Monday, March 19, 2007

there's more to security than just prevention

thanks to richard bejtlich for drawing my attention to this (because i find dark reading to be impenetrably dull)...

it appears that joanna rutkowska is trying to get the message across that there's more to security than prevention, that there's always some way around preventative measures and so you have to worry about detection as well... i can't pass up the two-fold irony here... first, joanna became a household name in security precisely because of her claim to have made 100% undetectable malware, which, if true, would mean that focusing on detection is wasted effort... second, and regarding the same claim, her undetectable malware is implicitly preventing detection... if she wants to bang the drum of no perfect prevention then more power to her, but she's going to need to eat her own dog food, as the saying goes...

richard echoes her sentiments, and although there's a really good reason for all the focus on prevention (come on, say it with me now, an ounce of prevention is worth a pound of cure) i'll chime in with my own support for them too... security doesn't start and end with prevention (well, it might start there, but it definitely doesn't end there)... all preventative measures fail under some circumstances, so it becomes important to try to detect preventative failures... i've written about the limits of prevention in an anti-virus context before (what i wrote applies equally well outside of the malware field) and when i did i made it clear that security doesn't end with detection either... it's all well and fine to detect a preventative failure, but then what?... after detection comes remediation - when you've discovered that your attempts to prevent bad things from happening have failed, you need to remedy the situation... in security one will often hear of the CIA triad; confidentiality, integrity, and availability are all things that security aims to maintain... well, prevention, detection, and remediation form a triad too - they're the stages one goes through in the process of trying to protect something...

at this point you might be thinking that if security doesn't end with prevention and it doesn't end with detection then it must end with remediation, because there aren't any elements left in this triad... one would be wrong in thinking that, however... remediation feeds back into prevention - since you don't want to have to keep applying the remedy over and over again, you need to augment the preventative measures to help prevent what you failed to prevent before... prevention, detection, and remediation are a three-stage cycle; they keep going indefinitely, and each pass through the cycle makes security a little bit better/stronger...

4 comments:

Anonymous said...

Do the comments in this post apply to mathematically complete and closed systems Kurt?

kurt wismer said...

i'm going to have to admit to not knowing enough about mathematically complete and closed systems to know for sure, but i strongly suspect that they do...

prevention, detection, and remediation don't just apply to anti-malware security or computer security, they apply to physical security and really any other protective effort i can think of...

so long as perfect prevention is impossible (and i have difficulty imagining any situation where truly perfect protection isn't impossible) then you need to complement it with detection of preventative failures and remediation...

Anton Chuvakin said...

I am sorry, but how is it not obvious that "there is more to sec than prevention"?

kurt wismer said...

@dr anton chuvakin

y'know, i'm not really sure how it's not obvious, i just know that it does seem to need to be said...

to me (and i guess to you too) it seems obvious that there can be no perfect prevention so more than just prevention is called for, but it's also fairly clear that a lot of people expect to be able to prevent all bad or otherwise unwanted things...