Security Basics mailing list archives
Re: Security vs. Simplicity
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Tue, 26 May 2009 20:48:24 -0430
On Tuesday 26 May 2009 19:40:06 Craig S. Wright wrote:
but blackbox are vulnerable in time since:
- When you modify their environment, you don't know what is the behavior of such device/system...
- Every software/library/something could have discovered vulns across the time.
- Every product has a lifetime, if you don't know the exact behavior, it cannot be replaced easily, and could lead to Denial Of Service.
- etc.

To an extent all software is a blackbox. The analysis of software is an NP infeasible problem. Turing and then Distraka demonstrated proofs that the state of a system can never be fully known. You are making presumptions as to the level of knowledge an open system holds and as to the level of testing.

I'm not implying anything about open systems with my comments... You are taking extremes.... Everyone knows that there is no 100% secure system. We can cover most of the vulnerabilities, and it's our job.
Crystal box testing is a better option. I have published papers on this in the past. What you are missing is the complexity/simplicity issue. You are mixing these issues with security.
Again... the issue comes from not well documented systems... that are a source of vulnerabilities, by the exposed reasons. You said that documentation is a source of complexity; I think that it is a source of simplicity. (Only if it is well documented.)

--------

Suppose that you have a Linux with mysql and you are an average admin. What is the simplest way to change passwords?

1. google Linux; uname -a; google Change Ubuntu Linux password; read and read and read, and do passwd; then, check for superusers, then, check the state of mysql, and google it for change mysql root password... probably you need to install something like phpmyadmin to manage mysql and check for other important users... And probably, the dependent systems will stop working... Then, you have to check third party systems that work with this database password...

or

2. Read a security documentation on section maintenance; search for change system passwords; and follow the instructions.

What is more simple for maintenance?
You also never know the state of an open system. You just have a lower cost of testing and rectification. As for DoS. There is always a way to DoS a system. The issue here is how much evidence you create and why you do it. Hit any system with a sustained attack from 1,000,000 bots and it goes down. End of story. This is not an argument about complexity impacting security.
There is a difference between DoS created by flooding or by exploiting some vuln... You could reduce the impact of some DDoS attacks, not 100% effective. But when the DoS comes from a software vulnerability, this is unacceptable in security matters... or not?
Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd

-----Original Message-----
From: Aarón Mizrachi [mailto:unmanarc () gmail com]
Sent: Wednesday, 27 May 2009 9:32 AM
To: craig.wright () information-defense com
Cc: security-basics () securityfocus com; 'Stephen Mullins'; dan.crowley () gmail com
Subject: Re: Security vs. Simplicity

On Tuesday 26 May 2009 18:08:58 Craig S. Wright wrote:

"The answer of this question is: There is a delicate balance."

There is a point solution that makes a balance. Security is a dynamical (spelt correctly) system. Although point equilibria exist, they do not exist in time. Nodal minima do exist - sometimes for long periods of time, but these require tuning and updates.

"blackboxes are prone to be vulnerable"

Not necessarily. There are many B2 and higher (on the old rainbow table US classification scheme) systems that can operate as a black box. These can be fit for purpose designed systems. For instance, you can even create a secure software based system using vulnerability prone software.

I created a proof of concept system that was a secure black box a number of years back. You have a CD boot into memory and a system that scans the memory processes that is separate to the first. Any changes result in a memory reload. It can be costly (the issue) to implement, but it is also very secure (as long as you do not need changes as it was not dynamic).

- Your scanner could be vulnerable
- If you need to change the hardware, your scanner could be vulnerable against unexpected new processor functions.
- On a blackbox you never know what the program needs...
- If you reload the memory, it could lead to resetting and Denial Of Service...

Many systems are blackboxes, this is not the sole cause of security issues. In addition, open source also has just as many flaws.

I disagree. I'm not pointing that blackboxes are the sole cause of security issues.
but blackbox are vulnerable in time since:
- When you modify their environment, you don't know what is the behavior of such device/system...
- Every software/library/something could have discovered vulns across the time.
- Every product has a lifetime, if you don't know the exact behavior, it cannot be replaced easily, and could lead to Denial Of Service.
- etc.

--------------------

Protecting a blackbox requires the knowledge of how the blackbox works and interacts... then if you can protect a blackbox, this is not a blackbox. There are too many proofs that every blackbox has a danger itself....

Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd

-----Original Message-----
From: Aarón Mizrachi [mailto:unmanarc () gmail com]
Sent: Wednesday, 27 May 2009 7:42 AM
To: craig.wright () information-defense com
Cc: security-basics () securityfocus com; 'Stephen Mullins'; dan.crowley () gmail com
Subject: Re: Security vs. Simplicity

On Tuesday 26 May 2009 16:16:01 Craig S. Wright wrote:

Basically, there is a small correlation between the effects of security and simplicity. This is complexity for its own sake will not add and may remove security. Likewise, simplicity for its own sake will not add security.

"With documentation and organization, you can cover the most of your threats."

First documenting a system is an addition of complexity. It also matters how well it is done. Next there is the issue of compliance vs security. They are not the same thing. Documenting a system does not secure it.

Agree, document does not secure it. The meaning of my point is... without documentation, the system is prone to be a blackbox, and blackboxes are prone to be vulnerable.

"If you install any device, you must consider the maintenance of this device, you must consider the end of life of this product, you must consider the probability that this product itself gets vulnerable without your knowledge."
This is true, but it is not an argument against simplicity or complexity. For the most part, the functions of simplify and security are perpendicularly polar. This is, although there is a feedback effect one aligns with a proverbial X and the other a proverbial Y axis.

The real issue also comes to a definitional framework. I speak of simplicity in a Chaos/Complexity theory framework.

Simplicity adds to security in human system interactions. Complex systems (in general) are more prone to catastrophic failure. That is they are more brittle. To understand this, you need to think how a brittle material fails. High carbon steel structures can be remarkable strong, but if they exceed their threshold only once, they shatter. Low carbon steel will bend at a lower threshold, but can be reformed. If the strength of a brittle material is sufficiently high, it does not matter that it can fail catastrophically, as the conditions will never be met.

As in materials science, some of the most robust systems as hybrid composites. This is a combination of systems. This in itself is a form of complexity, but in the sense that simple and complex systems are enmeshed.

The same applies to information systems. Brittle but strong systems can survive extremely well as long as they are sufficiently resilient to have a capacity to withstand any attack.

Computer is simple analogy. "It is very simply designed. I dare you to find a vulnerability in my computer."

Easy Bios. I could keep on. Software help defend flaws in the design of systems. We have not even started on OP Code attacks against the processor. The proverbial "block" as a PC if as flawed as the computer itself.

The flaw here is in software. Although we pose an NP Infeasibility issue, software validation can be great use. It also poses a cost. A verified system (such as in the old rainbow A tables) can be extremely resilient. The cost of such a system is however extraordinarily high. All software is complex by nature.
So the issue is not of pure simplicity. Even in the face of open source code, software is not evaluated.

It requires a level of complexity to account for the failings in software. Malcode, bugs, vulnerabilities etc all account for the major flaw in any system design. To account for this correctly requires the introduction of multiple systems. This reduces simplicity through introduced complexity, yet adds to systematic security.

An example is given through an introduction of dual layers of firewall technologies with separate vendors such that neither ever suffers the same software flaw (and all firewalls have had compromises). Another example is the use of multiple anti-virus engines (such as a email gateway with one product and a separate engine on the email server and data store).

To contrast this, this increase in security from multiple systems is impacted through the addition of additional human factors. More systems and complexity make it more difficult for a single individual to run a security system (e.g. firewalls or AV) as they require knowledge in multiple platforms and thus spend less time on either platform. This can also lead to an introduction of more people. Two specialists can be used (1 for each vendor). This allows the individual to specialise in a particular area again, but also takes interaction with the other person (which was previously achieved by one individual). The requirement to act in concert adds stress points to the security solution making it more brittle.

This can be tempered. Training and drilling staff leads to a team approach where the effect is in an individual team rather than a group mindset. This tempering adds to security. This may (and generally does if you exclude the cost of failure) increase costs (esp. As contingency costs are not attributed to project costs). Training in itself is a source of complexity in its development.

The paradox is that this addition of complexity can create a simpler and more robust system.

Agree. And..
this could be expressed as an equation, adding more entropy leads to a failure. Adding more security systems helps you to avoid some threats. Entropy could lead the failure probability to grow exponentially.

The answer of this question is: There is a delicate balance.

------------------------

Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd (http://www.information-defense.com)

-----Original Message-----
From: Aarón Mizrachi [mailto:unmanarc () gmail com]
Sent: Wednesday, 27 May 2009 4:28 AM
To: security-basics () securityfocus com; craig.wright () information-defense com
Cc: 'Stephen Mullins'; dan.crowley () gmail com
Subject: Re: Security vs. Simplicity

On Monday 25 May 2009 16:44:43 Craig S. Wright wrote:

Sites such as Facebook suffer not from complexity, but rather from the model used in their creation. These Web 2.0 Agile based code structures (commonly Ruby based frameworks) are most often derived from a Test After or "Tad too late" model. The Model, View Controller framework used in Ruby is a good framework, but it also simplifies the coding process such that less experienced coders are used - those without the necessary security coding skills.

Your "simple" network is in fact far more complex than many larger systems. In your example, you have touted an Integrated Firewall. Far from simplifying the issue, a single host with all in one features is extremely complex. Far more so than 6 individual system (IPS/IDS/Firewall/AV/Logging/Router) based networks. The integration of functions on a single host increases the attack footprint and likelihood of error.

I completely agree. There is a balance... There is a right way to secure. When I said organization and documentation are simplicity, I'm trying to expose the real fact of this topic.
Is like an equation, if you add some extra device to improve your security, you must measure and accept the possibility that this mechanism is itself vulnerable. Also, you must measure and accept the management time consumption of this device, that is subtracted from other important tasks. Tasks like:
- Patching
- User Management
- System check
- Log check
- And productivity

With documentation and organization, you can cover the most of your threats.

----------------------------------

A couple years ago, one company, trying to be secure, bought a security hardening service that includes a SNORT IDS, vlan delimitation, firewall policies, antivirus, and computers security hardening.

Looking over, you must say: it's a fine thing. This company is really secure.

But this company failed... the last year it didn't pass the ethical pentest. Without documentation, no one was doing maintenance, the company considered the IDS a working blackbox defending you.... And a time ago, snort gets vulnerable ( CVE-2006-5276 ), and the pentester gained access from remote.

Well, I'm not saying: let's uninstall all the IDS's, no... I'm trying to say that everything must be documented, must be planned...

If you install any device, you must consider the maintenance of this device, you must consider the end of life of this product, you must consider the probability that this product itself gets vulnerable without your knowledge.

Considering that, you will be able to secure a network. You can cover a lot of vulnerabilities planning with simple security strategies... But putting devices over devices only makes things worse....

Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd
-- Ing. Aaron G. Mizrachi P. http://www.unmanarc.com Mobil 1: + 58 416-6143543 Mobil 2: + 58 424-2412503 BBPIN: 0x 247066C1