Re: [ISN] Security myths costing firms

From: InfoSec News (isnat_private)
Date: Tue May 07 2002 - 23:10:17 PDT


    Forwarded from: rferrellat_private
    
    > A better approach was to employ "synergistic security", which hinged
    > on the concept of redundancy in security controls, Dr Tippett said.
    
    An even better and more effective approach is to stop relying solely
    on patches, IDS, firewalls, and other software to protect your
    networks.  Human beings with training and experience must be sitting
    there watching these tools work, and reading the logs they produce.  
    
    Relying on software (and hardware, for that matter) to keep your
    enterprise safe is like slapping a motion detector on your front gate
    and calling it secure.  If there's no living person watching your
    portal, someone circumventing its security is not only possible, it's
    more or less inevitable.
    
    > Better technologies only accounted for a tenfold improvement in
    > safety; better education and better practices had multiplied this a
    > hundredfold.
    
    Better education and practices of systems administrators and users, to
    be precise.
    
    > At a bare minimum, companies should have either two primary controls
    > (with greater than 90 per cent effectiveness), or a primary and at
    > least three synergistic controls for each category of risks.
    > "Failure of any one control in a scenario like this would still
    > leave better than 99 per cent effectiveness," Dr Tippett said.
    
    Yeah, great, but don't forget the human element.  The infosec industry
    needs to emphasize that people, not computers, are the best defense.  
    Without trained professionals analyzing the data collected by an IDS,
    for example, it's just not very useful.
    
    Until infosec heuristics begin to approach human levels of
    sophistication, the best hardware on the planet is just a fancy
    screwdriver.
     
    > 'Encryption over the internet is important.' 
    > 
    > But Dr Tippett said the increasing speed and complexity of networks
    > meant it was almost impossible to inspect traffic for a single
    > message.
    
    Way too general.  Encryption of what?  If you're in a high risk
    business or just paranoid about your personal privacy, encryption is
    quite important.  This statement only seems to cover email encryption.
    
    The major uses of encryption on the public Internet are SSL, SSH, and
    VPNs, however, which encrypt all traffic. If you want to send your
    SSN, credit card numbers, and proprietary data in plaintext, be my
    guest. This sort of cavalier attitude is what makes online identity
    theft so easy.
     
    > 'More obscure end-user passwords are advisable.'
    > 
    > There was no measurable benefit, he said.
    
    Sorry, my BS detection meter just went off.  I hope this statement is
    simply taken out of context.  A quick look at the number of
    intrusions, especially of Microsoft-based systems, which began with a
    cracker brute-forcing a user password will quickly dispel any notion
    that password construction has no 'measurable benefit' on security.  
    
    There are a lot of password-cracking programs out there, and the
    reason people have devoted so much effort to their creation is that
    cracking passwords is one of the easiest and surest ways into a
    system. Once you're in, privilege elevation attacks are usually fairly
    straightforward.
     
    > Dr Tippett said daily updates were only 1 or 2 per cent better than
    > weekly updates.
    
    I agree with this.  If antivirus companies would stop relying on
    pattern-matching and start incorporating more heuristics-based
    detection, however, the need for regular updates would disappear.
    
    > Vulnerabilities have to be quantified in terms of the probability of
    > a threat succeeding. In many cases, a threat would not be worth
    > worrying about.
    
    True.  But who's going to look at every vulnerability that is
    announced and evaluate it in terms of its probability of exploitation
    on a given system? That requires a trained and dedicated analyst.  A
    human being.  See above.
    
    > Just get firewalls up to 90 per cent effectiveness and ensure
    > default router rules are not overridden, Dr Tippett advises.
    
    Well, at least change default passwords and community strings.
     
    > "It's about concentrating on essential practices, rather than best
    > practice," Dr Tippett said.
    
    And the essence of information security is the human element driving it.
    
    RGF
    
    Robert G. Ferrell
    rferrellat_private
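
An added example, not part of Ferrell's message or the ISN archive: a small Python script that does the kind of log reading he argues for, run over constructed sshd-style auth lines (the hostname, addresses and usernames are made up for the demo). It flags a source that fails many logins inside a short window and then gets in, which is the brute-forced-password pattern the reply describes. The threshold and window values are arbitrary starting points, not recommendations from the original text.

```python
"""Flag password brute-force patterns in sshd-style auth log lines.

Added example, not code from the original post. The log lines are constructed
for the demo; the hostname, addresses and usernames are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source hammers several accounts and then succeeds,
# another fails once and then logs in normally with a key.
SAMPLE_LOG = """\
May  7 22:01:03 gw sshd[4011]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
May  7 22:01:05 gw sshd[4011]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
May  7 22:01:08 gw sshd[4013]: Failed password for root from 198.51.100.23 port 51024 ssh2
May  7 22:01:11 gw sshd[4013]: Failed password for root from 198.51.100.23 port 51024 ssh2
May  7 22:01:15 gw sshd[4015]: Failed password for invalid user test from 198.51.100.23 port 51027 ssh2
May  7 22:01:19 gw sshd[4017]: Failed password for bob from 198.51.100.23 port 51029 ssh2
May  7 22:01:40 gw sshd[4020]: Accepted password for bob from 198.51.100.23 port 51031 ssh2
May  7 22:03:10 gw sshd[4033]: Failed password for alice from 203.0.113.9 port 40010 ssh2
May  7 22:04:00 gw sshd[4034]: Accepted publickey for alice from 203.0.113.9 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Return an event dict for a recognised sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used.
    when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"time": when, "result": m.group("result"), "method": m.group("method"),
            "user": m.group("user"), "src": m.group("src")}


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {src: summary} for every source with at least `threshold`
    failed logins inside some span of `window_seconds`; the summary records
    how many failures there were, which accounts were tried, and whether a
    login from that source succeeded at or after the end of the burst."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["time"])
        fails = [e for e in events if e["result"] == "Failed"]
        burst_end = None
        left = 0
        for right in range(len(fails)):  # sliding window over failure times
            while (fails[right]["time"] - fails[left]["time"]).total_seconds() > window_seconds:
                left += 1
            if right - left + 1 >= threshold:
                burst_end = fails[right]["time"]
        if burst_end is None:
            continue
        findings[src] = {
            "failures": len(fails),
            "users_tried": sorted({e["user"] for e in fails}),
            "success_after_burst": any(
                e["result"] == "Accepted" and e["time"] >= burst_end for e in events),
        }
    return findings


if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

On the constructed sample only 198.51.100.23 is reported: six failures across four accounts in sixteen seconds, followed by a successful password login for bob. The single failure from 203.0.113.9 followed by a key-based login never reaches the threshold, which is the sort of judgement a tool makes poorly and an analyst reading the same lines makes easily.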
    
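
A second added example, again mine and not from the message, for the point that password construction has a measurable effect: a toy offline guesser that does what the password-cracking programs mentioned above do, first a wordlist run through common mangling rules, then a short exhaustive search. Hashes are unsalted SHA-256 purely so the demo runs in well under a second; the wordlist and the test passwords are constructed. A dictionary word with a two-digit suffix falls to the mangling rules in a few hundred guesses, a three-character password to the exhaustive pass, and a longer random one survives the whole budget.

```python
"""Toy offline password guesser: wordlist + mangling rules, then short exhaustive search.

Added example, not code from the original post. Unsalted SHA-256 is used only
so the demo runs fast; the wordlist and the passwords tried are constructed.
"""
import hashlib
import itertools
import string

WORDLIST = ["password", "summer", "welcome", "letmein", "dragon", "monkey"]  # constructed
YEARS = [str(y) for y in range(1990, 2003)]
LEET = str.maketrans("aeios", "43105")


def sha256_hex(password):
    """Hash a candidate the way the (toy) target stores it."""
    return hashlib.sha256(password.encode()).hexdigest()


def mangled_candidates(words=WORDLIST):
    """Each base word in a few spellings, bare and with the usual suffixes
    (two-digit numbers, recent years, a trailing '!' or '1!')."""
    for word in words:
        # dict.fromkeys keeps iteration order deterministic while dropping duplicates
        bases = dict.fromkeys([word, word.capitalize(), word.upper(), word.translate(LEET)])
        for base in bases:
            yield base
            suffixes = itertools.chain((f"{n:02d}" for n in range(100)), YEARS, ["!", "1!"])
            for suffix in suffixes:
                yield base + suffix


def exhaustive_candidates(alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Every string over `alphabet` of length 1..max_len (36 + 1296 + 46656 strings)."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def crack(target_hex, max_guesses=200_000):
    """Return (password, guesses) when the hash is matched within the budget,
    otherwise (None, guesses)."""
    guesses = 0
    for candidate in itertools.chain(mangled_candidates(), exhaustive_candidates()):
        guesses += 1
        if sha256_hex(candidate) == target_hex:
            return candidate, guesses
        if guesses >= max_guesses:
            break
    return None, guesses


if __name__ == "__main__":
    for pw in ["Summer02", "dr4g0n1999", "k9z", "x7Qv!pL2mZ"]:
        print(pw, "->", crack(sha256_hex(pw)))
```

The guesser is deliberately tiny (about 2,800 mangled guesses plus about 48,000 exhaustive ones); real tools run rules over wordlists of millions of entries at millions of hashes per second, and the gap between a mangled dictionary word and a long random string only widens from there.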
    
    
    -
    ISN is currently hosted by Attrition.org
    



    This archive was generated by hypermail 2b30 : Wed May 08 2002 - 03:49:48 PDT