MIAMI -- Too many firms are turning to cloud computing resources before knowing the data that needs the most attention, increasing the attack surface and setting up the perfect environment for a breach, according to a prominent security expert.
Dave Aitel, chief technology officer of Miami-based assessment and penetration testing vendor Immunity Inc., said companies are making it easier for hackers to break into networks by not undertaking data classification. Aitel, a well-known expert with roots at the NSA and the once-prominent security research boutique @stake, railed against jumping head first into cloud computing and criticized traditional security technologies – intrusion prevention and unified threat management appliances – for being too easy for attackers to bypass.
"When you put the kind of money like the Department of Defense has into defenses and you're punching like me instead of Mike Tyson, you've got a problem," Aitel said.
Aitel spoke to hundreds of security professionals on Tuesday at the Forum of Incident Response and Security Teams (FIRST) Conference 2010. The SDL (security development lifecycle) of every major software vendor is broken, he said. He criticized browser makers for producing shoddy code, called static analysis tools a waste of time and said the hacking community is at least a decade ahead of the security professionals tasked with defending company networks.
"Defenses come in two flavors … either a sniffer or a scanner and none of these things work," Aitel said. "Both are terrible ideas that should have died in the 1990s."
Defensive technologies are being built on top of what are really attack technologies, Aitel said. Some large enterprises pour massive amounts of money into intrusion prevention systems that don't work, he said, adding that his team evaluated products from three major IPS vendors and was ultimately able to bypass all of them while remaining undetected.
Cloud computing and the technologies that enable cloud-based services are built on top of older technologies that are vulnerable to attack, Aitel said. As a result, companies need to better understand their environment before moving systems and data to cloud providers.
"You can't do cloud computing without doing data classification," Aitel said. "If someone breaks into one part of your cloud and if they can get to other parts of your infrastructure, that's really a problem."
Aitel said the only option for defenders is to go on the offense. He urged security professionals to take a strategic deterrence approach in which enterprises can punish attackers for attempting to penetrate systems. The vision is similar to one advocated by Philip Reitinger of the Department of Homeland Security. Reitinger said he envisions software and infrastructure with built-in defensive capabilities and the ability to respond quickly to problems, isolate them and take steps to eradicate them.
When it becomes too expensive for attackers to find vulnerabilities and penetrate systems, the defenders will begin winning the war, Aitel said. His message was a wake-up call to incident responders, who say they are constantly looking for new ways to be more proactive.
"Hackers will generally always be a step ahead of the security community," said a U.K.-based security analyst, adding that he's constantly playing a game of cat and mouse. "We're getting better at what we do, but there's going to always be room for improvement."
Aitel said professional defense is a far newer culture than the hacking community it faces. Today, some attackers are targeting the security department first, attempting to obtain its account credentials and disguise themselves as legitimate users, he said.
"Defenders are consistently underestimating their opponents," Aitel said.