Dailydave mailing list archives
Re: Strategy
From: jf <jf () danglingpointers net>
Date: Tue, 27 Nov 2007 01:33:21 +0000 (UTC)
Firstly, you mean tactics, not strategy- strategy is the overall goal, you want to win any potential battle based in the realm of computing, the tactic is how you accomplish it, and I believe the argument was that because by and large the government and (many/most) US corporations have bought into standardized platforms sold by the likes of most US-based AV companies, et al. and Microsoft, that assuming this is a medium for warfare it [the tactic] is not asymmetric. Largely I will agree; for instance, in the government too much emphasis is put on clearability and whether a person has a previous or current clearance- which is important, I understand, but a better system for cleaning and farming out to unclean/uncleared people needs to occur; you simply cannot pass up on the opportunity to employ the highly talented. Furthermore, in my experiences in various positions around US organizations, public and private, there has been a large amount of standardization that causes weaknesses. For instance, choice of office productivity suite, or rather vast standardization in the manner that exists in most organizations, does not create an inherent or natural defense. As someone else noted, the asymmetry of it is that it could be termed inverse guerrilla warfare, although it's only inverse because they're attacking you in your home whereas it's traditionally been employed as a method for repelling invaders. Nonetheless, arguing for a method of enhancing security by reacting to a threat in an asymmetric manner- by making every third workstation a purple PPC-based iMac using iLife or whatever the office suite is, and every seventh a MIPS-based Linux box running OpenOffice- is imho misguided at best and more likely half-baked.
I don't disagree that it does indeed provide natural defense over longer periods of time; a brief history of infectious diseases firmly establishes this point, but I'm not terribly positive that most organizations are that one-sided, with many (?most?) still employing any number of different platforms on the server side. Think of this, for example: consider a network with X admins, all with sudo access and different passwords, on Y many boxes. All of these passwords have to meet given password policy A. Furthermore, each box has a local root account whose password is not needed, and thus daily a script changes the root password for all Y boxes, resulting in Y many more root passwords based on policy B. Now consider that neither policy A nor B is secret, and you end up with a situation that accurately models a lot of networks out there. Mathematically speaking, are you more secure with all of those root passwords floating around or one single one/one per box? Things are one-sided in the desktop realm, but honestly, instead of increasing the complexity and your attack surface by introducing X many office suites, email clients, et cetera and making yourself vulnerable to them all, you should really sit down and pick apart something like antiword and use it to do basic Word parsing (and perhaps statistical analysis of the resulting text), put that as an AV-style process on the mail server, and then from the domain enforce safe mode in winword.exe, et al. I mean seriously, amongst the country's vast resources, public and private, it's not too much of a fuss for someone to do that, and just doing that will increase a large organization's security more than 'mixing up' the workstation environment, without making life significantly harder for everyone in your operations staff. Or at least, so I think.
On Nov 24, 2007 5:37 AM, Dave Aitel <dave () immunityinc com> wrote:

If you're reading an information warfare book or paper you'll invariably see a lot of:

1. Inane references to Sun Tzu (or, in some even more horrible cases, any two of Sun Tzu, Clausewitz, and John Boyd)
2. Declarations that information warfare is an "asymmetric attack"

It's not asymmetric in the slightest. If you take any significant period of time then the organization with more money has a huge advantage in this game. That doesn't mean that good strategy doesn't hurt, and I wanted to showcase some examples: Halvar gave a talk on his malware classification algorithms and at the beginning of the talk he said "This prevents the malware authors from using off-the-shelf compilers. Current AV technologies don't do this since bypassing them requires this five line Python script which I believe the malware authors have automated." Forcing your opponent to use expensive tools is good strategy. Likewise, choosing to invest in an expensive infrastructure can be good strategy. I believe BinNavi and Immunity Debugger fit this category. In terms of infrastructure, the US .com and .mil communities decided to save money and purchase a mono-culture of Microsoft technologies. Bad strategies like this result in flailing and moaning as you get defeated over and over by someone with better strategy, not because the battlefield is inherently asymmetric.

-dave
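The root-password thought experiment in the post above (Y boxes, one shared root password versus Y distinct ones, every password drawn under a policy the attacker knows), modeled as an added example that is not the poster's code; the policy sizes, guess rates, box count and rotation period in the sample run are constructed assumptions:

```python
"""Guess-budget model for shared vs. distinct root passwords under a known
policy.  Added illustration, not code from the thread; all numbers in the
sample run are constructed assumptions."""


def keyspace(length: int, alphabet_size: int) -> int:
    """Passwords a policy permits (assumes uniform random selection)."""
    return alphabet_size ** length


def effective_guesses(rate_per_day: float, days: int, rotation_days: int) -> float:
    """Online guesses that count against one secret.  Rotating the password
    does not shrink the keyspace; it only caps how many guesses accumulate
    against a single secret before it is replaced."""
    return rate_per_day * min(days, rotation_days)


def compare(y: int, guesses_per_box: float, space: int) -> dict:
    """Chance of a first foothold and expected boxes lost, shared vs. distinct."""
    p_box = min(1.0, guesses_per_box / space)
    # Shared secret: guesses against any box test the same password, so a
    # coordinated attacker pools Y boxes' worth of attempts on one secret.
    p_shared = min(1.0, y * guesses_per_box / space)
    # Distinct secrets: each box is an independent trial with its own odds.
    p_distinct_any = 1.0 - (1.0 - p_box) ** y
    return {
        "p_first_foothold_shared": p_shared,
        "p_first_foothold_distinct": p_distinct_any,
        "expected_boxes_lost_shared": y * p_shared,  # one hit opens all Y
        "expected_boxes_lost_distinct": y * p_box,   # each hit opens one box
    }


if __name__ == "__main__":
    # Constructed sample: policy B = 8 characters over 62 symbols, 200 boxes,
    # 1000 online guesses per box per day for 30 days, daily rotation.
    space = keyspace(8, 62)
    g = effective_guesses(1000, 30, 1)
    for name, value in compare(200, g, space).items():
        print(f"{name:30s} {value:.3e}")
```

The probability of a first foothold comes out nearly equal either way; what distinct per-box passwords change is the blast radius of that first hit, which is the cost a defender weighs against the operational overhead the poster mentions.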