Dailydave mailing list archives
Re: Semi-anonymized moderation.
From: "Mark Loveless" <mloveless () autonomic-networks com>
Date: Mon, 28 Jan 2008 12:30:52 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jan 28, 2008 at 09:39:17AM -0500, Someone other than Dave Aitel wrote:

>> Every time I hear the argument that some level of security, even lame security, is better than NO security, I think about my Zappa paraphrasing. In my opinion, lame security is WORSE than no security, simply because most of the people involved (think CxO/pointy-haired boss types) live with a sense that they are being protected, when in fact they are not. The ones with no protection are not living a lie -- they are at least AWARE they really have no security.
>
> Really? I know this has been said before. Horse, baseball bat, applying. Your house still has doors with locks, yet your windows are still trivial to break, bypassing the locks. Go ahead, remove the locks on the doors because obviously, you are better off without it. Oh, no windows? Got siding & drywall house, like most of America? I can cut a new entrance in most houses in minutes, thanks to my trusty sawzall. I know, let's live in brick houses and hire armed guards to not allow entrance and exit of those that someone deems should not be allowed in or out. Have fun living in a jail. Me, I'll live with my minor increases in security, as I improve where I can, what I can.

I actually agree with you 100% on houses. However I was referring to computers... ;-)

Here is the main reason the house argument doesn't work. I cannot postal mail you a letter or a package that creates a hidden backdoor into your house that only I have the key to. Sure, maybe if I mailed you a bomb, I could create a crude opening in your house, but it would hardly be secret or hidden.

There are a few dozen Windows registry tweaks and settings that will do most of the good that anti-virus does. There are choices one can make before web surfing, such as IE for that internal "mission critical" app that uses ActiveX, but the default browser is Firefox with all the J's turned off for web surfing. Ingress and egress filtering on the local firewall. Etc etc etc. Tons of things that can be done that severely limit the attack surface of a Microsoft system. And given the choice of A/V versus anomaly detection, I'd take the latter plus the assorted tweaks.

Now as for my comment about no security is better than lame security, let me clarify. Yes, the point was somewhat exaggerated to drive the point home. However what I meant was, there are things you can do from a hardening perspective that are just as effective as A/V, and they are free. Also, if the only threat is 0day, and you are not air-gapped, all the IDS/IPS/AV signatures in the world will not help you. You have to limit the attack surface as much as possible.

It boils down to this -- upper management has a limited budget, and I think that if you have staff that are spending two weeks out of the year getting signature-based (mainly AV) installed and functioning in some deployment, the money is better spent on hardening. Is there a use for IDS/IPS? Reactively, no, as you mainly catch low-hanging fruit and the noisy stuff you could swat with a flyswatter. Proactively, I think there are some possibilities that have yet to be fully explored... *

I will stop bantering and work on a presentation that tries to explain this. Maybe it will be at BlackHat or some other con where I face the rotten fruit in person.

- -Mark

* Such as looking for \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 in web traffic, which is found in headers of Office docs. This assumes non-SSL and non-compressed traffic, of course. Yes, my home Snort system has that rule loaded and yes I still play with IDS just for this type of research.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFHnjt8cWrXS8hLmpIRAj7vAJ48LRVfNRmKH7Fkj17AX/xlGvtuEwCfRIoQ
AXIVH33VCUHKOVeWYIei7Do=
=lSyF
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
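The footnote's idea, looking for the eight-byte OLE2 (Compound File Binary) signature in HTTP bodies, is shown below as an added example; it is not code from the original message, from Snort, or from Mark Loveless. It assumes raw HTTP/1.x responses handed to it as bytes (the sample responses are constructed inline), and it goes a little beyond the post in two ways: it distinguishes a signature at offset 0 (a real document download) from one buried later in the body (a weaker, unanchored match), and it inflates gzip bodies while honestly reporting any other Content-Encoding as opaque, which is the compression caveat the post makes. Flagging a Content-Type mismatch (an OLE body served as text/html) is the kind of anomaly signal the message argues for over signature counting.

```python
import gzip

# The OLE2 / Compound File Binary signature the post's Snort rule looks for.
# These eight bytes are the real magic of legacy .doc/.xls/.ppt (and .msi) files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Content-Type substrings under which an OLE body is expected; anything else is
# reported as a type mismatch (e.g. a document served as text/html).
EXPECTED_OLE_TYPES = ("msword", "ms-excel", "ms-powerpoint", "vnd.ms-", "octet-stream")


def split_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed response: no end-of-headers marker")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def inspect_response(raw: bytes, inflate: bool = True) -> dict:
    """Classify one HTTP response body with respect to the OLE signature.

    'verdict' is one of:
      'ole_document'  body starts with the signature; 'type_mismatch' says whether
                      the Content-Type header disagrees with that
      'embedded_ole'  signature appears later in the body (weaker signal, like a
                      Snort content match without an offset anchor)
      'opaque'        body is encoded in a way not decoded here, so the signature
                      cannot be seen (the post's compressed-traffic caveat)
      'clean'         no signature found
    """
    _, headers, body = split_http_response(raw)
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding == "gzip" and inflate:
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError):
            return {"verdict": "opaque", "reason": "undecodable gzip body"}
    elif encoding not in ("identity", ""):
        # br, deflate, or gzip with inflate=False: report blindness rather than 'clean'
        return {"verdict": "opaque", "reason": f"content-encoding={encoding}"}

    ctype = headers.get("content-type", "").lower()
    if body.startswith(OLE_MAGIC):
        mismatch = not any(tag in ctype for tag in EXPECTED_OLE_TYPES)
        return {"verdict": "ole_document", "content_type": ctype, "type_mismatch": mismatch}
    offset = body.find(OLE_MAGIC)
    if offset != -1:
        return {"verdict": "embedded_ole", "offset": offset, "content_type": ctype}
    return {"verdict": "clean"}


def build_response(content_type: str, body: bytes, extra_headers=()) -> bytes:
    """Construct a minimal HTTP/1.1 response for the demo (constructed data, not captured)."""
    lines = [b"HTTP/1.1 200 OK", b"Content-Type: " + content_type.encode()]
    lines += [h.encode() for h in extra_headers]
    lines.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


# Constructed sample traffic: a real-looking download, a masqueraded one,
# a gzip-encoded one, an encoding we do not decode, and plain HTML.
OLE_BODY = OLE_MAGIC + b"\x00" * 24
SAMPLES = {
    "doc": build_response("application/msword", OLE_BODY),
    "masqueraded": build_response("text/html; charset=utf-8", OLE_BODY),
    "gzipped": build_response("application/octet-stream", gzip.compress(OLE_BODY),
                              ["Content-Encoding: gzip"]),
    "brotli": build_response("text/html", b"\x1b\x00", ["Content-Encoding: br"]),
    "html": build_response("text/html", b"<html><body>hello</body></html>"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} {inspect_response(raw)}")
```

Run as a script it prints one verdict per constructed sample; in practice you would feed it response bodies reassembled from a capture. The offset-0 check is what keeps the rule from firing on every HTML page that happens to mention those bytes, and the 'opaque' verdict is the honest answer for SSL or compressed streams the post says such a rule cannot see into.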