Thursday, August 13, 2009

Incident Detection Mindset

Often you will read or hear about a "security mindset," but this is frequently an "offensive security mindset." This attitude is also called a "breaker" mindset, described in my old post On Breakership. The offensive security mindset means looking at features of the physical or digital worlds and reflexively figuring out ways to circumvent their security (or to exploit their lack of security). Johnny Long is one example of a person with this mindset -- pretty much every place he looks, he is figuring out a way to profile or subvert what he sees! To a certain extent this mindset can be taught, although one could argue that truly exceptional offensive security pros have this mindset embedded in their DNA.

It occurred to me today, after writing Build Visibility In, that I have a different mindset. I have an incident detection mindset. Often when I interact with the physical or digital worlds, I reflexively wonder: how can I tell if this feature is trustworthy? For example, when I first received my corporate laptop, I wondered, "how can I tell if this box is owned?" When I received my Blackberry, I wondered, "how can I tell when this device is owned?" In other words, if the device is compromised, it is not trustworthy. How can I tell?

The prevailing security mindset is a "defensive security mindset," where security people are taught to plan for and resist incidents. This attitude is necessary but not sufficient. We need people who plan for and resist incidents, people who can detect and respond to incidents, and people who can think offensively to assist those who work defensively.

I believe all three of these mindsets can be taught, but of the three I think the incident detection mindset is the rarest. Working to develop an incident detection mindset is one of the goals of this blog, and of posts like this one and the last.

Saturday, June 27, 2009

Ugly Security

I read Anton Chuvakin's post MUST READ: Best Chapter From “Beautiful Security” Downloadable! with some interest. He linked to a post by Mark Curphey pointing out that Mark's chapter from O'Reilly's new book Beautiful Security was available free for download in .pdf format. O'Reilly had been kind enough to send me a copy of the book, so I decided to read Mark's chapter today.

I found the following excerpts interesting.

Builders Versus Breakers

Security people fall into two main categories:

  • Builders usually represent the glass as half full. While recognizing the seriousness of vulnerabilities and dangers in current practice, they are generally optimistic people who believe that by advancing the state they can change the world for the better.

  • Breakers usually represent the glass as half empty, and are often so pessimistic that you wonder, when listening to some of them, why the Internet hasn’t totally collapsed already and why any of us have money left unpilfered in our bank accounts. Their pessimism leads them to apply the current state of the art to exposing weaknesses and failures in current approaches.


I remembered I had seen something like this before and wrote On Breakership in response. However, back then the debate seemed to center around calling people who helped create and defend systems "builders," while labeling people who exploited or at least tested systems "breakers." Mark seems to have dismissed people who "break" systems in order to improve security, while praising builders as people who stay "optimistic." I don't think this is fair. My post Response to Is Vulnerability Research Ethical? explains my position, which is essentially that Offense and Defense Inform Each Other.

Next, in a section titled Clouds and Web Services to the Rescue, Mark describes how centralized data storage for his 6 home PCs at Amazon S3 is great for security. Unfortunately, all he is really showing is that there is value in offsite storage. Storing data at Amazon S3 doesn't help much when those 6 systems are part of Calin's botnet in Romania. This is an example of focusing on one aspect of security (availability) while ignoring the other parts (confidentiality and integrity). Don't get me wrong -- I think cloud storage is great and I use a variety of services myself. However, it only helps with one aspect of the security landscape, and if not properly utilized it introduces other vulnerabilities and exposures not found in other models.

Next Mark talks about using cloud services for data analysis.

Event logs can provide an incredible amount of forensic information, allowing us to reconstruct an event. The question may be as simple as which user reset a specific account password or as complex as which system process read a user’s token. Today there are, of course, log analysis tools and even a whole category of security tools called Security Event Managers (SEMs), but these don’t even begin to approach the capabilities of supercrunching. Current tools run on standard servers with pretty much standard hardware performing relatively crude analysis...

[T]he power and storage that is now available to us all if we embrace the new connected computing model will let us store vast amounts of security monitoring data for analysis and use the vast amounts of processing power to perform complex analysis. We will then be able to look for patterns and derive meaning from large data sets to predict security events rather than react to them. You read that correctly: we will be able to predict from a certain event the probability of a tertiary event taking place. This will allow us to provide context-sensitive security or make informed decisions about measures to head off trouble.
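To make concrete what the two questions in Mark's excerpt actually require of a log analysis tool, here is an added example that is not from the original post or from the Beautiful Security chapter. It parses a small set of constructed audit records (the key=value layout is a hypothetical format chosen for this example, not any real product's log format) and answers both the "simple" question (which user reset a given account's password) and the "complex" one (which process read a user's token) with a plain linear scan of the records.

```python
import re
from dataclasses import dataclass, field
from typing import Iterator

# Constructed sample audit records. The key=value layout is a hypothetical
# format for this example; real audit sources (Windows Security log, auditd,
# application logs) each have their own layouts and field names.
SAMPLE_LOG = """\
2009-06-27T09:14:02Z host=dc01 action=logon actor=alice outcome=success
2009-06-27T09:15:40Z host=dc01 action=password_reset actor=alice target=bob outcome=success
2009-06-27T09:16:05Z host=dc01 action=password_reset actor=mallory target=bob outcome=failure
2009-06-27T10:02:11Z host=fs02 action=token_read actor=svc_backup target=bob pid=4412
2009-06-27T11:30:00Z host=dc01 action=password_reset actor=helpdesk target=carol outcome=success
"""

# Timestamp first, then whitespace-separated key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass
class Event:
    ts: str
    fields: dict = field(default_factory=dict)


def parse_lines(text: str) -> Iterator[Event]:
    """Yield one Event per well-formed record; malformed lines are skipped
    rather than aborting the whole analysis, since a forensic reconstruction
    should degrade gracefully on a partially damaged log."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        fields = {}
        for token in m.group("kv").split():
            key, sep, value = token.partition("=")
            if sep:
                fields[key] = value
        yield Event(ts=m.group("ts"), fields=fields)


def find_events(text: str, action: str, **match: str) -> list:
    """Return events whose action equals `action` and whose remaining
    fields equal the given keyword filters (e.g. target="bob")."""
    results = []
    for ev in parse_lines(text):
        if ev.fields.get("action") != action:
            continue
        if all(ev.fields.get(k) == v for k, v in match.items()):
            results.append(ev)
    return results


def who_reset_password(text: str, target: str, successful_only: bool = True) -> list:
    """The 'simple' question: which user reset this account's password?
    Returns (timestamp, actor) pairs; failed attempts are excluded unless
    successful_only is False, since a failed reset is itself of interest."""
    events = find_events(text, "password_reset", target=target)
    if successful_only:
        events = [e for e in events if e.fields.get("outcome") == "success"]
    return [(e.ts, e.fields["actor"]) for e in events]


def which_process_read_token(text: str, user: str) -> list:
    """The 'complex' question: which process (host, account, pid) read the
    user's token? Same scan, different action and field selection."""
    return [(e.ts, e.fields.get("host"), e.fields.get("actor"), e.fields.get("pid"))
            for e in find_events(text, "token_read", target=user)]


if __name__ == "__main__":
    print(who_reset_password(SAMPLE_LOG, "bob"))
    print(who_reset_password(SAMPLE_LOG, "bob", successful_only=False))
    print(which_process_read_token(SAMPLE_LOG, "bob"))
```

Both questions reduce to filtering records on a couple of fields; the hard part in practice is having the right records at all (the audit policy that produces a token-read event, the password-reset event that names both actor and target), not the processing power to search them.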


Does Mark mean that the real problem we've had with detecting and responding to security events is a lack of processing power? Good grief. I hear thoughts like this quite often from people who don't actually detect and respond to security incidents. Even academic security researchers in their ivory towers are probably laughing at Mark's angle. "Oh, you're right -- we've just been waiting for a supercomputer to run our algorithms!"

Mark then talks about using Business Process Management (BPM) software to improve security:

When security BPM software (and a global network to support it) emerges, companies will be able to outsource this step not just to a single company, in the hope that it has the necessary skills to provide the appropriate analysis, but to a global network of analysts. The BPM software will be able to route a task to an analyst who has a track record in a specific obscure technology (the best guy in the world at hacking system X or understanding language Y) or a company that can return an analysis within a specific time period. The analysts may be in a shack on a beach in the Maldives or in an office in London; it’s largely irrelevant, unless working hours and time zones are decision criteria...

This same fundamental change to the business process of security research will likely be extended to the intelligence feeds powering security technology, such as anti-virus engines, intrusion detection systems, and code review scanners. BPM software will be able to facilitate new business models, microchunking business processes to deliver the end solution faster, better, or more cheaply. This is potentially a major paradigm shift in many of the security technologies we have come to accept, decoupling the content from the delivery mechanism. In the future, thanks to BPM software, security analysts will be able to select the best anti-virus engine and the best analysis feed to fuel it — but they will probably not come from the same vendor.


Again, this is so detached from reality, I am curious how anyone could think this is possible. Mark works for Microsoft. Would you ever imagine Microsoft pivoting on a dime to "select the best anti-virus engine and the best analysis feed" -- or would they stick to their own product, because it's their own product? What about your company -- have you witnessed the organizational inertia associated with any IT product or system?

How about trust factors? What if "the best guy in the world at hacking system X or understanding language Y" works in a country with a reputation for industrial espionage? What if that guy was just hired by a competitor, or is working for a competitor now? How long does it take outside help to become familiar with the aspects of your business that eventually determine success? There's a reason why companies are not collections of free agents working independently.

Mark's last section discusses social networking for the security industry, arguing that people should share what they know. There are indeed certain collaborative forums where this works, but you are seldom if ever going to find any serious company telling other companies how their security defenses work, how they fail, and what is lost as a result of that failure. Individual collaboration occurs, but there could be severe consequences for a security staff member who unloads specific technical security information to a social network. The most productive associations that currently exist are found in certain private mailing lists, associations of peer companies that sign mutual nondisclosure agreements, and individual exchanges among peers.

Mark is a smart guy, but I think his prognosis for the security industry in his Beautiful Security chapter is largely incomplete and unrealistic.


Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

Tuesday, September 16, 2008

On Breakership

Last week Mark Curphey asked Are You a Builder or a Breaker. Even today at RAID 2008, the issue of learning or teaching offensive techniques ("breakership") was mentioned. I addressed the same issue a few months ago in Response to Is Vulnerability Research Ethical.

Mark channels the building architecture theme by mentioning Frank Lloyd Wright. I recommend reading my previous post for comprehensive thoughts, but I'd like to add one other component. Two years ago I wrote Digital Security Lessons from Ice Hockey, where I made a case for defenders to develop offensive skills in order to be "well-rounded." Why is that? Turning to the building architecture idea Mark mentioned, why don't classical architects learn "offense," i.e., why aren't they "well-rounded"?

It turns out that classical architects do learn some "offense," except they limit themselves to the natural physics of their space and focus less on what an intelligent adversary might do. In other words, architects learn about various forces and the limits of their building materials, but usually not how to design a building that could withstand a Tomahawk Land Attack Missile (TLAM). Of course there are a very few people who do learn how to design structures that can withstand TLAMs, but most architects do not.

Digital architects are waking up to the fact that they face the equivalent of digital TLAMs constantly. Any system that is connected to the Internet, or could be connected to the Internet one day, is vulnerable to digital TLAMs. Therefore, digital architects need to know how these weapons work so they can better build their systems.

It turns out that classical architects must also learn something about intelligent adversaries, especially as the terrorism threat occupies greater mindshare and drives building codes. Mindshare can be transitory, but building codes are persistent. Even if we build mindshare or attention to security issues in the digital space, we still lack a "building code." That means we will probably remain vulnerable.

Friday, May 23, 2008

Response to Is Vulnerability Research Ethical?

One of my favorite sections in Information Security Magazine is the "face-off" between Bruce Schneier and Marcus Ranum. Often they agree, but offer different looks at the same issue. In the latest story, Face-Off: Is vulnerability research ethical?, they are clearly on different sides of the equation.

Bruce sees value in vulnerability research, because he believes that the ability to break a system is a precondition for designing a more secure system:

[W]hen someone shows me a security design by someone I don't know, my first question is, "What has the designer broken?" Anyone can design a security system that he cannot break. So when someone announces, "Here's my security system, and I can't break it," your first reaction should be, "Who are you?" If he's someone who has broken dozens of similar systems, his system is worth looking at. If he's never broken anything, the chance is zero that it will be any good.

This is a classic cryptographic mindset. To a certain degree I could agree with it. From my own Network Security Monitoring (NSM) perspective, a problem I might encounter is the discovery of covert channels. If I don't understand how to evade my own monitoring mechanisms, how am I going to discover when an intruder is taking that action? However, I don't think being a ninja "breaker" makes one a ninja "builder." My "fourth Wise Man," Dr Gene Spafford, agrees in his post What Did You Really Expect?:

[S]omeone with a history of breaking into systems, who had “reformed” and acted as a security consultant, was arrested for new criminal behavior...

Firms that hire “reformed” hackers to audit or guard their systems are not acting prudently any more than if they hired a “reformed” pedophile to babysit their kids. First of all, the ability to hack into a system involves a skill set that is not identical to that required to design a secure system or to perform an audit. Considering how weak many systems are, and how many attack tools are available, “hackers” have not necessarily been particularly skilled. (The same is true of “experts” who discover attacks and weaknesses in existing systems and then publish exploits, by the way — that behavior does not establish the bona fides for real expertise. If anything, it establishes a disregard for the community it endangers.)

More importantly, people who demonstrate a questionable level of trustworthiness and judgement at any point by committing criminal acts present a risk later on...
(emphasis added)

So, in some ways I agree with Bruce, but I think Gene's argument carries more weight. Read his whole post for more.

Marcus' take is different, and I find one of his arguments particularly compelling:

Bruce argues that searching out vulnerabilities and exposing them is going to help improve the quality of software, but it obviously has not--the last 20 years of software development (don't call it "engineering," please!) absolutely refutes this position...

The biggest mistake people make about the vulnerability game is falling for the ideology that "exposing the problem will help." I can prove to you how wrong that is, simply by pointing to Web 2.0 as an example.

Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not! It can't even be said to have a "design." If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening...

If Bruce's argument is that vulnerability "research" helps teach us how to make better software, it would carry some weight if software were getting better rather than more expensive and complex. In fact, the latter is happening--and it scares me.
(emphasis added)

I agree with 95% of this argument. The 5% I would change is that identifying vulnerabilities addresses problems in already shipped code. I think history has demonstrated that products ship with vulnerabilities and always will, and that the vast majority of developers lack the will, skill, resources, business environment, and/or incentives to learn from the past.

Marcus unintentionally demonstrates that analog security is threat-centric (i.e., the real world focuses on threats), not vulnerability-centric, because vulnerability-centric security perpetually fails.