Dailydave mailing list archives

Re: Strategy


From: jf <jf () danglingpointers net>
Date: Tue, 27 Nov 2007 01:33:21 +0000 (UTC)


Firstly, you mean tactics, not strategy. Strategy is the overall goal (you
want to win any potential battle based in the realm of computing); the
tactic is how you accomplish it. And I believe the argument was that,
because by and large the government and (many/most) US corporations have
bought into standardized platforms sold by the likes of most US-based AV
companies, et al., and Microsoft, then assuming that this is a medium for
warfare, it [the tactic] is not asymmetric.

Largely I will agree; for instance, in the government too much emphasis is
put on clearability and whether a person has a previous or current clearance,
which is important, I understand, but a better system for cleaning and
farming out to unclean/uncleared people needs to occur; you simply cannot
pass up on the opportunity to employ the highly talented. Furthermore, in
my experience in various positions around US organizations, public and
private, there has been a large amount of standardization that causes
weaknesses. For instance, the choice of office productivity suite, or rather
the vast standardization in the manner that exists in most organizations,
does not create an inherent or natural defense.

As someone else noted, the asymmetry of it is that it could be termed
inverse guerrilla warfare, although it's only inverse because they're
attacking you in your home, whereas it's traditionally been employed as a
method for repelling invaders. Nonetheless, arguing for a method of
enhancing security that reacts to a threat in an asymmetric manner (by
making every third workstation a purple PPC-based iMac using iLife or
whatever the office suite is, and every seventh a MIPS-based Linux box
running OpenOffice) is IMHO misguided at best and more likely half-baked.

I don't disagree that it does indeed provide a natural defense over longer
periods of time; a brief history of infectious diseases firmly establishes
this point. But I'm not terribly positive that most organizations are that
one-sided, with many (most?) still employing any number of different
platforms on the server side.

Think of this for example, consider a network with X admins all with sudo
access and different passwords on Y many boxes. All of these passwords
have to meet given password policy A. Furthermore, each box has a local
root account whose password is not needed and thus daily a script changes
the root password for all Y boxes resulting in Y many more root
passwords based on policy B. Now consider that neither policy A nor policy B
is secret, and you end up with a situation that accurately models a lot of
networks out there. Mathematically speaking, are you more secure with all
of those root passwords floating around, or with one single one/one per box?

Things are one-sided in the desktop realm, but honestly, instead of
increasing the complexity and your attack surface by introducing X many
office suites, email clients, et cetera, and making yourself vulnerable to
them all, you should really sit down and pick apart something like antiword
and use it to do basic Word parsing (and perhaps statistical analysis of
the resulting text), put that as an AV-style process on the mail server,
and then from the domain enforce safe mode in winword.exe, et al. I mean
seriously, amongst the country's vast resources, public and private, it's
not too much of a fuss for someone to do that, and just doing that will
increase a large organization's security more than 'mixing up' the
workstation environment, without making life significantly harder for
everyone in your operations staff.

Or at least, so I think

On Nov 24, 2007 5:37 AM, Dave Aitel <dave () immunityinc com> wrote:

If you're reading an information warfare book or paper you'll invariably
see a lot of:
1. Inane references to Sun Tzu (or, in some even more horrible cases,
any two of Sun Tzu, Clausewitz, and John Boyd)
2. Declarations that information warfare is an "asymmetric attack"

It's not asymmetric in the slightest. If you take any significant period
of time then the organization with more money has a huge advantage in
this game. That doesn't mean that good strategy doesn't hurt, and I
wanted to showcase some examples:

Halvar gave a talk on his malware classification algorithms and at the
beginning of the talk he said "This prevents the malware authors from
using off-the-shelf compilers. Current AV technologies don't do this
since bypassing them requires this five line Python script which I
believe the malware authors have automated."

Forcing your opponent to use expensive tools is good strategy. Likewise,
choosing to invest in an expensive infrastructure can be good strategy.
I believe BinNavi and Immunity Debugger fit this category.

In terms of infrastructure, the US .com and .mil communities decided to
save money and purchase a mono-culture of Microsoft technologies. Bad
strategies like this result in flailing and moaning as you get defeated
over and over by someone with better strategy, not because the
battlefield is inherently asymmetric.

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
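The root-password thought experiment in jf's post above (X admins with sudo, Y boxes, per-box root passwords rotated daily, and neither policy A nor policy B secret) can be put into numbers. The script below is an added worked model, not part of the thread or either author's text. Everything in it is an assumption chosen for illustration: a policy is "length L, at least one character from each listed class"; passwords are uniform over the policy's space (the policy is public, so that space is exactly what the attacker searches); the attacker does online guessing at a fixed number of attempts per day per target and cannot do better than random guessing; the sample figures (20 admins, 500 boxes, 10^5 guesses a day) are constructed. It computes, for the two layouts the post contrasts, the chance that at least one credential falls and the expected number of boxes lost.

```python
"""Added example, not from the Dailydave thread.

A small probabilistic model of the root-password question in the post above:
X admin passwords drawn under policy A, Y per-box root passwords drawn under
policy B and rotated daily, versus one static root password shared by every
box.

Hypothetical assumptions: a policy is "length L, must contain at least one
character from each listed class"; passwords are uniform over the policy's
space (the policy is public, so this is the attacker's search space); the
attacker does online guessing at a fixed rate per target and cannot do
better than random guessing within that space.
"""
from itertools import combinations


def policy_keyspace(length, class_sizes):
    """Number of strings of `length` over the union of the classes that
    contain at least one character from every class (inclusion-exclusion:
    total strings minus those that miss one class, plus those that miss two,
    and so on)."""
    total = sum(class_sizes)
    space = 0
    for k in range(len(class_sizes) + 1):
        for excluded in combinations(class_sizes, k):
            # Strings that avoid every class in `excluded`.
            space += (-1) ** k * (total - sum(excluded)) ** length
    return space


def p_static(keyspace, guesses):
    """Chance a single fixed password falls to `guesses` distinct attempts."""
    return min(1.0, guesses / keyspace)


def p_rotating(keyspace, guesses_per_period, periods):
    """Chance a password that is re-drawn every period falls within `periods`
    periods; the attacker's progress resets at each rotation."""
    per_period = p_static(keyspace, guesses_per_period)
    return 1.0 - (1.0 - per_period) ** periods


def p_any(p_each, n):
    """Chance at least one of n independent targets falls."""
    return 1.0 - (1.0 - p_each) ** n


def compare(policy_a, policy_b, x_admins, y_boxes, guesses_per_day, days):
    """Compromise probabilities for the two layouts in the post.

    policy_a / policy_b are (length, class_sizes) tuples (hypothetical shape).
    """
    space_a = policy_keyspace(*policy_a)
    space_b = policy_keyspace(*policy_b)
    # Layout 1: X admin passwords (static, one per admin, valid on every box,
    # so guesses sent to all Y boxes pool against the same secret) plus Y
    # root passwords (one per box, rotated daily, so guesses do not pool).
    p_admin = p_static(space_a, guesses_per_day * days * y_boxes)
    p_root = p_rotating(space_b, guesses_per_day, days)
    p_any_cred = 1.0 - (1.0 - p_admin) ** x_admins * (1.0 - p_root) ** y_boxes
    # Layout 2: one static root password shared by all Y boxes; the attacker
    # pools the guesses sent to every box against that single secret, and one
    # hit yields every box.
    p_shared = p_static(space_b, guesses_per_day * days * y_boxes)
    return {
        "keyspace_a": space_a,
        "keyspace_b": space_b,
        "p_single_root_rotating": p_root,
        "p_any_root_rotating": p_any(p_root, y_boxes),
        "p_any_credential": p_any_cred,
        "expected_boxes_lost_per_box_roots": y_boxes * p_root,
        "p_shared_root": p_shared,
        "expected_boxes_lost_shared_root": y_boxes * p_shared,
    }


if __name__ == "__main__":
    # Constructed figures: 8-char lower/upper/digit admin passwords, 12-char
    # lower/upper/digit/symbol root passwords, 20 admins, 500 boxes, 10^5
    # online guesses a day per target, over a year.
    result = compare(policy_a=(8, [26, 26, 10]),
                     policy_b=(12, [26, 26, 10, 32]),
                     x_admins=20, y_boxes=500,
                     guesses_per_day=100_000, days=365)
    for name, value in result.items():
        shown = f"{value:.3e}" if isinstance(value, float) else str(value)
        print(f"{name:36s} {shown}")
```

The quantity to read off is the expected number of boxes lost in each layout: with per-box secrets the attacker's guesses against one box tell him nothing about another, while with a shared secret every guess sent to any box counts against the same password and a single success is Y boxes, not one. Changing the rotation period only changes how much of the online budget carries over between draws.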

