John Viega is the co-editor of Beautiful Security, the latest in O’Reilly’s “Beautiful” series. He recently talked to me a bit about what makes security beautiful, and what demands modern security problems place on end users and administrators.
James Turner: With Beautiful Code and Beautiful Data, you can think about code or data that’s elegant or has a simplicity to it. When you think about security, you tend to think about diligence and slogging and going through logs and not things you would associate with being beautiful. How do you make security beautiful?
John Viega: The idea behind Beautiful Security was that — you’re right, security is not beautiful in the same way that code is. It’s often a lot of grunt work, and it’s just very challenging to build a good system, not necessarily fun. Although, there are a lot of people who do enjoy it. The idea behind Beautiful Security is more that it’s beautiful when you can actually provide somebody an experience that’s both secure and easy to use.
James Turner: To some extent, isn’t that, in most organizations, diametrically opposed in that the more secure things get, the more you start hearing, “Oh, we can’t do that because we can’t open that port up or whatever”? And, in my experience, the more of one you get, the less of the other you get.
John Viega: It’s usually the case that as you add more security, the usability goes away or as you add more usability, the security goes away. But it doesn’t have to be that way. With a well-designed system, often you can make it both easy to use and more secure at the same time. And there are certainly examples of that in Beautiful Security, the book. Things like password systems, for instance. If you do them very well, you can make something that’s more easy to use and more secure than a traditional password system.
James Turner: When you think about security, there’s different layers depending on your level of savviness and the needs you have. If we could just take a couple of minutes to address the various levels. Let’s start at the lowest level. For Joe Blow, home user with cable or a fiber or a DSL line, has it gotten to the point where they have no way of realistically knowing if they’re secure or not?
John Viega: For the home user, I think the security industry does a disservice about making things seem a lot worse than they really are. The security industry sells fear, uncertainty and doubt. Pretty recently, it was revealed that Symantec had been giving gross overestimations of the number of people infected by Conficker, I think. The average home user, as long as they are not doing anything dangerous that leaves them prone to social engineering or out in a very hostile environment like potentially a conference, they’re usually okay. So on your home network, you’re behind a NATing firewall usually. So there’s really little threat from the outside world, except what the user browses to. And then there are tools like Site Advisor that can help make the browsing experience a lot more safe as well.
James Turner: That actually leads to another question I’ve always had. As you mentioned, almost everybody’s behind some kind of a broadband router and doesn’t have their ports exposed to the outside world. Is running a software firewall, which a lot of OSes almost insist you do, actually more kind of like a belt and suspender thing if you already have a NAT?
John Viega: No. There are — especially for mobile users, certainly when you go to Starbucks, you may be visible to a lot more people. When you’re on any open wireless network, you should assume that the security problems on your computer might be accessible to other people. So I think that it’s always best to take a defense in depth strategy. But things aren’t as bad as the industry makes them seem. So, for instance, there’s been a study run by a significant well-known security organization that I won’t name. And it says that if you put a Windows machine on the internet, it takes only, I think, four minutes until it becomes infected. But what they don’t say is that that’s with a very old version of Windows. That really isn’t true for anybody using XP Service Pack 2 or later. Because I think it was Service Pack 2, the change that Microsoft made was the personal firewall on your machine prevents most ports from being accessed unless you specifically allow them. So it basically locks down machines with vulnerabilities and services that you aren’t using.
James Turner: When I started out doing system administration, security was something that you needed to be aware of, that you might need to do a little bit of studying on. But it essentially was something you slap on as knowledge on top of your normal system admin knowledge base. Has it gotten to a level of specialization now that for any reasonably sized organization, you really need to have people who just are security experts, the same way you have people who are just database experts?
John Viega: It really depends. You can be talking about operations or development, software engineering. In large companies, in both of those areas, you tend to have your own people, more so on the ops side than the development side. But there always tends to be some sort of program around security. So most large organizations, for instance, have a chief information security officer who has a team that’s dedicated to the IT security piece. When you get down to the small business, then there’s never any chance that you should have a dedicated security person. And even for most medium businesses, when you’re looking at companies like that, they tend to want to outsource as much as possible the security job. And if they have anything, it’s going to be a fraction of a person.
James Turner: Now that more companies are looking at cloud solutions or hosted solutions like using Google for their mail system and things like that, how is that changing the security picture inside of companies?
John Viega: Well, so most large companies are really interested in the cloud and the benefits it provides. But they’re a little bit apprehensive about potential security issues. At the end of the day, the cloud should eventually be a more secure place to do business, but until we have standards that allow us to have some confidence, people are going to be a little bit skittish. And [we need] standards around, for instance, how people handle data from multiple clients at once; you don’t want data from one customer leaking out to another customer. So there are a lot of additional risks. But, at the same time, once you have good controls to address those risks, there are potential security benefits. So, for example, if you are providing a SaaS-based solution where all of your IP lives in the cloud instead of having some of it go on a client-side piece of code, or if you’re having your service run in the cloud instead of putting it on a device that you ship out to customers, you may be able to actually get some real advantages with security through obscurity because you’re never giving anybody the ability to reverse engineer your code or look at the source code to find security problems. And, you know, even though we don’t like security through obscurity, sometimes it works pretty well.
James Turner: Turning back to the book, it’s essentially a collection of essays by various well-known people in the industry. What are some of the favorite things from your perspective in the book?
John Viega: Beautiful Security has a lot of insightful essays that really look at the security industry in a way that most people don’t think about on a day-in, day-out basis. For example, there’s a great article by Mark Curphey, who founded the Open Web Application Security Group, OWASP, that talks about kind of the emerging technologies like cloud computing, social networking and so on. There are a bunch of essays that talk about looking at security software and asking the question: Does it really make sense to make big investments the way that Microsoft does? Everybody thinks we want secure software, but the question is: Is it cost-effective? And it’s a really interesting question that the book examines. There’s also a great essay on the history of PGP by Phil Zimmermann that everybody who’s as geeky as I am, that’s been around for the last 10 or 15 years, will really enjoy. It’s a lot of insight that most people haven’t gotten before.
James Turner: So just to put the book in its place: it doesn’t sound like this would be a replacement for reading a book like Cheswick and Bellovin?
John Viega: Yeah. The idea behind Beautiful Security is to get people thinking and talking about some of the darker issues in information security to help everybody see that security doesn’t have to be dull, about security controls and budgets and things like that. Although, that’s certainly a part of it. We want to tackle the challenges head-on. And the idea of the book is to get people thinking about all of those issues and hopefully discuss them.