December 31, 2003

The Crock^H^H^H^H^H Art of Intrusion

Information security professionals sometimes are looked upon as soothsayers of the digital divide. Typically the outside world cannot fathom what we do, and how we do it. There are many examples I can give you to illustrate this, but the point is that many times we are misunderstood. Newer people to the infosec world love to try to use FUD (fear, uncertainty and doubt) to push their points home. This is normal, and it can be outgrown if the professional actually spends any real time in the field and realizes that information security is about mitigating risks, not eliminating them. The problem exists when these people get their "learning" from books written by witty hackers of the past. If you are a Kevin Mitnick or Adrian Lamo fan, you probably are not going to want to read any further.

Still with me? Good.

The problem I speak of is wearing blinders and thinking that modelling yourself after self-professed crackers is a GOOD thing. These guys have actually stated that they had good intentions when they were breaching systems. They did it for curiosity's sake and meant to cause no real damage. People like Lamo have had WorldCom, SecurityFocus and TechTV giving him praise for his efforts and promoting him as an expert. Mitnick has already written a book about his social engineering skills in The Art of Deception, regularly speaks at security conferences and has started his own company. Although I cannot deny these gentlemen have great skills, promoting yourself as an information security professional because you can relate to them is a CROCK. Security is not a game. You will not become a respectable information security professional by 'doing a righteous hack' or simply reading a single book like Hacking Exposed or Mitnick's next one, called The Art of Intrusion. Which gets me to the reason for my post.

The Register posted a good article about Mitnick calling out to the hacking community looking for good stories to add to his book on the art of intrusion. For $500, you too can be published. *snicker* This is just dumb thinking. Profiling your attacker is one of the first logical steps when evaluating the threats you are susceptible to, and what risks you need to mitigate. What keeps me up late at night is not the nuisance from egotistical script kiddies that want glory in a book from Mitnick, or a few minutes on TechTV with Leo Laporte. It's the professional hacker that is going to use these new blended threats we are seeing in the real world to cause real information theft or maybe terrorism on our critical infrastructure. It's the insider attack from a disgruntled employee that will bring an entire corporation to its knees, or perhaps destabilize parts of the economy. blah blah blah. You get my point. You see, the real hacker (evil intruder connotation here) isn't going to tell you about his exploits. He doesn't get caught. He treats the digital domain as a field of espionage and respects the boundaries that he plays in. (Although I use the term respect loosely here.)

This is no better than the security vendors who offer money in contests to breach their new whiz-bang device. The reality is there is nothing wrong with vulnerability assessment, but this is not the way to go about it. A professional hacker isn't going to waste his time breaching your system to gain a quick buck. If he has any real intent, it will be to make big money later if someone installs your new device in a real environment where the target is unaware, and has information resources worth something to the attacker. Typically this sort of 'we are unhackable' attitude comes from inexperienced vendors and professionals that are not seasoned in how the attack will work... and who will typically have very little real-world experience.

So what am I trying to say?

Well, if you want to be an information security professional, don't model yourself after these guys. Feel free to read and learn from some of their experiences, but put it into context. Misguided in their pursuits, what they did was ILLEGAL. It was UNETHICAL. And it was WRONG. They used the guise of 'curiosity' to shield them from the very fact that they were TRESPASSING. The consequences of their actions had DAMAGING after-effects on the target, whether they knew it or not. There were REAL COSTS associated with having to deal with the cleanup of the incidents, and the time associated with the evaluation and analysis of what these attackers did. Worst of all, they continue to promote the action as something good for the security industry, when IT IS NOT.

There was a good analogy that Lawrence Walsh wrote about in an Information Security magazine article a few months back about Lamo that I thought was bang on: You see an opulent house with many ornate windows and doors. Out of curiosity, you try to enter. By chance, you have a ladder and find an unlocked window on the second floor. From Lamo's perspective, it's completely acceptable to enter, rearrange the furniture and make a few long-distance phone calls, so long as you tell the owner how you did it.

That thinking is WRONG. They undermine everything an information security professional should stand for, and it's right that they be prosecuted to the fullest extent of the law. I wouldn't put much faith in 'war stories' sought out with small amounts of money from the hacking community either. The quality of the information about the attack is just not there.

Posted by SilverStr at December 31, 2003 02:54 PM

Comments
Excellent article, but you may want to check this link you have in the paragraph starting "This is just dumb thinking. Profiling your attacker is one ..." (feel free to delete this comment when corrected)

Thanks for pointing out the broken link!
Posted by: SilverStr at December 31, 2003 06:28 PM

Brava! And the hard part is getting these points across to management.
Posted by: joat at December 31, 2003 07:02 PM

This dovetails with my thinking about pen-testing. It seems like there is an over-reliance on "breaking in" as a means of proving something, yet in most situations all it proves was that it was possible. We already know that 100% security is impossible, so the successful hack only proved what is already known. Far more important is: what mitigation measures did we take, were they appropriate, did we detect the intrusion, and did we respond appropriately?
Posted by: Randy Bias at January 3, 2004 11:34 AM

Randy, you bring up a good point. Absolute security is a myth. This aligns well with why my thinking on the 8 rules of Information Security works so well. Risk mitigation is about putting enough safeguards in to repel the threats we wish to mitigate, while always having the ability to audit against scenarios we don't yet know about. But what a pen-test can do for us efficiently is test given countermeasures and ensure they work as implemented. A proper pen-test should be able to answer whether we could detect the intrusion, and whether the safeguard was appropriate (did we stop it or not?). 'Black bag' type intrusion testing even allows us to see if IT staff will respond correctly once breached... assuming that the scenario is caught. Part of the problem is that many a book uses the pen-test as the only way to test the safeguards... which isn't enough. It's only one piece of the puzzle. I only wish books would state that better... since most 'book-learned' infosec people miss that.
Posted by: SilverStr at January 3, 2004 01:17 PM

I have come across this conversation a lot in the past 8 weeks. I think (correct me here) that this is the year that (most) people realize:
1. Security is a Myth
Seems over time the grand collective assimilates facts into common sense over the years. These days it would be a little silly in enterprise circles to advocate using virus software (those not using it today will never get it). It is a fact that is assimilated now, but wasn't several years ago. A must read, for those who haven't read it yet, is "Fear Factor".

Just finally came back and checked the follow-up comments. I agree wholeheartedly. 2004 is probably the year this clue is understood. To wander off topic... With regards to the book-learned infosec people, I think there is a more general problem that we're seeing now that security is more broadly understood. You've essentially nailed it on the head. It's an over-reliance on book knowledge and standards to do the work for us. I think some folks forget that the whole "security" (hacker, cracker, whatever you want to call it) mentality requires critical thinking and analysis. You can't perform risk management by rote. I wrote a long article about information security policies trying to address this. If you run out and build your corp security policy on CoBIT or BS7799/ISO17799 it may be "more complete," but outside of your security organization it won't be understood by the very people who need to comply. This reminds me of the old maxim: The right tool for the job. It's the same for any kind of infosec work. Use what is appropriate for the actual requirements. Since 100% security can't be achieved, let's work on achieving 80% of the right security for the requirements at hand.
Posted by: Randy Bias at January 13, 2004 06:32 PM