The Kilo-Day threat and mundane security

By Andreas M. Antonopoulos, Network World | Security, conficker, patch

In the security business we spend a lot of time worrying about the "zero-day" threat that appears out of nowhere and immediately starts attacking a hitherto unknown vulnerability. We imagine genius hackers probing software to discover new and unique ways of attacking our systems. We worry about the yet-undiscovered bugs that lie dormant in our operating systems. We worry so much that we overlook the vulnerabilities we already know about: the ones that have been hanging around on our systems, known but unaddressed, unpatched and wide open. The kilo-day threat is the one that we've known about for 1,024+ days, or roughly three years. While mundane and basic info-hygiene is boring, it is the best defense.

Look at Conficker for example. In the run-up to April 1, the entire IT industry was holding its breath waiting for the potential payload to deploy. IT departments worked urgently to detect and eradicate Conficker from their systems. Yet the patch for the vulnerability that Conficker exploited had been out since October. Many of today's threats (wormy viral trojans) use dozens or even hundreds of exploits to attack targets.

Almost all of these exploits are attacking well-known vulnerabilities. Not only are the vulnerabilities known, but in many cases there are patches available for them. What's unique about threats today is not their "entry" into our systems but the way they behave once they are there. Threats are more stealthy, propagate more slowly and efficiently, and can vary their payload through complex command-and-control systems. But they still get into our systems using well-trodden paths that we already know about.

We worry about the wrong threats and then we try to address them with the wrong remedies. We seek whiz-bang remedies to address rare and spectacular threats, instead of mundane security to address common threats. We worry about zero-day while we haven't fixed the kilo-day vulnerabilities. We look for the latest in antivirus and perimeter security, but we run all our users as admins. We manage eight DMZs in the most complex firewall configuration ever seen, but haven't patched a server in six months. Mundane security should be celebrated.

The tedious and simple is also the most effective when it comes to security. Fix 20 of the top vulnerabilities that have been known for a while and don't worry about the zero-day as much. Worry about the admin-level users browsing all over the Web in insecure browsers and not whether MD5 is still secure enough to use in your VPN. Worry about the unpatched servers you're running as virtual machines, not whether the hypervisor is secure.
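An added example, not from the column: a small Python report that applies the 1,024-day "kilo-day" threshold defined above to a constructed patch inventory (the hosts, advisory ids and dates are placeholders) and lists whatever is still unpatched, oldest first, so the kilo-day items surface ahead of anything newer.

```python
from datetime import date

# Constructed sample inventory (placeholders, not real hosts or advisories).
# Fields: host, advisory id, date the vendor patch became available, applied?
INVENTORY = [
    ("fileserver-01", "ADV-EXAMPLE-001", date(2006, 3, 14), False),
    ("web-02",        "ADV-EXAMPLE-002", date(2008, 10, 23), False),
    ("web-02",        "ADV-EXAMPLE-003", date(2009, 2, 10), True),
    ("dc-01",         "ADV-EXAMPLE-004", date(2009, 3, 20), False),
]

# Report date chosen to match the column's April 1 reference point (assumption).
REPORT_DATE = date(2009, 4, 1)

KILO_DAY = 1024   # the column's threshold: patch available for 1,024+ days
STALE = 30        # assumed threshold for "should have been in the last patch cycle"


def patch_age_days(patch_date, today):
    """Days a fix has been available and not applied."""
    return (today - patch_date).days


def classify(age_days):
    """Bucket an unpatched item by how long its fix has existed."""
    if age_days >= KILO_DAY:
        return "kilo-day"
    if age_days >= STALE:
        return "stale"
    return "recent"


def kilo_day_report(inventory, today):
    """Return unpatched entries sorted oldest-first, each with age and bucket."""
    rows = []
    for host, advisory, patch_date, applied in inventory:
        if applied:
            continue  # fixed items are not a threat, however old the advisory
        age = patch_age_days(patch_date, today)
        rows.append({"host": host, "advisory": advisory,
                     "age_days": age, "class": classify(age)})
    rows.sort(key=lambda r: r["age_days"], reverse=True)
    return rows


if __name__ == "__main__":
    for r in kilo_day_report(INVENTORY, REPORT_DATE):
        print(f'{r["class"]:9} {r["age_days"]:5d}d  {r["host"]:14} {r["advisory"]}')
```

The first line of the output is the item to fix before any zero-day discussion starts; extending the inventory with a per-host "users run as admin" flag and sorting on it second is the natural next step.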

Security should be mundane, simple and repeatable. If it's complex, exciting and new then it's probably not secure.
