Slashdot Mirror


Information Security Fundamentally Wrong?

Joep Gommers writes to share his look at why the current approach to information risk mitigation is fundamentally wrong. Detection of an intrusion (incident) consists of three stages: Information Gathering, Information Processing and Information Reporting. If we look at the way we currently put these three stages together, we see that efficiency, and therefore the percentage of possible accomplished risk mitigation, is poor. He claims that if every step taken in order to detect an incident is 50% efficient, we will end up with thousands of dollars in firewalls, IDS, event correlators, and outsourced security processes and very little progress in security. The article is noted as a draft, but still some interesting food for thought.


  1. Um... by Schraegstrichpunkt · · Score: 3, Insightful

    Um... If we're going to redesign everything anyway, in order to support logging and analyzing every event, why don't we just design security into the system this time, and actually *prevent* security breaches?

    1. Re:Um... by brandonY · · Score: 2, Insightful

      You cannot build a completely safe and accessible system. There's always a legitimate way in, and someone always has a chance to find that way by brute force, blind luck, or social engineering. The goal of information security is twofold:
      1.) Make it not worth the effort. If it takes on average 10000 years, it's not worth it.
      2.) Make sure you know that your system has been breached.

    2. Re:Um... by Sique · · Score: 4, Insightful

      It goes even more in depth than this:

      1. There is no way to formally prove in general that a program is logically correct. You can prove it formally for single programs, but then you don't have the formal proof that your proof is formally correct (there are not only bugs in programs, there are also bugs in theorems about programs).

      2. A programming environment is either primitive-recursive (and thus very simple and doesn't offer too much for programming) or it is Turing complete and thus capable (in theory) of hosting every conceivable program. There has been no solution yet for a set of possible programs which is really smaller than the set of Turing computable programs and still really larger than the set of primitive-recursive programs. It's either Scylla or Charybdis.

      3. There is always the problem of covert channels. As long as different entities share the same resources, they can also communicate with each other. And communication means influence, and influence means unpredicted situations which are not tested for (again there is the exception for a primitive subset of programs).

      4. The solution to 3. is sandboxing: creating a closed environment with non-shared resources. Problem: you can't use it for much, because it is per definitionem not able to communicate with the outside.

      5. The same arguments are also telling us that DRM doesn't work. DRM requires problems 1 to 4 to be solved.

      --
      .sig: Sique *sigh*
    3. Re:Um... by MadMidnightBomber · · Score: 5, Interesting

      As your mother used to tell you, prevention is better than cure - remember those graphs about how much coding mistakes cost to fix at various stages of the development process? Well, it's the same for prevention, detection and response, getting increasingly expensive.

      Anyway, the article isn't loading right now, but the distinction between Information Gathering, Information Processing and Information Reporting is fundamentally artificial. They're all aspects of a single process, and yes, I used to do this for a living. Security's not hard - follow the lock-down guides for your host OSes and network devices. Run an IDS such as snort, and keep an eye on it. Keep abreast of current problems at isc.sans.org, frsirt and vendors' announcements. Make sure your users have good passwords and audit all logon failures. Tighten up your physical security and educate about social engineering. Then you at least have a good chance to keep the lid on things.

      The real problem with security is that a lot of systems are overly complex and it's impossible to really close off every possible avenue of attack. Management always prefers a full feature set to the fuzzy notion of security - after all, they've never had a major incident up till now, so why change?

      --
      "It doesn't cost enough, and it makes too much sense."
    4. Re:Um... by Bush+Pig · · Score: 1

      Part of the reason is because it's really hard, maybe even impossible, to design a completely secure system.

      --
      What a long, strange trip it's been.
    5. Re:Um... by lgw · · Score: 1

      Nice analysis! It's worth noting that covert channels are another apparently-unsolvable problem. Possible covert channels have been found even in high security systems with hardware sandboxing once thought to provably prevent information flow from a secure partition to an insecure partition on the same machine.

      For example, a program in a secure partition can leak information to an insecure program through patterns of resource use that are detectable by traffic analysis on the insecure side. Attempting to isolate programs that are designed to cooperate in this way (to create a deliberate covert channel) just doesn't seem possible short of having secure and insecure systems share no infrastructure at all (which seems to be the path taken by the US government). You just have to assume that two processes on the same machine can find a way to communicate if they want to.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    6. Re:Um... by evilviper · · Score: 1
      4. The solution to 3. is sandboxing: creating a closed environment with non-shared resources. Problem: you can't use it for much, because it is per definitionem not able to communicate with the outside.

      No. Actually, it's just much more restricted in HOW it can communicate with the outside.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    7. Re:Um... by michelcultivo · · Score: 1

      Or why don't all the telecoms/ISPs/netblock owners inspect the reports that we send to them? I'm tired of sending a lot of reports of break-in attempts to the netblock owners and not getting responses (in this case, don't count the automatic responses).

    8. Re:Um... by Schraegstrichpunkt · · Score: 1
      1. There is no way to formally prove in general that a program is logically correct . . . 2. A programming environment is either primitive-recursive (and thus very simple and doesn't offer too much for programming) or it is Turing complete and thus capable (in theory) to host every conceivable program . . . 3. There is always the problem of covert channels . . .

      Let me guess: You're a CS major, or you are repeating what you heard from a CS major?

      We're not anywhere close to approaching the theoretical limits of information security. All you need to do is to subscribe to any number of security announcement mailing lists (e.g. BugTraq or debian-security-announce) and you will see that the number of buffer overflows, arbitrary SQL injection vulnerabilities, and /tmp races -- problems for which solutions have been well-known for years if not decades -- is simply appalling. Heck, just look at the anti-virus industry (and more recently, the anti-spyware industry), something that would not exist if it weren't for the abysmally poor design of today's computing environments.

      At least until we get these problems under control, I'm not interested in hearing sermons about Turing completeness, covert channels, and the theoretical futility of ideal information security.

    9. Re:Um... by Sique · · Score: 1

      No, I am a technician without a formal education :) But I have coded in many different languages, and I found that you can create buffer overflows in about any language you want (ever destroyed a spreadsheet by looping through cells and writing into the wrong rows?). Sometimes it's not the C equivalent, but having memory that is unaccounted for, is taken without content checking, or writing data into places where it overwrites other data used by other routines is always possible. Returning data by reference is often unavoidable, but is prone to be wrongly overwritten.

      Off-by-one errors are probably the oldest thing in coding, but they still happen. Knowing that a possible error can happen doesn't protect you from that error.

      --
      .sig: Sique *sigh*
  2. Unplug by Anonymous Coward · · Score: 0

    Cheap and easy solution: unplug from the internet, shutdown the computer.

    1. Re:Unplug by mencik · · Score: 1

      Cheap and easy solution: unplug from the internet, shutdown the computer.

      That would be a denial of service.....

    2. Re:Unplug by Kozar_The_Malignant · · Score: 1

      >>Cheap and easy solution: unplug from the internet, shutdown the computer.

      >That would be a denial of service.....

      There are some instances where the air-gap firewall makes sense. I'm not personally that paranoid, but I am sure that there are isolated machines processing sensitive data where all I/O is via physical media.
      --
      Some mornings it's hardly worth chewing through the restraints to get out of bed.
    3. Re:Unplug by mencik · · Score: 1

      I agree. It is the "shutdown the computer" that is the denial of service.

  3. prevent breaches? by TubeSteak · · Score: 2, Insightful
    why don't we just design security into the system this time, and actually *prevent* security breaches?
    If we did something silly like that, then what would happen to security consultants?

    On the one hand, they want you to be secure. On the other hand, they don't want you to be so secure that you no longer need their services.

    Some people have a vested interest in maintaining the 'insecure' status quo.
    --
    [Fuck Beta]
    o0t!
    1. Re:prevent breaches? by Eightyford · · Score: 1

      On the one hand, they want you to be secure. On the other hand, they don't want you to be so secure that you no longer need their services.

      Sounds like drug companies, car companies, and well, just about any profession. Even engineers make themselves needed by doing everything their own strange way so that they can't be replaced easily.

    2. Re:prevent breaches? by Sheepdot · · Score: 1

      On the one hand, they want you to be secure. On the other hand, they don't want you to be so secure that you no longer need their services.

      I think the biggest single testament to this statement being true is the utter lack of insurance in IT security. I've never been a fan of *ANY* type of insurance (think about it, they must be making money or they wouldn't be doing it, which means that the risk is far too low) but IT insurance is one thing that just hasn't taken off. Which means that the risk is far too high of security breaches.

      Keep in mind that some of the best security minds are actually working on the other side of the fence. The guys that you hire to protect you are the ones that cannot make enough money as blackhats/criminals, or have a conscience (aka wife and kids), and couldn't possibly bring themselves to do harm.

    3. Re:prevent breaches? by niftyzero · · Score: 1

      It's not that Engineers do things in a strange way on purpose. It's that engineers are strange.

    4. Re:prevent breaches? by jotok · · Score: 1

      I disagree. As long as there are nogoodniks on the internet, you will need some people trained in IT security.

      What gets me is that so many services provided by the security goons should be taken care of by good sysadmins, such as maintaining up-to-date inventories of network devices, or knowing what "normal" traffic for the network is. I rarely find this to be the case, and so security consultants get hired on to do device discovery, network mapping, patch management, and traffic analysis. There WOULD be fewer consultants if local network admins were doing their job right, so perhaps we have a vested interest in their ignorance.

      On the other hand, if I didn't have to spend all my time explaining to admins getting paid $60k/year how to implement a DNS blackhole or how to use grep to find an IP in their firewall logs, then perhaps I could spend my time concentrating more on prevention than on mitigation (predictive analysis, etc.).

    5. Re:prevent breaches? by sharp-bang · · Score: 1

      IT insurance is one thing that just hasn't taken off

      That's changing fairly rapidly as the cyberinsurance offerings mature and as the actuarial metrics improve. The emergence of generally accepted standards of due care is also helping. The folks I've talked to recently in the insurance industry (at AIG and Gallagher, to name two) are selling it hand over fist.

      It's also worth noting that not all IT risk is covered by specialized insurance. A fair amount of IT-related business risk can be covered by general business insurance.

      --
      #!
  4. So... by Otter · · Score: 3, Funny

    So, if you multiply some completely arbitrary numbers together and then multiply some wholly imaginary numbers together, the arbitrary numbers for real technology come out lower than the imaginary numbers for imaginary technology? Wow, I'm impressed!

    1. Re:So... by lgw · · Score: 1

      Doubt it not! My vaporware is better than your shipping product!

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:So... by Anonymous+Brave+Guy · · Score: 2, Funny

      I think your explanation might be a bit complex...

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  5. I'm not certain this is a rethink, really by Sheepdot · · Score: 1

    The base of the issue is that malware works on multiple levels, but the example he provides (or what he seems to be hinting at) is putting physical security issues into a report? That's great and all, but very few malware authors actually go the physical route. That is more for armed robbery or internal (disgruntled employee) type threats.

    I don't think this constitutes much change, just how things are reported, and maybe to whom.

    1. Re:I'm not certain this is a rethink, really by Zphbeeblbrox · · Score: 3, Insightful

      You obviously didn't read it carefully enough. The issue he addresses is that currently all the data from each layer is considered out of context. This makes certain types of attacks more difficult to identify. If you can consider all the data in the context of the other layers you have a more complete picture of your network's status. Most solutions right now though don't offer that kind of functionality. I think he's on to something.

      --
      If you see spelling or grammatical errors don't blame me. I tried to preview but IE here at work borked the CSS
    2. Re:I'm not certain this is a rethink, really by Anonymous Coward · · Score: 0

      There are several commercial solutions that have this kind of integration.

    3. Re:I'm not certain this is a rethink, really by `Sean · · Score: 1
      If you can consider all the data in the context of the other layers you have a more complete picture of your network's status.

      You don't happen to work for Splunk, do you? ;) Sorry...when I read that all I could think of are those Splunk ads that have been plastered all over /. for the past few months.

    4. Re:I'm not certain this is a rethink, really by IbeUID0 · · Score: 2, Insightful

      Not being able to read the (slashdotted?) article, it sounds like he's calling for companies to buy and install the latest series of security gizmos - the Security Event/Information Manager (SEM/SIM). This is truly the greatest generation of toys - it slices/dices/makes julienne fries!

      The goal of these devices is to take the data from the varying sources - syslogs, firewall logs, IDS/IPS entries, and so on - and correlate it in an automated fashion. The challenge with these solutions is that it's, well, hard to do right. How long did it take us to get a decent IPS device? If you count the Checkpoint/Realsecure connections (where Realsecure could modify Checkpoint rules), it was about 4 years between that and a functional IPS that organizations could effectively trust. The S(E/I)M is a pretty big step beyond that. That's why managed security providers are in business, and even their correlation engines aren't that advanced. It's a great idea, and would be great to see, but I'm not convinced the complexity issues can truly be overcome. Can we really take in all the data from our servers, switches, routers, firewalls, IDS/IPS, workstations, network management systems, application logs, LDAP/AD logs, email systems, etc. etc. and create a cohesive top-down view? I'd love it, but I wouldn't want to try to write it.

      It reminds me a bit of ERP systems - great tools that managed everything and are amazingly expensive to purchase, customize, and use. Then again, if the security market goes that way, we'll have job security just installing the buggers.

    5. Re:I'm not certain this is a rethink, really by Zphbeeblbrox · · Score: 1

      actually no. I never pay any attention to slashdot ads so I don't even know who they are :-)

      --
      If you see spelling or grammatical errors don't blame me. I tried to preview but IE here at work borked the CSS
    6. Re:I'm not certain this is a rethink, really by jotok · · Score: 1

      I've been able to implement just that using simple open-source tools, so I don't really see what the problem has been. The difficulty (aside from warehousing everything) is not really in gathering the data, but rather in what you want to get out of it, and how you analyze it... I have some automated tools I wrote myself to do simple data mining and anomaly detection on the data, but as you pointed out, for most companies the analysis side is underwhelming (top 10 lists and the like). I think there needs to be a marriage of data mining types with security device designers before these systems are really going to be useful.
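
      The cross-layer correlation that IbeUID0 and jotok describe above (and the "audit all logon failures" advice earlier in the thread) can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from the draft article, or from any SEM/SIM product named here. It groups firewall drops, IDS alerts and sshd authentication results by source IP inside a sliding time window, so that lines that look like background noise in any single log become one incident when read in the context of the other layers. The log lines, the year assumed for timestamps without one, the five-minute window and the line formats are all constructed for the example.

```python
"""Cross-source event correlation over constructed sample logs (added example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ASSUMED_YEAR = 2006  # assumption: syslog/IDS-style lines below carry no year

# Constructed sample lines, loosely modelled on iptables, Snort fast-alert and
# sshd syslog output. None of them were captured from a real device.
FIREWALL_LOG = [
    "2006-03-01T10:00:01 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=22",
    "2006-03-01T10:00:03 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=23",
    "2006-03-01T10:00:05 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=445",
    "2006-03-01T10:30:00 fw kernel: DROP SRC=198.51.100.4 DST=192.0.2.10 DPT=80",
]
IDS_LOG = [
    "03/01-10:00:04.100 [**] [1:9999:1] PORTSCAN detected [**] {TCP} 203.0.113.7 -> 192.0.2.10",
]
AUTH_LOG = [
    "Mar  1 10:00:20 host sshd[123]: Failed password for root from 203.0.113.7 port 4000 ssh2",
    "Mar  1 10:00:25 host sshd[124]: Failed password for admin from 203.0.113.7 port 4001 ssh2",
    "Mar  1 10:00:31 host sshd[125]: Accepted password for bob from 203.0.113.7 port 4002 ssh2",
    "Mar  1 11:00:00 host sshd[200]: Failed password for root from 198.51.100.4 port 5000 ssh2",
]

FW_RE = re.compile(r"^(\S+) \S+ kernel: DROP SRC=(\S+) DST=\S+ DPT=(\d+)")
IDS_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[[\d:]+\] (.*?) \[\*\*\] \{\w+\} (\S+) -> \S+")
AUTH_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")


@dataclass(order=True)
class Event:
    ts: datetime
    source: str   # which layer produced it: "firewall", "ids" or "auth"
    src_ip: str   # the key we correlate on
    detail: str


def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None
    return Event(datetime.fromisoformat(m.group(1)), "firewall", m.group(2), f"drop dpt={m.group(3)}")


def parse_ids(line):
    m = IDS_RE.match(line)
    if not m:
        return None
    mon, day, clock, msg, ip = m.groups()
    ts = datetime.strptime(f"{ASSUMED_YEAR}-{mon}-{day} {clock}", "%Y-%m-%d %H:%M:%S")
    return Event(ts, "ids", ip, msg)


def parse_auth(line):
    m = AUTH_RE.match(line)
    if not m:
        return None
    mon, day, clock, outcome, user, ip = m.groups()
    ts = datetime.strptime(f"{ASSUMED_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return Event(ts, "auth", ip, f"{outcome.lower()} {user}")


@dataclass
class Incident:
    src_ip: str
    events: list = field(default_factory=list)  # kept in time order

    @property
    def sources(self):
        return sorted({e.source for e in self.events})

    @property
    def end(self):
        return self.events[-1].ts


def load_all():
    """Parse every constructed line from all three sources into one event list."""
    parsed = [parse_firewall(l) for l in FIREWALL_LOG]
    parsed += [parse_ids(l) for l in IDS_LOG]
    parsed += [parse_auth(l) for l in AUTH_LOG]
    return [e for e in parsed if e is not None]


def correlate(events, window=timedelta(minutes=5)):
    """Group events per source IP; a gap longer than `window` starts a new incident."""
    incidents, open_by_ip = [], {}
    for ev in sorted(events):
        cur = open_by_ip.get(ev.src_ip)
        if cur is None or ev.ts - cur.end > window:
            cur = Incident(ev.src_ip)
            incidents.append(cur)
            open_by_ip[ev.src_ip] = cur
        cur.events.append(ev)
    return incidents


def cross_layer(incidents, min_sources=2):
    """Incidents that are visible in at least `min_sources` different layers."""
    return [i for i in incidents if len(i.sources) >= min_sources]


def accepted_after_failures(incident):
    """True if an accepted login follows failed ones from the same IP in the incident."""
    failures = 0
    for ev in incident.events:
        if ev.source != "auth":
            continue
        if ev.detail.startswith("failed"):
            failures += 1
        elif ev.detail.startswith("accepted") and failures:
            return True
    return False


if __name__ == "__main__":
    for inc in correlate(load_all()):
        flag = " ACCEPTED-AFTER-FAILURES" if accepted_after_failures(inc) else ""
        print(f"{inc.src_ip}: {len(inc.events)} events across {inc.sources}{flag}")
```

      Run as a script it prints one line per incident; the interesting one is the source that appears in all three layers and ends with an accepted login after failed ones, which no single log makes obvious on its own. The window and the "two or more layers" threshold are the knobs a real deployment would tune, and the parsers are the part that grows with every new source, which is the warehousing problem jotok mentions.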

    7. Re:I'm not certain this is a rethink, really by Anonymous Coward · · Score: 0

      Well actually the base of the problem is not malware but a combination of every incident possible (according to the CERT/CC's Incident Taxonomy). The malware part is just to get people interested in reading, since it touches a familiar subject.

      Joep Gommers

  6. that's funny.... by Anonymous Coward · · Score: 0

    I thought the problem with Information Security was simply that most practitioners are incompetent. I guess it's easier to come up with longer answers though.

    Seriously, bad people, ask for bad products, which create more problems and then the people ask for more bad products and nobody ever gets to the root of the issue (like, I dunno, trying to design simpler systems, among other things?)

  7. I don't quite understand what better proposal 'has by RedLaggedTeut · · Score: 1

    I don't quite understand what better proposal he has to offer.

    It looks like the solution would be to build an IDS from one piece. Taken to the logical conclusion, one would somehow have to throw all network traffic at some mainframe for analysis.

    Obviously one reason most IDSs are not built this way is that it is insane to analyze that amount of traffic. It seems more likely that one would instead try to tune the initial filtering steps to report more events to the next stage.

    Also, the non-IDS based security which many care about basically centers on avoiding the big pandemics; I am not sure slashdot will have much to offer from a more "professional" point of view. Hell, I don't even log the hits from slashdot on my proxy ports as an attack ;-)

    --
    I'm still trying to figure out what people mean by 'social skills' here.
  8. Ah, a man/woman with a brain?? wow!! by DaedalusHKX · · Score: 1

    Keep in mind that some of the best security minds are actually working on the other side of the fence. The guys that you hire to protect you are the ones that cannot make enough money as blackhats/criminals, or have a conscience (aka wife and kids), and couldn't possibly bring themselves to do harm.

    Yep, whether under fascism, communism, or corporatism, the best and most powerful individuals in history were always undergrounders, whether mafia bosses, lone shadowy figures cloaked in fear and confusion or simple psychotic priestly presidential usurpers www.whitehouse.gov :)

    If you have never seen Lord of War (Nicolas Cage movie, VERY VERY good and to the point, very surprising he'd have the nuts to say the shit he did in the movie)... GO SEE IT. I don't support the RIAA/MPAA, but that movie is a worthwhile deviance to buy (or download, as the case may be ]:)

    ~D

    --
    " What luck for rulers that men do not think" - Adolf Hitler
    1. Re:Ah, a man/woman with a brain?? wow!! by Sheepdot · · Score: 1

      There's a reason why that movie was in the top ten bittorrented videos on piratebay, yes.