Musings on Information Security
March 2007

This work is licensed under a Creative Commons Attribution 2.5 License.
From Self-Defending Networks to Realtime Compliance

A while ago the phrase "Self-Defending Network" was popularized by Cisco.  I am not sure why I do not hear this phrase often. What's up with that?

Here are reasons why the Self-Defending Network is a far-fetched idea:

1. Security is not just technology alone. Security is people, security is process, security is technology.

2. The threats are evolving and moving up the stack. The motive of hackers is financial gain, not ego display as in the past. The exploits are very focused and covert rather than widespread and ostentatious. It is hard for a Self-Defending Network to distinguish focused, covert traffic from normal traffic.

3. A network is an ecosystem of software and hardware from a multitude of vendors. A Self-Defending Network cannot keep tabs on the vulnerabilities across the board.

4. The number of vulnerabilities is not finite. The permutations and combinations of vulnerabilities add more complexity. A Self-Defending Network cannot keep tabs on all of those.

5. The components (Firewall, IPS, NAC et al.) of a Self-Defending Network would have to evolve synchronously in order to inter-operate and still be effective, which is less than likely.

6. A Self-Defending Network cannot understand your business systems and prioritize risks.

7. A Self-Defending Network cannot provide physical security to itself.

and many more.

Building and maintaining a network that shields the business from the threats you perceive as risks, within the limits of your budget, is practical.

At RSA 2007 compliance phrases were flying all over: Real-time Compliance, Continuous Compliance, Sustainable Compliance, ad nauseam. The famous McAfee party was my savior; I downed a few glasses of wine and that helped me regain my orientation. Riding back home on the Caltrain I was wondering if customers buy vendor phrases or real solutions that address their concerns. The vendor phrase seems to be an eternal winner.

Website Security

Recently I attended a Website Security breakfast event organized by WhiteHat. Security expert Bill Pennington talked about the lifecycle of a vulnerability. Another security expert, Jeremiah Grossman, shared some interesting stats about vulnerabilities in web applications. This was an event packed with a lot of takeaways, and I also met several interesting security professionals.

Here are some salient points about website (or web application) security:

1. The web was not designed to be secure from the ground up.

2. Platforms are insecure (OS, database, applications).

3. Web programming languages are immature.

4. Protection mechanisms are non-existent by default.

5. Browsers are riddled with security holes.

6. Web programmers and users make mistakes.

7. Web applications change frequently, i.e., they have shorter release cycles.

8. Business logic vulnerabilities are hard to detect.

Grayware?

Very interesting definitions that I found on www.dqchannels.com, which I would like to highlight:

'Grayware' is a term that regularly appears on IT and security professionals' radar screens today. An umbrella term applied to a wide range of applications that are installed on a user's computer to track and/or report certain information back to some external source, these applications are usually installed and run without the permission of the user.

Grayware categories

Adware: Adware is usually embedded in freeware applications that users can download and install at no cost. Adware programs are used to load pop-up browser windows to deliver advertisements when the application is open or run.

Dialers: Dialers are grayware applications that are used to control the PC's modem. These applications are generally used to make long distance calls or call premium 900 numbers to create revenue for the thief.

Gaming: Gaming grayware applications are usually installed to provide jokes or nuisance games.

Joke: Joke grayware are applications that are used to change system settings, but do no damage to the system. Examples include changing the system cursor or Windows' background image.

Peer-to-Peer (P2P): P2P grayware are applications that are installed to perform file exchanges. While P2P is a legitimate protocol that can be used for business purposes, the grayware applications are often used to illegally swap music, movies, and other files.

Spyware: Spyware applications are usually included with freeware. Spyware is designed to track and analyze a user's activity, such as a user's web browsing habits. The tracked information is sent back to the originator's Web site, where it may be recorded and analyzed. Spyware can be responsible for performance-related issues on the user's PC.

Key logger: Key loggers are perhaps one of the most dangerous grayware applications. These programs are installed to capture the keystrokes made on a keyboard. These applications can be designed to capture user and password information, credit card numbers, email, chat, instant messages, and more.

Hijacker: Hijackers are grayware applications that manipulate the Web browser or other settings to change the user's favorite or bookmarked sites, start pages, or menu options. Some hijackers have the ability to manipulate DNS settings to reroute DNS requests to a malicious DNS server.

Plugins: Plugin grayware applications are designed to add additional programs or features to an existing application in an attempt to control, record, and send browsing preferences or other information back to an external destination.

Network management tools: Network management tools are grayware applications that are installed for malicious purposes. These applications are used to change network settings, disrupt network security, or cause other forms of network disruption.

Remote administration tools: These tools are grayware applications that allow an external user to remotely gain access, change, or monitor a computer on a network.

BHO: BHO grayware applications are DLL files that are often installed as part of a software application to allow the program to control the behavior of Internet Explorer. Not all BHOs are malicious, but the potential exists to track surfing habits and gather other information stored on the host.

Toolbar: Toolbar grayware applications are installed to modify the computer's existing toolbar features. These programs can be used to monitor web habits, send information back to the developer, or change the functionality of the host.

Downloader: Downloaders are grayware applications that are installed to allow other software to be downloaded and installed without the user's knowledge. These applications are usually run during the startup process and can be used to install advertising, dialer software, or other malicious code.
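Several of the categories above (hijackers that rewrite DNS settings, network management grayware that changes network configuration) leave a visible trace in two places a defender can audit cheaply: the local hosts file and the configured resolvers. The script below is an added example, not from the original post or from dqchannels; it parses hosts-file and resolv.conf text, flags watched domains that are mapped to anything other than a loopback or blackhole address, and flags resolvers outside an allowlist. The watched-domain list, the resolver allowlist and the two sample configurations are constructed for illustration.

```python
"""Hosts-file and resolver tamper check for DNS-hijacking grayware.

Added example (not the original post's or dqchannels' code). The watched
domains, the resolver allowlist and the sample inputs are constructed.
"""
import ipaddress
import re
from pathlib import Path

# Domains a site would not expect to see overridden locally (constructed list).
WATCHED_DOMAINS = {"www.example-bank.com", "update.example-av.com", "www.google.com"}

# Resolvers the organisation actually operates or trusts (constructed allowlist).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Loopback and blackhole targets are normal in a hosts file (ad-blocking lists use 0.0.0.0).
_BENIGN_TARGETS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "0.0.0.0")}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and junk lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address; skip the line
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def suspicious_hosts_entries(text):
    """Watched domains pointed at a real address: the hijacker signature."""
    return [(str(ip), host) for ip, host in parse_hosts(text)
            if host in WATCHED_DOMAINS and ip not in _BENIGN_TARGETS]


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf text."""
    nameservers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            nameservers.append(match.group(1))
    return nameservers


def unexpected_resolvers(text):
    """Resolvers that are not on the allowlist, in the order they appear."""
    return [ns for ns in parse_resolv_conf(text) if ns not in EXPECTED_RESOLVERS]


# Constructed sample inputs: one benign blackhole entry, one hijacked bank domain,
# one trusted resolver and one unknown resolver.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
0.0.0.0     www.google.com            # blackholed, common in ad-block lists: not flagged
203.0.113.7 www.example-bank.com      # documentation-range address standing in for an attacker host
"""

SAMPLE_RESOLV = """\
# constructed sample resolver configuration
nameserver 10.0.0.53
nameserver 198.51.100.9
search corp.example
"""


def report(hosts_text=SAMPLE_HOSTS, resolv_text=SAMPLE_RESOLV):
    """Build a findings dict; empty lists mean nothing suspicious was seen."""
    return {
        "hijacked_hosts": suspicious_hosts_entries(hosts_text),
        "unexpected_resolvers": unexpected_resolvers(resolv_text),
    }


if __name__ == "__main__":
    # Run against the live files when present (Unix paths), else the samples.
    hosts = Path("/etc/hosts")
    resolv = Path("/etc/resolv.conf")
    findings = report(
        hosts.read_text() if hosts.exists() else SAMPLE_HOSTS,
        resolv.read_text() if resolv.exists() else SAMPLE_RESOLV,
    )
    for kind, items in findings.items():
        print(f"{kind}: {items if items else 'none'}")
```

The check is deliberately conservative: it only flags domains on the watched list, so ad-blocking hosts files and developer overrides of internal names do not produce noise. On Windows the equivalent inputs are `%SystemRoot%\System32\drivers\etc\hosts` and the per-interface DNS server settings rather than resolv.conf.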

About RSA 2007

Professor Eugene Spafford has a nice analysis of the RSA 2007 conference.

Cost of vulnerability

Early in my career, I had this interesting experience that I would like to share. I worked with a software engineer / architect who was extremely brilliant. He was equally arrogant too.

I found a very serious vulnerability in his code where a hacker could easily hijack a user session. I set up a demo scenario for this and walked up to his office to bring this to his attention. His response to my discovery was more amazing than the vulnerability itself. He thumped his clenched fist on the table and averred, "My code is bullet proof." By his immature and stupid reaction the architect increased the cost of the vulnerability.

I was deeply upset by his remark. Though it could have easily turned into a heated exchange, I restrained myself and walked back to my cube. One of the top managers happened to pass by my cube; he looked at the demo scenario and exclaimed, "this really sucks!" Eventually the vulnerability was acted upon and a fix was deployed on time.

The way you react to a vulnerability determines the cost of the vulnerability. There is no right answer here. A prudent and pragmatic approach can reduce the cost and preserve the company's brand identity.
