Re: [ISN] Air Force raises bar on desktop security

From: InfoSec News (isn@private)
Date: Tue Nov 08 2005 - 22:04:42 PST


Forwarded from: Dragos Ruiu <dr@private>

On Tuesday 08 November 2005 00:17, InfoSec News wrote:
> http://www.fcw.com/article91318-11-07-05-Web
>
> By Frank Tiboni
> Nov. 7, 2005
>
> The Air Force plans to test its new Microsoft standard desktop
> computer configuration at five field sites later this month. The
> service wants to install the configuration on 70 percent of its
> computers by June 2006 and on the rest by the end of 2006, Air Force
> and industry officials said.
>
> The Air Force will distribute Microsoft software with standard
> security configurations servicewide to improve network security and
> management. Military and civilian agencies are watching the testing
> because they could use the software governmentwide early next year.
>
> Many security problems associated with Microsoft software occur when
> users do not properly configure their systems. As part of this
> initiative, the Air Force is standardizing desktop PCs that are set up
> with all appropriate controls in place.

Ok I have to call this one.

Be very careful. This is a very dual edged sword. There is great
strength in standardized configurations.

But you have to be _very_ careful that you get it right. Because you
are essentially setting up a monoculture. And if you get it wrong, and
there are flaws, it means an attacker who does get a vulnerability can
rip through your entire network like lightning. Mistakes in that
central configuration could be disastrous.

It also makes it a lot easier to test out exploits if there is only
one configuration variant to worry about. To harken back to biological
examples, it means a single virus can take out the entire population.
I don't know about you, but the thought of an attacker owning the
70%-100% of the U.S. Air Force in one swoop makes me a tad nervous.
All your eggs in one basket as it were.

Putting on my pen tester hat, the weakness of this approach is that it
removes one of the most difficult steps in remote penetration: the
enumeration and identification of the system configuration you are
attacking. You only need one set of offsets in your exploits, and you
can just get a copy of the standard configuration, and test it
leisurely in your single pc lab. When you get it right, you can take
down the target hard, as a complete surprise.

Sure, when individual sysadmins get to muck with the configurations
they can introduce weaknesses and mess up all kinds of stuff. But there
are some real dangers to setting up a centrally controlled homogenous
monoculture too. You may be doing the exact opposite of strengthening
the network - instead locking everyone into a common level of
mediocrity. That variability in configuration, that can introduce
weakness in the population, can also bring some measure of safety and
provide one more hurdle for digital attackers to overcome.

I used to work for many years at Hewlett Packard, where they had this
thing they call COE - common operating environment. As I can tell you
from using that system - no matter how well they sell you on the
wonders of central administration, it ain't all a bed of roses.  When
it sucks, it sucks hard. That's why my group used Macintoshes. :-)

This standard configuration approach puts a lot of responsibility on a
single group. And humans are never infallible. We make mistakes. We
should plan for and accept those mistakes...  and this approach does
not seem to account for this.

Of course this all depends on what is called a "security
configuration" and ymmv. "Configuration" is a sufficiently nebulous
term that this could mean all sorts of things from a rule saying that
everyone must turn on windows update, to a standardized os/driver
config that would make target enumeration for attack a walk in the
park. But my initial reaction to this is not one of "Phew, they are
finally going to patch all their systems"  but rather "Ruh-roh, they
are locking the entire Air Force into a single, easy to attack,
configuration."

And I don't know if I feel so comfortable about that when we are
talking about computers for people equipped with nuclear explosives.

just one man's opinion,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan    November 14-16 2005  http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp


