Michael Farnum wrote a post on his blog, in which he referred to another post that said:

  • Existing defenses are absolutely ineffective against current attacks. I am struggling to describe the importance of this insight. It does not matter if you are fully patched, "properly configured," not running Javascript, or adopting any number of other current defensive strategies if you use a Web browser that renders modern rich content. Almost none of the techniques described in the Black Hat talks relies upon exploiting vulnerable software. Almost all of them abuse inherent functionality for malicious reasons.
  • Detecting current attacks in "real time" is increasingly difficult, if not impossible. Even if you assume attacks are not obscured by encryption, recognizing and understanding the variety of Web-based attacks shown at Black Hat is almost a lost cause. There is basically no way for defenders to address the expanse of the attack surface exposed by "rich Internet applications" and frameworks. I realized that the "rich" in "RIA" refers to the money intruders will make by exploiting Web clients.
  • The average Web developer and security professional will never be able to counter these attacks. Intruders are so far ahead of the defenders with respect to tools and techniques that it is simply not possible to prevent the attacks I saw at Black Hat. This statement will probably offend many people but it's time to face the truth. There is no way to get "ahead of the threat" here.

Michael states that he is now officially depressed.

While I mostly agree with the observations, I do not agree with his conclusion. I was at the annual FIRST conference last year, and I attended a session about the malware marketplace. If you see the amount of (criminal) information that is being traded in underground networks, and the prices at which these trades are made, you know that as an information security professional you should have your technical and administrative controls in place, but you should never have the illusion that you are fully protected. It is too easy for a determined attacker to bypass the defenses you have in place by finding new attack vectors that you have not thought of before. A typical example is the continuous information leakage that happens through peer-to-peer file-sharing networks such as eDonkey and its kin. The fact that organization perimeters are fading is not new.

It is my personal opinion that effective information security needs technical measures, but that a /real/ awareness in the user constituency is crucial to success. An organization's perimeter must include the organization's constituents. The Wall Street Journal article of July 30, 2007 illustrates this.

Another observation is that things will go wrong and that properly developed incident response capabilities are vital. In the public space we acknowledge this too, by having ambulances and fire trucks manned at all times: despite all the prevention that we do, things will go wrong.