Dailydave mailing list archives

Re: Semi-anonymized moderation.


From: "Mark Loveless" <mloveless () autonomic-networks com>
Date: Mon, 28 Jan 2008 12:30:52 -0800


> On Mon, Jan 28, 2008 at 09:39:17AM -0500, Someone other than
> Dave Aitel wrote:
> > Every time I hear the argument that some level of security, even lame
> > security, is better than NO security, I think about my Zappa
> > paraphrasing. In my opinion, lame security is WORSE than no security,
> > simply because most of the people involved (think CxO/pointy-haired boss
> > types) live with a sense that they are being protected, when in fact
> > they are not. The ones with no protection are not living a lie -- they
> > are at least AWARE they really have no security.
>
> Really?  I know this has been said before.  Horse, baseball bat, applying.
>
> Your house still has doors with locks, yet your windows are still trivial
> to break, bypassing the locks.  Go ahead, remove the locks on the doors
> because obviously, you are better off without it.
>
> Oh, no windows?  Got siding & drywall house, like most of America?
> I can cut a new entrance in most houses in minutes, thanks to my trusty
> sawzall.
>
> I know, let's live in brick houses and hire armed guards to not allow
> entrance and exit of those that someone deems should not be allowed in
> or out.
>
> Have fun living in a jail.
>
> Me, I'll live with my minor increases in security, as I improve where I
> can, what I can.

I actually agree with you 100% on houses. However I was referring to
computers... ;-)

Here is the main reason the house argument doesn't work. I cannot postal
mail you a letter or a package that creates a hidden backdoor into your
house that only I have the key to. Sure maybe if I mailed you a bomb, I
could create a crude opening in your house, but it would hardly be
secret or hidden.

There are a few dozen Windows registry tweaks and settings that will do
most of the good that anti-virus does. There are choices one can make
before web surfing, such as IE for that internal "mission critical" app
that uses ActiveX, but the default browser is Firefox with all the J's
turned off for web surfing. Ingress and egress filtering on the local
firewall. Etc etc etc. Tons of things that can be done that severely
limit the attack surface of a Microsoft system.

And given the choice of A/V versus anomaly detection, I'd take the
latter plus the assorted tweaks.

Now as for my comment about no security is better than lame security,
let me clarify. Yes the point was somewhat exaggerated to drive the
point home. However what I meant was, there are things you can do from a
hardening perspective that are just as effective as A/V, and they are
free. Also, if the only threat is 0day, and you are not air-gapped, all
the IDS/IPS/AV signatures in the world will not help you. You have to
limit the attack surface as much as possible.

It boils down to this -- upper management has a limited budget, and I
think that if you have staff that are spending two weeks out of the year
getting signature-based (mainly AV) installed and functioning in some
deployment, the money is better spent on hardening. Is there a use for
IDS/IPS? Reactively, no as you mainly catch low-hanging fruit and the
noisy stuff you could swat with a flyswatter. Proactively, I think there
are some possibilities that have yet to be fully explored... *

I will stop bantering and work on a presentation that tries to explain
this. Maybe it will be at BlackHat or some other con where I face the
rotten fruit in person.

-Mark

* Such as looking for \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 in web traffic,
which is found in headers of Office docs. This assumes non-SSL and
non-compressed traffic, of course. Yes, my home Snort system has that
rule loaded and yes I still play with IDS just for this type of
research.
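The footnote's Office-header check, as an added example that is not Mark's Snort rule: a small Python matcher over constructed HTTP responses showing the quoted magic matching an uncompressed body, and the caveat he notes, that a gzip Content-Encoding hides the same bytes from a wire-level match unless the sensor decompresses first. The function names and sample responses are my own assumptions.

```python
import gzip

# Compound-document (OLE2) magic quoted in the post: the first 8 bytes of
# a Word/Excel/PowerPoint 97-2003 file. Matching it flags Office docs, not
# malicious ones specifically; it is a research hook, not a verdict.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (lowercased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body

def wire_match(raw: bytes) -> bool:
    """What a byte-signature IDS sees on the wire: a hit only when the
    body travels uncompressed (and, of course, outside TLS)."""
    _, body = split_response(raw)
    return body.startswith(OLE2_MAGIC)

def decoded_match(raw: bytes) -> bool:
    """Same check after undoing Content-Encoding: gzip, i.e. what a
    decompressing proxy or sensor could see."""
    headers, body = split_response(raw)
    if headers.get("content-encoding", "").lower() in ("gzip", "x-gzip"):
        body = gzip.decompress(body)
    return body.startswith(OLE2_MAGIC)

def build_response(body: bytes, gzipped: bool = False) -> bytes:
    """Construct a minimal HTTP response carrying `body` (sample data)."""
    hdrs = [b"HTTP/1.1 200 OK", b"Content-Type: application/msword"]
    if gzipped:
        body = gzip.compress(body)
        hdrs.append(b"Content-Encoding: gzip")
    hdrs.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(hdrs) + b"\r\n\r\n" + body

# Constructed samples: a fake OLE2 body (magic plus padding) and an HTML page.
DOC_BODY = OLE2_MAGIC + b"\x00" * 504
HTML_BODY = b"<html><body>hello</body></html>"

if __name__ == "__main__":
    for label, resp in [("plain doc", build_response(DOC_BODY)),
                        ("gzipped doc", build_response(DOC_BODY, gzipped=True)),
                        ("html", build_response(HTML_BODY))]:
        print(f"{label:12} wire={wire_match(resp)} decoded={decoded_match(resp)}")
```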
