Re: Risk measurements

["Thor (Hammer of God)" <Thor () hammerofgod com>]

> Well, yeah. I suppose it's *possible* that your system's weak password
> system will allow a hacker to get in, and from your system hack into
> the LHC and control it to spawn a black hole that eats the Earth.  And
> even that is still a finite, not "infinitum".

I'll site the 2009 Verizon Business Data Breach Report:

74% of breaches were external; 67% had some aspect of user error on the victims part as the primary reason for breach - 
things like default passwords and SQL injection (so very sad).  Of those 98% contained SOME level the aforementioned.  
83% were not difficult, and 87% could have been prevented by *simple intermediate controls*.

Those are "real world" figures, and they speak to the real problem - the configuration and deployment of the systems in 
the real world as they stand, and NOT 0days, or l337 hacks.  
 
> It's also pretty fucking unlikely.  Most of the time, the analysis
> sticks to reasonably predictable outcomes - the cost of a critical
> server being down for X number of days, the cost of
> penalties/fines/lawsuits if there's an exposure, the cost of bad PR,
> etc.  At some point, you have to forget about the movie-plot scenarios
> and restrict yourself to the shit that actually happens in real life.
> If a given result hasn't been reported in the trade press in the last 5
> years, you can probably not worry about it.

I totally agree with the "real life" aspect of this.  Understand that I'm NOT against risk modeling - the whole thing 
is a model up until the point that something happens.  I assert that you can't take a generic solution and plug it into 
some formula to get a "risk number" on the other side - well, specifically, you can DO that, but the number won't 
matter insofar as any system in particular is concerned.  More on that in a sec. 

> Why do people understand how buying insurance works, but have trouble
> understanding that security is the same sort of trade-offs?  In both
> cases, it's the same sort of risk modeling and analysis.

Because insurance applies to them PERSONALLY.  Insurance protects me.  I understand that.  I also understand that 
insurance companies make money because they get paid a lot to protect other people that never need a payout.  But I 
don't care about that, nor do I need to understand exactly HOW the insurance company makes money - I care about it when 
it happens to ME, and know that I am personally protected by it.

I think a better analogy here is not the insurance industry, but rather, Vegas.  Before I go there, I'll stipulate 
again that one cannot use a formula to determine any real value of a *particular* system being compromised - not one 
that can be applied to any other system, that is.  In other words, the same formula cannot be used against two 
different systems and have valuable results in both cases.  Now, that does not mean that you can't look at all systems 
together and maybe determine some overall level of exploitation (as is just NOW being suggested by others in the new 
title of this thread).  I KNOW you can do that, but it doesn't "solve" anything.  Vegas knows that they will win some, 
and that they will lose some.  They also know that statistically, they will win more than not.  Over time, this adds up 
as hard cash.  However, the model won't determine the outcome of any particular game or hand, nor more importantly, the 
affect the loses have upon the losers. Nor does a On
 e Size Fits All risk model of compromise.  I have no doubt that after Dr. Wright ciphers up this model, that it will 
be purchased by someone.  If he does it "right" then there won't be any provable outcome one way or the other and the 
sale can be defended.  It's a great marketing idea, and people with big bucks will buy it.  But it won't solve anything 
at all in the "real world."  Alien abduction insurance SELLS.  It really does.  But that doesn't mean it has any value. 
 

The thing is, large companies already know this.  And they don't care other than how it affects the bottom line.  
Having a probability model to tell them something they already know won't matter.  Systems will be breached, people 
will be fired, and others hired to replace them, and lots of "busy" work will be done.  So I guess it all depends on 
what the GOAL of such a system is.  To me, I want to keep my job.  I'll do that by having systems and procedures in 
place that prove I can maintain a system without it getting breached.  I want YOU to have a job, so that you can buy 
the beer when we sit down together at a conference and shoot the shit.  Pretty models don't let us keep our job.  They 
are great to look at and fun to burn hours on, particularly when we're getting paid, but there is no real payoff other 
than the process of doing it.  When I was a kid, I built a model of an F-4 Phantom.  It was gorgeous. The paint job was 
beautiful, the gear worked, the cockpit opened, and 
 the pilot even came out to inspect the plane before my cat ate him.  Anyone who knew anything about fighter aircraft 
could look at it and immediately know it was a F-4 Phantom, and a damn beautiful one at that.  People would have paid 
money for it, I bet.  Did it fly?  Nope.

t















_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/