[Dailydave] Semi-anonymized moderation.

Security security at brvenik.com
Mon Jan 28 17:14:57 EST 2008


There will always be the naysayers who believe that because you
cannot achieve perfection you should not even try.

inline....

On Jan 28, 2008 9:39 AM, Dave Aitel <dave at immunityinc.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Post from Mark Loveless who is subscribed from a diff email and hit
> "reply all". My moderation gui drops anything from anyone not
> subscribed, so I'm "moderating" this manually.
>
> - -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> >> Dave my man.  I agree that security is an arm's race for
> >> signature based products.  Though should we throw out the baby
> >> with the dirty water?  Is no firewall, VLANs, route filtering,
> >> IDS, AV, central management/logging, etc better than a lame one?
> >> And besides perhaps some witty vendor will come up with a new
> >> solution.   :)
>
> I'll bite. I'd say as a person who has worked on multiple security
> products, it is a losing battle. The network is simply hostile. Forget
> the firewalls with holes in them to allow users to send/receive email,
> web traffic, IM, plus "trusted" vendors, suppliers, contractors,
> overseas divisions, and an increasing mobile workforce -- there are
> simple rules of physics to contend with here, and as a result the
> network on both sides of the firewall is hostile.

Perfection is attained slowly and requires time. Historically it used
to be that any kid with a brain and a minute could have their way with
your computers. This is no longer the case and it is far less trivial
to do so without being caught. The vast majority of threats have also
failed to reach perfection; the imperfect ones are eliminated from the
landscape well before they can achieve a level of enlightenment
representing a true threat. Naysayers would let perfection be the
enemy of good.

>
> If every exploit set the evil bit, we'd just look for that one thing.
> However any signature-based system has to look at all possible attacks.
> Now for even ASIC-based systems, you run out of memory real quick. This
> is the physics thing I mentioned earlier. Most IDS/IPS vendors have a
> ceiling limit on about 1800-2000 signatures that can be active at once.
> NO vendor ships with all 5k-10k signatures turned on. The machine would
> drop packets and grind to a halt. Therefore what signatures do you pick?
> Only the ones that affect your user base? What about home users coming
> in via VPN (doubly bad, you may not support the platform AND the
> communication is encrypted)? Do you think anti-virus companies have it
> any better?
>
> What about anomaly-based host systems? Arguably better, however there
> are two factors that prevent massive deployment:
>
> 1) You now have to run low-level code on all your systems. Aside from
> the technical issues that this may cause, your CxO types may have gotten
> burned when the last time code was loaded on every system, it didn't
> prevent some massive infection. Additionally, the Gartners of the world
> are quick to point out that the upper right quadrant is filled with
> signature-based companies anyway, so any consultants/sales people
> wanting to make a sale have to explain away that upper quadrant in that
> goofy chart. Hybrid systems that use sigs for the low-hanging fruit and
> anomaly detection for the hard stuff might creep into the upper right
> quad (hopefully you know what I mean by Gartner's upper right quad,
> google it if you don't know).
>
> 2) It is cheaper to deploy technology at the "choke points" instead of
> everywhere, and A/V is about all you can expect to get on the desktop
> nowadays. Besides the auditors of the world will tell your organization
> that due diligence is having that A/V there, on the Exchange server, and
> the fact you have a firewall pretty much has you covered from an audit
> standpoint.

Is it better to raise the bar so that the threat you likely face is
unlikely to do something that gets them caught and as a result never
causes you significant pain?

What is spending a few million, slightly trimming a 500 Billion
balance sheet, compared to simply letting the thief take 5 Billion
from the safe?

It is all about $ isn't it?

>
> My solution would be to lock down the desktops and servers via
> hardening, run email and web browsers in sandboxes, and replace the
> firewalls with router ACLs that simply take large swipes at the traffic
> to help create a division from the outside world. Firewalls are simply
> glorified routers at this point anyway, as most are configured to allow
> certain types of traffic right in through the front door.

Let's not confuse poor implementation with capability. If you think
that an approach like this will be effective I say get to it! You will
find that the problem is not that simply solved and you just end up
shifting the point of entry. Changing any element without considering
the motivating and demotivating factors is nothing more than choosing
to do nothing in a very complicated way and will be equally
ineffective.

>
> I used to quote Frank Zappa's comments on modern jazz as "jazz isn't
> death, it just smells funny" in presentations, saying the same thing
> about perimeter security. Around 2002 or so I simply started saying
> perimeter security is just dead. I had a very serious discussion about
> this very topic with Bill Cheswick around the same time, with both of us
> threatening to write a paper or article on the topic.
>
> Every time I hear the argument that some level of security, even lame
> security, is better than NO security, I think about my Zappa
> paraphrasing. In my opinion, lame security is WORSE than no security,
> simply because most of the people involved (think CxO/pointy-haired boss
> types) live with a sense that they are being protected, when in fact
> they are not. The ones with no protection are not living a lie -- they
> are at least AWARE they really have no security.

In the US we often kill the killers and knowing this they STILL seem
to kill! Some even get away with it! Should we simply accept that
there are a few people that can kill with such skill that they will go
uncaught? Should we not even try to catch killers because they _might_
be that one? Should we not try to catch criminals because they might
also be that _one_ killer? Simply because there is a superior threat
lurking out there does not mean we should not remove the known threats
or that we should invite them into our house.

IT Security is not a place where we must have perfection in order to
have better security; we can easily remove the majority of the
criminals from the IT gene pool by taking some simple steps. We should
not invite all threats into our house because there are a few skilled
ones. We should treat them as the threats they are and force them into
a situation where they are forced to find a new path, and get caught
in the process.

Raising the bar and the cost to model and attack effectively balances
the equation for the majority of the world. The solution is not
perfect and it still cannot prevent you from losing 7 Billion, but it
did save you countless billions by preventing other issues. It is
trivial to state that anything modeled and systematically attacked
will be defeated. It is an entirely different case to actually do it.

This discussion seems to happen quarterly. I think it is because Dave
fancies himself an infallible threat, gloats about it, and people
grant him that license because he and his team are good. It does not
make him or any other infallible; they will screw up and get caught;
they are not perfect. I doubt seriously that Dave or any other team
enters all engagements where they are faced with an equally skilled
defender and gets away uncaught. If they were actually in the position
of being a criminal they would already be in jail.

>
> Mark
> - -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (MingW32)
>
> iD8DBQFHlnf7cWrXS8hLmpIRAlV3AJ4xm+t46kKtUaFZ3zbVB9VmEUIPqwCfcNgi
> yEHFuPRkLlrQEI90G/h3RQg=
> =DhdV
> - -----END PGP SIGNATURE-----
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFHnekTB8JNm+PA+iURAgnLAJ9/MYp/eoneY4TwIr50XRIlAZBgCgCgj8ME
> 48wF+iNSfnb0rOEBiF/eSpk=
> =d2Lw
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>