Comments on Devil's Advocate Security: Are security departments wasting their time?

Comment by kurt wismer (https://www.blogger.com/profile/03810635947269551517), 2008-02-08 11:03 -05:00

"Like most discussions like this, I suspect that given a face to face discussion, I'd find that I agree with Mr. Tippett more than I agree with his quotes in the article."

indeed, an interactive conversation allows for semantic clarification that just isn't possible when dealing with a static article...

"My emphasis here is really that the risk must be appropriately measured and countered."

this much i actually agree with... mitigating a small percentage of high impact incidents does seem like it could be more worthwhile than mitigating a larger percentage of low impact incidents...

"As for the sunroof quote - I don't think I twisted the metaphor - the original quote is, "

that quote again describes exploitation, not simply the vulnerability... you equated exploitation with the vulnerability itself, which confuses the issue and led to what seemed to me to be a nonsensical extension...

"You'll note that my emphasis isn't really on flawless process, but on assessing the problem and applying an appropriate level of care. Understanding why you're doing it, and what the risks are in your approach is useful."

which means you're precisely <B>not</B> the type of security practitioner that mr. tippett was referring to... that doesn't mean that the type of practitioner he was referring to isn't out there though...

Comment by David (https://www.blogger.com/profile/00465683521970634631), 2008-02-08 00:27 -05:00

Excellent points Kurt. Like most discussions like this, I suspect that given a face to face discussion, I'd find that I agree with Mr. Tippett more than I agree with his quotes in the article.

I think that hunting vulnerabilities is part of the patching process, and that they will be found, either by the good guys or the bad guys. For many of the good guys, it makes sense to hunt because the cost is too high if they're found by the other side.

My emphasis here is really that the risk must be appropriately measured and countered. If you're building custom web applications, you need to protect yourself against vulnerabilities, and you need to do an appropriate amount of testing - probably at multiple points in the software development lifecycle. If you're a software vendor, you need to test your software - if for no other reason than to protect yourself from liability and losing upset customers.

If his numbers are correct and none or very few of those vulnerabilities would have been exploited, of course we're wasting money and effort. If you step back and look at the tightening of the time from vulnerability announcement to exploit release, and the pressure that has put onto the software industry, and if we had the same statistic for a class of, say, local admin vulnerabilities, we'd be looking at a very different and worthwhile number.

Let's chalk this one up to "statistics with no detail are useless except to impress the masses."

With that said, the basic, and in most cases, quite reasonable presumption of a hostile environment means that there is a continued need to spend money, time, and effort. We have to hunt, because someone else will if our resources are worth protecting.

As for the sunroof quote - I don't think I twisted the metaphor - the original quote is:

"If I sat up in a window of a building, I might find that I could shoot an arrow through the sunroof of a Ford and kill the driver," he said. "It isn't very likely, but it's possible."

Similarly, if I send a string of characters to a webserver, I might manage to crash it. It's not very likely, but it's possible.

The problem is that that web server is what my business depends on to conduct e-commerce. Or that bug is a crash bug in a generator control system, or it is the login script for college admissions. Interconnected systems mean that hunting vulnerabilities often means fixing relatively obscure things to ensure that they're not escalated.

If we were in an environment in which people frequently looked for ways to get arrows into cars, and if we had high value assets in the cars, then we would have to gauge the risk appropriately. His statement covers part of the risk spectrum, and I'll agree that in some organizations, too much time is likely spent fixing sunroofs, but there are very valid threats out there that need to be taken care of. Dismissing them as unlikely *can* (not is, but can) be a mistake. I'll point to my <A HREF="http://devilsadvocatesecurity.blogspot.com/2008/01/risk-management-denial-strategy-that.html" REL="nofollow">post</A> on denial in risk assessments there. We're in an era where automated tools can take on an application and find holes automatically, and in which there is often a paycheck associated with finding a new way to compromise systems.

As long as owning systems pays, there is a financial reward to shoot arrows through sunroofs.

(I'm officially marking the metaphor as dead due to an arrow through the sunroof now.)

Finally, you're right that the direct quote is "that my organization will be more secure". The key is the follow-up though - "But studies have shown that there isn't necessarily a direct correlation between doing these processes well and the frequency or infrequency of security incidents".

As I stated, I don't believe that simple statistics are sufficient, or that current reporting is accurate enough to make broad statements about practices. The two practices he cites are some that I've seen be real saviors to organizations. If you asked me "is penetration testing necessary for all organizations" I'd likely have reacted differently!

Typically, security practices should have multiple reasons for implementation - flawless antivirus patching is probably in response to virus outbreaks, and vulnerability patching is likely there to ensure that you don't miss that critical server. If they're done only because they're on a checklist of best practices, I'd still find it hard to argue with - having been in organizations that learned the hard way that they should have implemented them fully.

You'll note that my emphasis isn't really on flawless process, but on assessing the problem and applying an appropriate level of care. Understanding why you're doing it, and what the risks are in your approach is useful.

Comment by kurt wismer (https://www.blogger.com/profile/03810635947269551517), 2008-02-07 22:28 -05:00

"In today's IT workplace, it is difficult to justify not actively patching vulnerabilities and monitoring for them."

it's difficult to imagine he was referring to that practice... once a vulnerability becomes publicly known and a patch has been made, it makes sense to patch...

i believe he was instead referring to the hunting of vulnerabilities... if his figures (in their broadest interpretation) are correct then certainly it was a waste of time finding and creating patches for most of those vulnerabilities...

"To expand the metaphor, if vulnerabilities are seen as similar to shooting the sunroof of a vehicle,"

this isn't expanding the metaphor, it's twisting it... the fact that an arrow can pass through the sunroof is the vulnerability, actually firing an arrow through a sunroof is exploiting the vulnerability...

"Is vulnerability research the end-all solution to security? No. Is it necessary? At least in the foreseeable future it will be. The perfectly safe car hasn't been built, and the perfectly secure computer hasn't been either."

while the perfectly safe car hasn't been built, arrows through the sunroof is a ridiculous thing to waste time on because no one is doing it, just as no one is exploiting most of the vulnerabilities...

"Tippett comments that people believe that perfect process can make an organization more secure."

i'm pretty sure his comment was that people believe it <B>will</B> make an organization more secure, not that it <I>can</I>... hopefully you can see the distinction...