Dailydave mailing list archives
Re: Semi-anonymized moderation.
From: "Sec urity" <security () brvenik com>
Date: Mon, 28 Jan 2008 17:14:57 -0500
There will always be the naysayers that believes that because you cannot achieve perfection you should not even try. inline.... On Jan 28, 2008 9:39 AM, Dave Aitel <dave () immunityinc com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Post from Mark Loveless who is subscribed from a diff email and hit "reply all". My moderation gui drops anything from anyone not subscribed, so I'm "moderating" this manually. - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1Dave my man. I agree that security is an arm's race for signature based products. Though should we throw out the baby with the dirty water? Is no firewall, VLANs, route filtering, IDS, AV, central management/logging, etc better than a lame one? And besides perhaps some witty vendor will come up with a new solution. :)I'll bite. I'd say as a person who has worked on multiple security products, it is a losing battle. The network is simply hostile. Forget the firewalls with holes in them to allow users to send/receive email, web traffic, IM, plus "trusted" vendors, suppliers, contractors, overseas divisions, and an increasing mobile workforce -- there are simple rules of physics to contend with here, and as a result the network on both sides of the firewall is hostile.
Perfection is attained slowly and requires time. Historically it used to be that any kid with a brain and a minute could have their way with your computers. This is no longer the case and it is far less trivial to do so without being caught. The vast majority of threats have also failed to reach perfection; the imperfect ones are eliminated from the landscape well before they can achieve a level of enlightenment representing a true threat. Naysayers would let perfection be the enemy of good.
If every exploit set the evil bit, we'd just look for that one thing. However any signature-based system has to look at all possible attacks. Now for even ASIC-based systems, you run out of memory real quick. This is the physics thing I mentioned earlier. Most IDS/IPS vendors have a ceiling limit on about 1800-2000 signatures that can be active at once. NO vendor ships with all 5k-10k signatures turned on. The machine would drop packets and grind to a halt. Therefore what signatures do you pick? Only the ones that affect your user base? What about home users coming in via VPN (doubly bad, you may not support the platform AND the communication is encrypted)? Do you think anti-virus companies have it any better? What about anomaly-based host systems? Arguably better, however there are two factors that prevent massive deployment: 1) You now have to run low-level code on all your systems. Aside from the technical issues that this may cause, your CxO types may have gotten burned when the last time code was loaded on every system, it didn't prevent some massive infection. Additionally, the Gartners of the world are quick to point out that the upper right quadrant is filled with signature-based companies anyway, so any consultants/sales people wanting to make a sale have to explain away that upper quadrant in that goofy chart. Hybrid systems that use sigs for the low-hanging fruit and anomaly detection for the hard stuff might creep into the upper right quad (hopefully you know what I mean by Gartner's upper right quad, google it if you don't know). 2) It is cheaper to deploy technology at the "choke points" instead of everywhere, and A/V is about all you can expect to get on the desktop nowadays. Besides the auditors of the world will tell your organization that due diligence is having that A/V there, on the Exchange server, and the fact you have a firewall pretty much has you covered from an audit standpoint.
Is it better to raise the bar so that threat you likely face is unlikely to do something that gets them caught and as a result never causes you significant pain? What is spenging a few million, slightly trimming a 500 Billion balance sheet, compared to simply letting the thief take 5 Billion from the safe? It is all about $ isn't it?
My solution would be to lock down the desktops and servers via hardening, run email and web browsers in sandboxes, and replace the firewalls with router ACLs that simply take large swipes at the traffic to help create a division from the outside world. Firewalls are simply glorified routers at this point anyway, as most are configured to allow certain types of traffic right in through the front door.
Lets not confuse poor implementation with capability. If you think that an approach like this will be effective I say get to it! You will find that the problem is not that simply solved and you just and up shifting the point of entry. Changing any element without considering the motivatiing and demotivating factors is nothing more than choosing to do nothing in a very complicated way and will be equally as ineffective.
I used to quote Frank Zappa's comments on modern jazz as "jazz isn't death, it just smells funny" in presentations, saying the same thing about perimeter security. Around 2002 or so I simply started saying perimeter security is just dead. I had a very serious discussion about this very topic with Bill Cheswick around the same time, with both of us threatening to write a paper or article on the topic. Every time I hear the argument that some level of security, even lame security, is better than NO security, I think about my Zappa paraphrasing. In my opinion, lame security is WORSE than no security, simply because most of the people involved (think CxO/pointy-haired boss types) live with a sense that they are being protected, when in fact they are not. The ones with no protection are not living a lie -- they are at least AWARE they really have no security.
In the US we often kill the killers and knowing this they STILL seem to kill! Some even get away with it! Should we simply accept that there are a few people that can kill with such skill that they will go uncaught? Should we not even try to catch killers because they _might_ be that one? Should we not try to catch criminals because they might also be that _one_ killer? Simply because there is a superior threat lurking out there does not mean we should not remove the known threats or that we should invite them into our house. IT Security is not a place where we must have perfection in order to have better security, we can easily remove the majority of the criminals from the IT gene pool by taking some simple steps. We should not invite all threats into our house because there are a few skilled ones. We should treat them as the threats they are and force them into a situation where they are forced to find a new path, and get caught in the process. Raising the bar and the cost to model and attack effectively balances the equation for the majority of the world. The solution is not perfect and it still cannot prevent you from losing 7 Billion, it did save you countless billions from preventing other issues. It is trivial to state that anything modeled and systematically attacked will be defeated. It is an entirely different case to actually do it. This discussion seems to happen quarterly. I think it is because Dave fancies himself an infallible threat, gloats about it, and people grant him that license because he and his team are good. It does not make him or any other infallible, they will screw up and get caught, they are not perfect. I doubt seriously that Dave or any other team enters all engagements where they are faced with an equally skilled defender and gets away uncaught. If they were actually in the position of being a criminal they would already be in jail.
Mark - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) iD8DBQFHlnf7cWrXS8hLmpIRAlV3AJ4xm+t46kKtUaFZ3zbVB9VmEUIPqwCfcNgi yEHFuPRkLlrQEI90G/h3RQg= =DhdV - -----END PGP SIGNATURE----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHnekTB8JNm+PA+iURAgnLAJ9/MYp/eoneY4TwIr50XRIlAZBgCgCgj8ME 48wF+iNSfnb0rOEBiF/eSpk= =d2Lw -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Semi-anonymized moderation. Dave Aitel (Jan 28)
- Re: Semi-anonymized moderation. Kowsik (Jan 28)
- Re: Semi-anonymized moderation. Chris Rohlf (Jan 28)
- Re: Semi-anonymized moderation. Jon Oberheide (Jan 28)
- Re: Semi-anonymized moderation. Chris Rohlf (Jan 28)
- Re: Semi-anonymized moderation. Brian (Jan 28)
- Re: Semi-anonymized moderation. Mark Loveless (Jan 28)
- Re: Semi-anonymized moderation. Brian (Jan 28)
- Re: Semi-anonymized moderation. Lance M. Havok (Jan 28)
- Re: Semi-anonymized moderation. Olef Anderson (Jan 28)
- Re: Semi-anonymized moderation. Stephen John Smoogen (Jan 28)
- Re: Semi-anonymized moderation. Mark Loveless (Jan 28)
- Re: Semi-anonymized moderation. Kowsik (Jan 28)
- Re: Semi-anonymized moderation. Sec urity (Jan 28)