Security: The Window of Exposure
Bruce Schneier has written an interesting analysis of dealing with security on the Internet as a business issue, and what that means in how we deal with it, in a company setting. It's a well-written piece, and quite useful for those of us out there in the corporate world.
It's interesting to read some of the things Schneier wrote some years ago and what he's writing now. In Applied Cryptography, he seemed to argue that widespread and careful adoption of good crypto would lead to better security.
Now the point seems to be that system security is simply too complicated--too many issues, too many variables. And that system is secure.
Despite this sentiment, however, OpenBSD seems to be doing quite well....
And just a reminder--Less than a week before the RSA patent expires.
--
Lagos
Okay, so you can't be 100% safe. I guess most of us already knew that.
So, it becomes more important to know when you have been cracked (you will anyway, eventually) than to prevent it.
It looks like the future for products like Tripwire (detects system file changes and the like), Portsentry (portscan detection) and other 'security break awareness' products is bright.
Then, if you really want to be aware, directly send the important syslog messages (like people becoming root, portscanning detected, etc.) to an old unused matrix printer. Works great, since it is possible to erase your log files (once you're root), but it's *real* hard to mess up logs that are on paper (without physical access to the site, that is)!
Every expression is true, for a given value of 'true'
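One way to implement the filter this comment describes, as an added example (not the poster's own code): pick out the security-relevant syslog lines and hand only those to an append-only sink such as a line printer. The log formats and the `/dev/lp0` device path are assumptions, and the sample lines are constructed.

```python
import re
from typing import Iterable, List

# Patterns for the events the comment names: someone becoming root, and a
# portscan being detected.  Message formats are assumed for this example.
ALERT_PATTERNS = [
    re.compile(r"\bsu\b.*\(to root\)"),                 # su to root
    re.compile(r"\bsudo\b.*COMMAND="),                   # sudo running a command
    re.compile(r"Accepted (password|publickey) for root"),  # sshd root login
    re.compile(r"attackalert:", re.IGNORECASE),         # PortSentry-style scan alert
]


def select_alerts(lines: Iterable[str]) -> List[str]:
    """Return only the lines worth putting on paper."""
    return [ln.rstrip("\n") for ln in lines
            if any(p.search(ln) for p in ALERT_PATTERNS)]


def format_for_paper(alerts: List[str]) -> str:
    """Number each alert so a missing line on the printout is noticeable."""
    return "".join(f"{i:04d} {ln}\n" for i, ln in enumerate(alerts, start=1))


def print_to_paper(text: str, device: str = "/dev/lp0") -> int:
    """Append to the printer device; nothing already printed can be rewritten."""
    with open(device, "a") as out:
        out.write(text)
    return len(text)


# Constructed sample log lines (hypothetical hosts and addresses).
SAMPLE_LOG = [
    "Sep 14 10:01:02 host su: (to root) alice on /dev/pts/1",
    "Sep 14 10:01:05 host cron[123]: (root) CMD (run-parts /etc/cron.hourly)",
    "Sep 14 10:02:11 host portsentry[456]: attackalert: Connect from host: "
    "192.0.2.10/192.0.2.10 to TCP port: 23",
    "Sep 14 10:03:00 host sshd[789]: Accepted password for bob from 192.0.2.20 port 40122 ssh2",
    "Sep 14 10:03:30 host sshd[790]: Accepted publickey for root from 192.0.2.21 port 40123 ssh2",
    "Sep 14 10:04:00 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; "
    "USER=root ; COMMAND=/bin/cat /etc/shadow",
]

if __name__ == "__main__":
    # Print the filtered alerts to stdout instead of a real printer device.
    print(format_for_paper(select_alerts(SAMPLE_LOG)), end="")
```

In practice the lines would come from a syslog pipe rather than a list, but the selection logic is the same.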
Schneier's conclusion is absolutely correct. The only safe system is powered down and disconnected, but then it is useless. Security is the process of managing the tradeoffs between risk and use.
Personally, I believe that any business which doesn't implement security deserves everything it gets.
I worked for a company for almost a year which was in the business of website hosting/design. As I was fairly close to the servers, I knew that we were getting regularly port-scanned, our NetBios was wide open and had had a number of attempts to break in [obviously script-kiddies, since it wouldn't have been particularly hard, yet to my knowledge they never got anywhere!]
The boss was fully aware of these problems - and yet consistently refused to accept that at a very minimum we needed a firewall - even when we finally got it into his head that this was a necessity he allowed so little time for our linux guru to work on it that it was still not operational when I finally resigned.
This is the sort of attitude that seems to be prevalent in industry - the people in charge just do not seem to understand that basic security is a must. Had anyone penetrated the system, they could easily have put this company out of business - and I'm sure this is also the case for many others!
Unless businesses wake up, they will find themselves digging their own graves - and all for want of devoting a little time to something which, with all the media hype, is staring them in the face.
-Tom
Bruce Schneier seems like a pretty conscientious guy in print. But this article just reads like a detailed ad for Counterpane's services.
In connection with his new book (which I haven't read yet, because I'm still trying to find a good consultant to find me a morally upstanding bookseller), I wonder how much of his attitude is a necessary contingency of running a security business, or if that's why he started counterpane in the first place. I don't find fault with his presentation of facts, more with the sense of hopelessness he has conveyed in recent writing (I'm going mostly by articles, excerpts, and his crypto-gram newsletter).
This article is pure fluff. There's no detail of how his new Managed Security Monitoring works, how it "closes the window" when all others simply "narrow" it; he's just trying to sell his product. I thought most competent sysadmins monitored their security? His house insurance metaphor is invalid. It's one thing to insure against the risk of burglary, knowing that you can use the insurance money to buy equivalent items. But data is different - there is no equivalent to your own data. A cracker can steal your data and do you damage without your knowledge - since the data is still there. A cracker can distort your data so that your future work will be based on incorrect information. A cracker can use your network as a base for other attacks. For the two situations to be analogous, burglars would have to be in the habit of breaking in and reprogramming your microwave to poison you, or invisibly setting up a base in your attic to launch burglaries on your neighbours. The integrity of data is so much more fragile than that of real-world goods that you simply can't treat it in the same (relatively casual) manner as you can house insurance. Whatever the answer is, this salesman doesn't have it and his sales puff shouldn't have received this free publicity.
Hmmm, and where can I get this wonderful managed security? Why look, Bruce himself sells it! What a happy surprise ...
"Those who would give up essential liberty for temporary safety deserve neither liberty nor safety" - Benjamin Franklin,
I like Cryptogram pretty much, but this last Schneier piece seems like a 'mea culpa' about the failure of his 'math utopia'. I'm still on the full disclosure side. Full disclosure (plus the security 'process', apud Schneier) is the least worst solution. Like democracy, you know?
And, I'm not sure that quoting Lloyd's of London is necessarily the best thing. Lloyd's has had some significant hits from bad insurance policies recently.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
It's not like people don't *know* that there isn't any such thing as an unhackable system, because there isn't. It's like trying to make something idiot-proof. The problem is that somebody out there is going to approach it differently than the person that designed it. Essentially, that's what people that design security systems do. They start with something, and start trying to think of all of the holes they can. But people aren't omniscient and they'll miss things. That's also why a lot of security organizations and government institutions look to the prisons for "reformed" hackers to look over their code and try to break it. But even there, there's always going to be a way through. They can say that a system is more solid because they alarm the systems, but it didn't say anything about how they do it. I mean, what's it supposed to be doing that's any different from any other system when a user enters the system? It seems like this was more of a teaser than a truly informative review.
The Internet, one place where if you're not right, someone else will set you straight... maybe.
Changing the terminology used is vitally important, and articles like these help change the terminology. The use of words like "secure system" misleads the public into thinking that such things exist. Changing the terminology to terms like "takes longer to crack" generates the right thought processes. Systems will be broken. It is merely a matter of how long and how hard people try. This leads to the next important part of the thought process: how to detect break-ins, how to reduce loss during break-ins, etc.
Talking and thinking in these terms has importance far beyond securing your own system. It affects how users think about their participation and actions. It affects how law enforcement thinks about their reactions. It affects how legislators think. Right now they act like there is some sort of magic fairy dust that you sprinkle on your technology and poof --- an impenetrable secure system. The result is devastating losses when (often inadequate) security processes fail.
Actually, this month's episode, which came in the mail this morning, talks about the same windows of exposure.
I can heartily recommend this newsletter to everyone!
Ivo
<grub> Reading
Sounds nice if you stay within the range of companies this article is focused on. But it sure will not do for every organisation out there. Although he stated this himself (For example, it makes no sense to purchase a $10,000 safe to secure a $1000 diamond...) I'm surprised to see this in his final conclusion. For a small business the cost to maintain an M.S.M. system is far more expensive and has much more overhead than a solution based on prevention. Let's take this into 'normal proportions' and try some real life examples...
M.S.M. would take a system to track the entire stuff, a network operator (or more, of course) to monitor the readings and take action once something is happening. Perhaps he can do this besides his normal work but that would reduce the whole effectiveness I guess. Is this effective? Sure, but don't look at the costs of this solution. To put it bluntly; if I wanted something like this I'd go broke very soon.
When I compare this to setting up a masquerading proxy & firewall with some "low-end" solution like ipchains (prevention), making regular backups (even more prevention) and finally having some very good insurance it becomes quite clear which is the best solution for SOHOs and up. When an attack is made it sure takes them some time to breach my firewall. If that happens and I lose data I have backups, and when they fail (unlikely) I'm still way off from going broke since my immediate costs to reduce the damage are covered as well.
Therefore I think that globally concluding that M.S.M. is the most cost-effective way, by standard, is not true.
My take on this article. Yes, security is a process, not a product. This process is handled by a system administrator that knows what they are doing. There are solutions, I believe, in Virtual Private Networks, Encryption (what good is stolen company data if it takes 60 days to crack it?), self-destructive files; it is all a matter of proper administration. Most businesses will buy the insurance, and forget the security process - "that's what we got insurance for!" will be the new buzzword. Both businesses and users should be responsible for their security. C0VERTl www.covertlinks.cjb.net
"How you live will determine how you will die" www.covertlinks.cjb.net C0VERTl
I believe that secure systems *ARE* possible. And when I say secure systems I mean ABSOLUTELY secure systems. A computer is a finite machine. There are only so many possible states my PC can ever be in. There are even less possibilities for my palmpilot. Granted it boggles the mind to contemplate EVERY possible state of a modern PC -- but the set *IS* finite. I repeat: IS FINITE.
Whether or not it is financially possible to create a 100% secure machine should not be cause to abandon the idea and leap towards compromise. A beautiful example, is of course, OpenBSD -- the pursuit of an absolutely secure system *DOES* result in a more secure system. I'd take OpenBSD out of the box over any commercial UNIX with all the vendors' "window-limiting" products any day!
If your goal is a secure system -- then it is possible (even if unlikely) to create a secure system! If you goal is something else (profit, chrome, popularity, enlightenment, whatever..) then it probably isn't. SO, if YOU are trying to create a secure system don't let someone with another goal get in your way! (accounting firms, authors, vendors, users, managers, whom/whatever)
There is nothing abstract about system security -- and intentionally abstracting it to liability management or limiting window time is a lie -- even though it may be a white one.
Come on! Bruce Schneier is a Good Guy, but this is not analysis -- this is a marketing blurb.
The idea of moving from blocking threats to risk management is an old one and quite recently there was an article on Slashdot about Bruce coming to this conclusion. Not to mention that he published a whole book where he talks in detail about it.
I like Counterpane, but is it really necessary to put every press release of theirs on Slashdot?
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
I worked my way through College as a "Security Consultant." No, this wasn't a computer job, I drove a Locksmith truck.
Security in the real world is seldom measured in absolute terms. Locks, Cryptography, anything a person can put together, by DEFINITION can be taken apart by another person.
We used to say, "Don't put a $100 lock on a $20 door." Most security was not broken by breaking our locks, but by bypassing them. A strong lock on a strong door, next to a window. A back door with flimsy panels. And, when the price was good enough, an axe to completely destroy the door of a liquor warehouse.
Most people had nothing this valuable to steal.
Security only makes things HARDER to circumvent. For "little" secrets, a "little bit" of security is enough. For bigger ones, more security.
Look at history once in a while. Some of the greatest "Security Devices" in the world were the great pyramids in Egypt... hacked.
Security through obscurity? The only tombs from ancient Egypt that were never ransacked were the ones that were never found. Obscurity can be your friend.
Remember that the strongest ciphers and the best locks in the world buy ONLY one thing: time and difficulty from the people that you are protecting against. It's reasonable to use weak cryptography for things that are weak secrets. My credit card information is simply not worth several MIPS-years of cracking. It would be good for ONE moderate purchase, then cancelled.
Strong locks, strong crypto, are both expensive. It is important to fit the worth of the secret to the strength of the lock, then manage when (not if) some breach occurs.
wobbly@angel[nospam]fire.com
---------///----------
All generalizations are false.
--
I like to watch.
Unfortunately, I've never heard of a business actually using this policy. All of them, including banks, brokerages, and the rest, are so greedy that they continue operations even with major vulnerabilities. Worse, they do not tell their customers that the vulnerabilities exist. In fact, they typically have shiny marketingware which extols the security of their systems. Hackers and crackers are the only people aware of the vulnerabilities in the meantime.
In a system that I am building at work, I am including a "scram" function which provides central control for shutting down all network operations. Hopefully the scram, combined with the type of intrusion detection system that Bruce outlines, will help me uphold my responsibility to my customers.
To save a long anecdotal rant, the team, particularly the head of the team, were completely incompetent. Things didn't work, projects ran over budget, and serious holes (open relays) were left in place. Some projects would take weeks to complete, and he would not let them know their own firewall passwords.
The silliest aspect was that he believed that by adding a second NIC to a server, 2 processes could then listen on the same port on that machine, one on each NIC.
He also installed our firewall (previously we relied on a router with really severe port filtering rules in place). FTP from a browser was broken for 6 months, despite promises to fix it, until someone on my team got hold of the firewall password and fixed it himself.
They moved to exploiting another market, leaving a handful of broken installations with no effective support. They now sell web servers, and believe that the best web server product is Lotus Notes! Says it all, really! And they IPOd earlier this year. Not on f*ckedcompany.com yet.
The moral - even so-called security experts can be utterly hopeless.
This article was very interesting since it is one of the very few that argue for reactive management. All the biz buzzwords these days are for proactive management, ie, prevention.
One thing I didn't see in the article is a rational discussion of costs. There are the obvious costs of security (administration) and insecurity (theft and fraud). But there are also much less obvious costs from lost business. These can be several times greater.
Lost business costs can come from both excessive (preventative) security, and from insufficient security. Excessive security is a hassle, and deters customers. Perceived low security might also deter customers if they fear they will lose something valuable (credit card numbers? data).
I think in any business security discussion, ALL these costs must be considered, not just the easy, hard $.
Isn't this the guy who had no hope to offer us?
668: Neighbour of the Beast
Just unplug the box from everything, including the power. Short of physical intrusion, the box is now secure. Anyone who's done any software validation knows that validating a program is bug-free is hard and not guaranteed. Security is akin to a bug. Geez.
I talked with Counterpane about 6 months ago about monitoring service for the company I worked for then. While I will admit that I wasn't very interested at first (we talked with them because the brother of one of our sales reps worked for Counterpane) I was intrigued with the idea of out-sourcing some of the security burden. As anyone who has had the pleasure (pain?) of managing an Internet start up company's network will tell you there is never enough time to do most things 'right', least of all securing the network against intrusion and attack. So the idea of external monitoring was interesting, at least until we actually sat down with the sales reps from Counterpane and asked about pricing...
As I recall, and please remember that it has been a while so my numbers may no longer apply, Counterpane's minimum service offering was $25,000 monthly for one detector box and 24/7 monitoring. I wanted to laugh when I heard that figure. And they were never able to satisfy my requirements for dealing with DoS attacks (the monitoring boxes did not have any type of fail-over access, though they did promise "It's coming in just a few months...").
Until the prices come down I can't see their service being useful for any but the largest and most heavily trafficked Internet e-commerce sites. And even then only as a backup to in-house monitoring efforts.