In reference to: Information security – are we experiencing a Pax Romana?

Pax Romana is a fallacy in Information Security, especially when you consider the plethora of technology and the rapid injection of new technology daily, not to mention convoluted information sharing architectures we have today. I have never been one to scream the sky is falling, but when I know there are people out there looking for a new system to burn or new ways to burn them, I think an article like this is premature, especially when there is money to be made.  The problem these days is that there are no “easy” targets or low-hanging fruit, but there are targets [1].  The software and hardware requires time and money to find vulnerabilities, and the vulnerabilities will be 2nd order plus, which requires setting all the right conditions on the systems before the vulnerabilities actually surface [2]. This makes exploitation difficult but not impossible, and additionally it raises the cost and time investment for each exploit. This means these exploits will not be “free” and if the teams that identify the vulns. and develop the exploits are smart, they will draw a hefty price from any side of the globe. Thats right for all you CW drummers, anyone.

Rather than waiting for the next storm, larger organizations should be evaluating their exposure and fielding in-house vulnerability/security researchers to ensure they are not on the violent edge of these swords when they start to fall.  Additionally, they should take time to train their resident experts, because when the next generation of security failures do arrive, life will be painful. My intuition tells me the exploit packages and follow-on malware will be engineered and crafted to protect the investment made to identify and develop them. Rather than a patch and fix issue, we will be looking at months, if not years (worst case), turn around times because architectures may need to be reworked, rewritten, or worst case redesigned.

[1] Daily Dave, “Exploits Matter.” http://lists.immunitysec.com/pipermail/dailydave/2009-October/005914.html
[2] NGS Software, ” Second Order Code Injection Attacks”, www.ngssoftware.com/papers/SecondOrderCodeInjection.pdf