Security: The Window of Exposure
Bruce Schneier has written an interesting analysis of dealing with security on the Internet as a business issue - and what that means in how we deal with it, in a company setting. It's a well-written piece, and quite useful for those of us out there in the corporate world.
It's interesting to read some of the things Schneier wrote some years ago and what he's writing now. In Applied Cryptography, he seemed to argue that widespread and careful adoption of good crypto would lead to better security.
Now the point seems to be that system security is simply too complicated--too many issues, too many variables. And that no system is secure.
Despite this sentiment, however, OpenBSD seems to be doing quite well....
And just a reminder--less than a week before the RSA patent expires.
--
Lagos
Okay, so you can't be 100% safe. I guess most of us already knew that.
So, it becomes more important to know when you have been cracked (you will anyway, eventually) than to prevent it.
It looks like the future for products like Tripwire (detects system file changes and the like), Portsentry (portscan detection) and other 'security break awareness' products is bright.
Then, if you really want to be aware, directly send the important syslog messages (like people becoming root, portscanning detected, etc.) to an old unused matrix printer. Works great, since it is possible to erase your log files (once you're root), but it's *real* hard to mess up logs that are on paper (without physical access to the site, that is)!
Every expression is true, for a given value of 'true'
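The two ideas in the post above (know when your system files have changed, and keep a change record that a root intruder cannot quietly rewrite) as an added example, not code from any poster in this thread. It assumes nothing beyond the Python standard library; the directory layout, file contents and the simulated intruder edits are all constructed for the demonstration. The paper printer is modelled as a hash chain whose latest hash is copied somewhere the compromised host cannot overwrite.

```python
"""Added example (not from any post in this thread): a small Tripwire-style
file-integrity check plus a hash-chained change log. All paths, file contents
and the 'intruder' edits below are constructed for the demonstration."""
import hashlib
import json
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record hash, size and permission bits for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


class HashChainLog:
    """Append-only log where every entry commits to the previous entry's hash.

    Keeping only the latest hash somewhere the host cannot overwrite (the
    thread's printer, or a separate log host) lets you later prove whether
    the on-disk log was rewritten."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev: str, message: str) -> str:
        return hashlib.sha256((prev + "\n" + message).encode("utf-8")).hexdigest()

    def append(self, message: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"prev": prev, "msg": message, "hash": self._digest(prev, message)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self, trusted_last_hash: str) -> bool:
        """Recompute the chain; any edited, dropped or reordered entry breaks it."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["msg"]):
                return False
            prev = e["hash"]
        return prev == trusted_last_hash


def demo() -> dict:
    """Constructed scenario: baseline, an intruder edits files, detection, log tampering."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"original login binary")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)

        # Simulated intrusion: a trojaned login and a dropped extra file.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"original login binary + backdoor")
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"unexpected file")

        diff = compare(baseline, build_baseline(root))

    log = HashChainLog()
    log.append("baseline taken")
    offsite = log.append(json.dumps(diff, sort_keys=True))  # this hash goes off-host
    clean_ok = log.verify(offsite)

    # An intruder with root rewrites the log entry to hide the change.
    log.entries[1]["msg"] = json.dumps({"added": [], "removed": [], "modified": []})
    tampered_detected = not log.verify(offsite)
    return {"diff": diff, "clean_log_ok": clean_ok, "tampering_detected": tampered_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline itself has to be stored off the monitored host (or on read-only media) for the same reason as the log: an intruder who can rewrite `/bin/login` can also rewrite a baseline kept beside it. The chain only proves tampering if the last hash was copied somewhere root on that machine cannot reach, which is exactly what the printer achieves in the post.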
Schneier's conclusion is absolutely correct. The only safe system is powered down and disconnected, but then it is useless. Security is the process of managing the tradeoffs between risk and use.
Personally, I believe that any business which doesn't implement security deserves everything it gets.
I worked for a company for almost a year which was in the business of website hosting/design. As I was fairly close to the servers, I knew that we were getting regularly port-scanned, our NetBIOS was wide open and we had had a number of attempts to break in [obviously script-kiddies, since it wouldn't have been particularly hard, yet to my knowledge they never got anywhere!]
The boss was fully aware of these problems - and yet consistently refused to accept that at a very minimum we needed a firewall - even when we finally got it into his head that this was a necessity, he allowed so little time for our Linux guru to work on it that it was still not operational when I finally resigned.
This is the sort of attitude that seems to be prevalent in industry - the people in charge just do not seem to understand that basic security is a must. Had anyone penetrated the system, they could easily have put this company out of business - and I'm sure this is also the case for many others!
Unless businesses wake up, they will find themselves digging their own graves - and all for want of devoting a little time to something which, with all the media hype, is staring them in the face.
-Tom
Bruce Schneier seems like a pretty conscientious guy in print. But this article just reads like a detailed ad for Counterpane's services.
In connection with his new book (which I haven't read yet, because I'm still trying to find a good consultant to find me a morally upstanding bookseller), I wonder how much of his attitude is a necessary contingency of running a security business, or if that's why he started Counterpane in the first place. I don't find fault with his presentation of facts, more with the sense of hopelessness he has conveyed in recent writing (I'm going mostly by articles, excerpts, and his Crypto-Gram newsletter).
This article is pure fluff. There's no detail of how his new Managed Security Monitoring works, how it "closes the window" when all others simply "narrow" it; he's just trying to sell his product. I thought most competent sysadmins monitored their security? His house insurance metaphor is invalid. It's one thing to insure against the risk of burglary, knowing that you can use the insurance money to buy equivalent items. But data is different - there is no equivalent to your own data. A cracker can steal your data and do you damage without your knowledge - since the data is still there. A cracker can distort your data so that your future work will be based on incorrect information. A cracker can use your network as a base for other attacks. For the two situations to be analogous, burglars would have to be in the habit of breaking in and reprogramming your microwave to poison you, or invisibly setting up a base in your attic to launch burglaries on your neighbours. The integrity of data is so much more fragile than that of real-world goods that you simply can't treat it in the same (relatively casual) manner as you can house insurance. Whatever the answer is, this salesman doesn't have it and his sales puff shouldn't have received this free publicity.
Hmmm, and where can I get this wonderful managed security? Why look, Bruce himself sells it! What a happy surprise ...
"Those who would give up essential liberty for temporary safety deserve neither liberty nor safety" - Benjamin Franklin
Changing the terminology used is vitally important, and articles like these help change the terminology. The use of words like "secure system" misleads the public into thinking that such things exist. Changing the terminology to terms like "takes longer to crack" generates the right thought processes. Systems will be broken. It is merely a matter of how long and how hard people try. This leads to the next important part of the thought process: how to detect breakins, how to reduce loss during breakins, etc.
Talking and thinking in these terms has importance far beyond securing your own system. It affects how users think about their participation and actions. It affects how law enforcement thinks about their reactions. It affects how legislators think. Right now they act like there is some sort of magic fairy dust that you sprinkle on your technology and poof --- an impenetrable secure system. The result is devastating losses when (often inadequate) security processes fail.
Actually, this month's episode, which came in the mail this morning, talks about the same windows of exposure.
I can heartily recommend this newsletter to everyone!
Ivo
<grub> Reading
Sounds nice if you stay within the range of companies this article is focused on. But it sure will not do for every organisation out there. Although he stated this himself (for example, it makes no sense to purchase a $10,000 safe to secure a $1000 diamond...), I'm surprised to see this in his final conclusion. For a small business the cost to maintain an M.S.M. system is far more expensive and has much more overhead than a solution based on prevention. Let's take this into 'normal proportions' and try some real life examples...
M.S.M. would take a system to track the entire stuff, a network operator (or more, of course) to monitor the readings and take action once something is happening. Perhaps he can do this besides his normal work but that would reduce the whole effectiveness, I guess. Is this effective? Sure, but don't look at the costs of this solution. To put it bluntly: if I wanted something like this I'd go broke very soon.
When I compare this to setting up a masquerading proxy & firewall with some "low-end" solution like ipchains (prevention), making regular backups (even more prevention) and finally having some very good insurance, it becomes quite clear which is the best solution for SOHOs and up. When an attack is made it sure took 'em some time to breach my firewall. If that happens and I lose data I've got backups, and when they fail (unlikely) I'm still way off from going broke since my immediate costs to reduce the damage are covered as well.
Therefore I think that globally concluding that M.S.M. is the most cost-effective way, by standard, is not true.
I believe that secure systems *ARE* possible. And when I say secure systems I mean ABSOLUTELY secure systems. A computer is a finite machine. There are only so many possible states my PC can ever be in. There are even fewer possibilities for my PalmPilot. Granted, it boggles the mind to contemplate EVERY possible state of a modern PC -- but the set *IS* finite. I repeat: IS FINITE.
Whether or not it is financially possible to create a 100% secure machine should not be cause to abandon the idea and leap towards compromise. A beautiful example, is of course, OpenBSD -- the pursuit of an absolutely secure system *DOES* result in a more secure system. I'd take OpenBSD out of the box over any commercial UNIX with all the vendors' "window-limiting" products any day!
If your goal is a secure system -- then it is possible (even if unlikely) to create a secure system! If your goal is something else (profit, chrome, popularity, enlightenment, whatever..) then it probably isn't. SO, if YOU are trying to create a secure system don't let someone with another goal get in your way! (accounting firms, authors, vendors, users, managers, whom/whatever)
There is nothing abstract about system security -- and intentionally abstracting it to liability management or limiting window time is a lie -- even though it may be a white one.
Unfortunately, I've never heard of a business actually using this policy. All of them, including banks, brokerages, and the rest, are so greedy that they continue operations even with major vulnerabilities. Worse, they do not tell their customers that the vulnerabilities exist. In fact, they typically have shiny marketingware which extols the security of their systems. Hackers and crackers are the only people aware of the vulnerabilities in the meantime.
In a system that I am building at work, I am including a "scram" function which provides central control for shutting down all network operations. Hopefully the scram, combined with the type of intrusion detection system that Bruce outlines, will help me uphold my responsibility to my customers.
To save a long anecdotal rant, the team, particularly the head of the team, were completely incompetent. Things didn't work, projects ran over budget, and serious holes (open relays) were left in place. Some projects would take weeks to complete, and he would not let them know their own firewall passwords.
The silliest aspect was that he believed that by adding a second NIC to a server, 2 processes could then listen on the same port on that machine, one on each NIC.
He also installed our firewall (previously we relied on a router with really severe port filtering rules in place). FTP from a browser was broken for 6 months, despite promises to fix it, until someone on my team got hold of the firewall password and fixed it himself.
They moved to exploiting another market, leaving a handful of broken installations with no effective support. They now sell web servers, and believe that the best web server product is Lotus Notes! Says it all, really! And they IPO'd earlier this year. Not on f*ckedcompany.com yet.
The moral - even so-called security experts can be utterly hopeless.
This article was very interesting since it is one of the very few that argue for reactive management. All the biz buzzwords these days are for proactive management, i.e., prevention.
One thing I didn't see in the article is a rational discussion of costs. There are the obvious costs of security (administration) and insecurity (theft and fraud). But there are also much less obvious costs from lost business. These can be several times greater.
Lost business costs can come from both excessive (preventative) security, and from insufficient security. Excessive security is a hassle, and deters customers. Perceived low security might also deter customers if they fear they will lose something valuable (credit card numbers? data?).
I think in any business security discussion, ALL these costs must be considered, not just the easy, hard $.