Slashdot Mirror


Information Security Fundamentally Wrong?

Joep Gommers writes to share his look at why the current approach to information risk mitigation is fundamentally wrong. Detection of an intrusion (incident) consists of three stages: Information Gathering, Information Processing and Information Reporting. If we look at the way we currently put these three stages together, we see that efficiency, and therefore the percentage of possible accomplished risk mitigation, is poor. He claims that if every step taken in order to detect an incident is 50% efficient, we will end up with thousands of dollars in firewalls, IDS, event correlators and outsourced security processes, and very little progress in security. The article is noted as a draft, but it is still some interesting food for thought.

2 of 35 comments

  1. Re:Um... by Sique · Score: 4, Insightful

    It goes just more in depth than this:

    1. There is no way to formally prove in general that a program is logically correct. You can prove it formally for single programs, but then you don't have the formal proof that your proof is formally correct (there are not only bugs in programs, there are also bugs in theorems about programs).

    2. A programming environment is either primitive-recursive (and thus very simple and doesn't offer too much for programming) or it is Turing complete and thus capable (in theory) of hosting every conceivable program. There has been no solution yet for a set of possible programs which is really smaller than the set of Turing computable programs and still really larger than the set of primitive-recursive programs. It's either Scylla or Charybdis.

    3. There is always the problem of covert channels. As long as different entities share the same resources, they can also communicate with each other. And communication means influence, and influence means unpredicted situations which are not tested for (again there is the exception for a primitive subset of programs).

    4. The solution to 3. is sandboxing: creating a closed environment with non-shared resources. Problem: you can't use it for much, because it is per definitionem not able to communicate with the outside.

    5. The same arguments are also telling us that DRM doesn't work. DRM requires problems 1 to 4 to be solved.

    --
    .sig: Sique *sigh*
  2. Re:Um... by MadMidnightBomber · Score: 5, Interesting

    As your mother used to tell you, prevention is better than cure. Remember those graphs about how much coding mistakes cost to fix at various stages of the development process? Well, it's the same for prevention, detection and response: they get increasingly expensive.

    Anyway, the article isn't loading right now, but the distinction between Information Gathering, Information Processing and Information Reporting is fundamentally artificial. They're all aspects of a single process, and yes, I used to do this for a living. Security's not hard: follow the lock-down guides for your host OSes and network devices. Run an IDS such as snort, and keep an eye on it. Keep abreast of current problems at isc.sans.org, frsirt and vendors' announcements. Make sure your users have good passwords and audit all logon failures. Tighten up your physical security and educate about social engineering. Then you at least have a good chance of keeping the lid on things.

    The real problem with security is that a lot of systems are overly complex and it's impossible to really close off every possible avenue of attack. Management always prefers a full feature set to the fuzzy notion of security; after all, they've never had a major incident up till now, so why change?

    --
    "It doesn't cost enough, and it makes too much sense."
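The "audit all logon failures" advice above, as an added example (not code from the original thread or from any of its posters): a small auditor that parses sshd-style syslog lines, flags a source that racks up repeated failures inside a short window, and notes whether a successful logon from that source followed the burst. The log lines, thresholds and the log year are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in sshd/syslog style; not from any real host.
SAMPLE_AUTH_LOG = """\
Mar 10 09:01:02 gw sshd[4411]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:01:04 gw sshd[4411]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:01:07 gw sshd[4413]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 10 09:01:09 gw sshd[4415]: Failed password for root from 203.0.113.7 port 51034 ssh2
Mar 10 09:01:12 gw sshd[4417]: Failed password for root from 203.0.113.7 port 51040 ssh2
Mar 10 09:02:30 gw sshd[4420]: Accepted password for root from 203.0.113.7 port 51050 ssh2
Mar 10 09:15:00 gw sshd[4430]: Failed password for alice from 198.51.100.4 port 40100 ssh2
Mar 10 09:15:20 gw sshd[4431]: Accepted publickey for alice from 198.51.100.4 port 40102 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_auth_log(text, year=2006):
    """Return (timestamp, result, user, src) for each matching line.
    Syslog lines carry no year, so the caller supplies one (assumed)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog noise is skipped, not an error
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def audit_logon_failures(events, threshold=3, window_s=300):
    """Flag each source with >= threshold failures within window_s seconds,
    and record whether a successful logon from it came after the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, src in events:
        (failures if result == "Failed" else successes)[src].append(ts)
    findings = {}
    for src, times in failures.items():
        times.sort()
        for i, start in enumerate(times):  # slide the window over each start
            burst = [t for t in times[i:] if (t - start).total_seconds() <= window_s]
            if len(burst) >= threshold:
                after = any(s >= burst[-1] for s in successes.get(src, []))
                findings[src] = {"failures": len(burst), "success_after": after}
                break
    return findings
```

A single failure from a legitimate user (alice) is not flagged, while the burst from 203.0.113.7 is, and the trailing successful root logon from the same source is the finding worth escalating.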