Comfort Technology
April 4th, 2008 | by Mark

One thing about testing and reviewing security technology is that you see quite a bit of useless stuff. Whatever the latest security fad is you can be sure that someone is going to try to exploit it for fun and profit. Don’t get me wrong; I think that capitalism is a fine thing. I just want someone else to pay to find the dead-end technology. So many of our security solutions are designed to address one particular problem and nothing else. The problem with that is that many of them are designed to address a non-security related problem – like giving an auditor a warm fuzzy when he looks at your network. “Oh, I see you have a scanner. Let me check this box and move on.” You’re not getting any benefit from it other than the knowledge that you’ve made some auditor happy. You’re comfortable knowing that you’re going to pass the audit.
We call that comfort technology.
So many of the new breed of appliances fall into this category that it boggles the mind. Someone needs to pass a SOx audit so they run out and get an appliance or a template so they can demonstrate that they comply with the law. Great. But how many of these products, which are designed to solve a so-called security problem, are really secure themselves? How many security products have insecure management channels? How many security products rely on DHCP? How many security products have taped the word NAC into their marketing literature or product name? More than you would think. Will the vendor tell you that when you connect a keyboard and a display to the security appliance you can change the security configuration of the device, rendering it useless? (After all, no messages from your security devices means that you’re secure, right?) How about a NAC solution that doesn’t talk to the endpoints?
These are all things that we’ve seen and for some reason vendors continue to think it’s OK. Maybe it’s because their developers aren’t security engineers. I recently ran across a vendor that was very proud of that particular fact. I asked them point blank if they did any security testing and I was neither assured nor comforted that the engineers knew about security.
But people continue to lean on their comfort technology right up to the moment that it fails. Why? Because what you don’t know can hurt you. You don’t know that the product has a security flaw because it was never tested for them. Even some of the vendors that we’ve dealt with didn’t know that some of their basic design decisions created a security flaw that could be exploited with the simplest of means.
Hopefully that’s going to change. We’re asking some hard questions and we’re expecting vendors to answer them because in this day and age we can’t afford to spend our money on comfort technology that puts us at risk.