees and then having to do battle with the folks in human resources just to assemble a 10-man computer emergency response team (CERT). This sort of thing actually happens. Now you can appreciate how difficult it is for the average security officer at a midsize company to convince his superiors to give him the resources he needs. As Mandiant's Richard Bejtlich has observed: "I have encountered plenty of roles where I am motivated and technically equipped, but without resources and power. I think that is the standard situation for incident responders."¹⁴

Security Is a Process (and a Boring One at That)

Would you rather learn how to crack safes or spend your days stuck in the tedium of the mundane procedures required to properly guard the safe?

Ever-Increasing Complexity

One might be tempted to speculate that as operating systems like Windows evolve, they'll become more secure, such that the future generations of malware will dwindle into extinction. This is pleasant fiction at best. It's not that the major players don't want to respond, it's just that they're so big that their ability to do so in a timely manner is constrained. The procedures and protocols that once nurtured growth have become shackles.

For example, according to a report published by Symantec, in the first half of 2007 there were 64 unpatched enterprise vulnerabilities that Microsoft failed to (publicly) address.¹⁵ This is at least three times as many unpatched

14. http://taosecurity.blogspot.com/2008/08/getting-job-done.html.

15. Government Internet Security Threat Report, Symantec Corporation, September 2007, p. 44.

Part I | 51