Information Security News mailing list archives

Re: Security myths costing firms


From: InfoSec News <isn () c4i org>
Date: Wed, 8 May 2002 01:10:17 -0500 (CDT)

Forwarded from: rferrell () texas net

A better approach was to employ "synergistic security", which hinged
on the concept of redundancy in security controls, Dr Tippett said.

An even better and more effective approach is to stop relying solely
on patches, IDS, firewalls, and other software to protect your
networks.  Human beings with training and experience must be sitting
there watching these tools work, and reading the logs they produce.  

Relying on software (and hardware, for that matter) to keep your
enterprise safe is like slapping a motion detector on your front gate
and calling it secure.  If there's no living person watching your
portal, someone circumventing its security is not only possible, it's
more or less inevitable.

Better technologies only accounted for a tenfold improvement in
safety; better education and better practices had multiplied this a
hundredfold.

Better education and practices of systems administrators and users, to
be precise.

At a bare minimum, companies should have either two primary controls
(with greater than 90 per cent effectiveness), or a primary and at
least three synergistic controls for each category of risks.
"Failure of any one control in a scenario like this would still
leave better than 99 per cent effectiveness," Dr Tippett said.

Yeah, great, but don't forget the human element.  The infosec industry
needs to emphasize that people, not computers, are the best defense.  
Without trained professionals analyzing the data collected by an IDS,
for example, it's just not very useful.

Until infosec heuristics begin to approach human levels of
sophistication, the best hardware on the planet is just a fancy
screwdriver.
 
'Encryption over the internet is important.' 

But Dr Tippett said the increasing speed and complexity of networks
meant it was almost impossible to inspect traffic for a single
message.

Way too general.  Encryption of what?  If you're in a high risk
business or just paranoid about your personal privacy, encryption is
quite important.  This statement only seems to cover email encryption.

The major uses of encryption on the public Internet are SSL, SSH, and
VPNs, however, which encrypt all traffic. If you want to send your
SSN, credit card numbers, and proprietary data in plaintext, be my
guest. This sort of cavalier attitude is what makes online identity
theft so easy.
 
'More obscure end-user passwords are advisable.'

There was no measurable benefit, he said.

Sorry, my BS detection meter just went off.  I hope this statement is
simply taken out of context.  A quick look at the number of
intrusions, especially of Microsoft-based systems, which began with a
cracker brute-forcing a user password will quickly dispel any notion
that password construction has no 'measurable benefit' on security.

There are a lot of password-cracking programs out there, and the
reason people have devoted so much effort to their creation is that
cracking passwords is one of the easiest and surest ways into a
system. Once you're in, privilege elevation attacks are usually fairly
straightforward.
 
Dr Tippett said daily updates were only 1 or 2 per cent better than
weekly updates.

I agree with this.  If antivirus companies would stop relying on
pattern-matching and start incorporating more heuristics-based
detection, however, the need for regular updates would disappear.

Vulnerabilities have to be quantified in terms of the probability of
a threat succeeding. In many cases, a threat would not be worth
worrying about.

True.  But who's going to look at every vulnerability that is
announced and evaluate it in terms of its probability of exploitation
on a given system? That requires a trained and dedicated analyst.  A
human being.  See above.

Just get firewalls up to 90 per cent effectiveness and ensure
default router rules are not overridden, Dr Tippett advises.

Well, at least change default passwords and community strings.
 
"It's about concentrating on essential practices, rather than best
practice," Dr Tippett said.

And the essence of information security is the human element driving it.

RGF

Robert G. Ferrell
rferrell () texas net
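The quoted rule of thumb (two primary controls above 90 per cent effectiveness, or a primary plus three synergistic controls, with the failure of any single control still leaving better than 99 per cent) can be checked with a little arithmetic. The Python script below is an added example, not part of the original message or of Dr Tippett's work. It assumes that controls fail independently, so an attack gets through only if every remaining control misses it; that independence assumption is a modelling choice the article does not state, and the 80 per cent figure used for the synergistic controls is a constructed sample value.

```python
"""Residual-risk arithmetic for layered ("synergistic") security controls.

Modelling assumption (made for this example, not stated in the article):
each control independently stops a given attack with probability equal to
its stated effectiveness, so an attack succeeds only if every control in
the layer misses it.
"""
from itertools import combinations
from math import prod


def combined_effectiveness(effectivenesses):
    """Fraction of attacks stopped by at least one of the given controls."""
    if not effectivenesses:
        return 0.0
    miss_all = prod(1.0 - e for e in effectivenesses)
    return 1.0 - miss_all


def worst_case_after_one_failure(effectivenesses):
    """Lowest combined effectiveness if any single control fails outright.

    This is the number the quoted rule cares about: what is left when one
    layer (patch missed, firewall misconfigured, IDS unattended) stops working.
    """
    if len(effectivenesses) < 2:
        return 0.0
    n = len(effectivenesses)
    return min(
        combined_effectiveness(list(rest))
        for rest in combinations(effectivenesses, n - 1)
    )


def minimum_synergistic_effectiveness(primary, n_synergistic, target=0.99):
    """Smallest per-control effectiveness for n_synergistic equal controls
    beside one primary control such that losing any single control still
    leaves combined effectiveness >= target.

    The worst-case figure rises monotonically with the per-control value,
    so a binary search on [0, 1] finds the threshold.
    """
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2.0
        controls = [primary] + [mid] * n_synergistic
        if worst_case_after_one_failure(controls) >= target:
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    # Scenario 1 from the article: two primary controls, each 90 per cent.
    two_primaries = [0.90, 0.90]
    print("two primaries, all working:  %.4f" % combined_effectiveness(two_primaries))
    print("two primaries, one failed:   %.4f" % worst_case_after_one_failure(two_primaries))

    # Scenario 2: one 90 per cent primary plus three synergistic controls.
    # 0.80 is a constructed sample value; the article gives no figure.
    layered = [0.90, 0.80, 0.80, 0.80]
    print("layered, all working:        %.4f" % combined_effectiveness(layered))
    print("layered, worst single loss:  %.4f" % worst_case_after_one_failure(layered))

    # How good do the three synergistic controls have to be for the
    # "any one can fail and we still beat 99 per cent" claim to hold?
    print("min synergistic effectiveness for 99%% after one loss: %.4f"
          % minimum_synergistic_effectiveness(0.90, 3))
```

The interesting output is the last line: with a 90 per cent primary control, the three supporting controls each need to be a little under 80 per cent effective before the claim survives the primary control failing, which is the case that dominates. Swapping in your own estimated effectiveness figures for a real control set is the point of the exercise, and the independence assumption is the thing to argue about when two of those controls share a failure mode (the same unread log, the same unpatched host).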


