Wednesday, December 05, 2007

why X is insecure - and probably always will be

about 2 weeks ago (old i know) you may have come across these two articles (by drazen drazic and lonervamp respectively) about why businesses are insecure (the 7 reasons why businesses are insecure and more reasons why businesses are insecure)...

i'm sure they're very good business reasons for why businesses are insecure, but i'm also sure that a business that addressed all of these problems would still be insecure for reasons that have nothing to do with that business or businesses in general or business security in general...

the fact is there's a technical reason why virtually any non-trivial thing (of which anything computer related would definitely fall under) we'd want to secure is almost certainly not secure and probably never will be... i'm not talking about the fact that there is no such thing as secure, rather i'm talking about the asymmetric relationship between attack and defense... if you're trying to defend something you have to try to defend it from all possible attacks, but if you're trying to attack something you only need to find one successful attack vector...

clearly defense takes a lot more work and that's a problem, but it's not clear that we can ever really change that... if we were going to try to change it, though, how would we go about it? the two obvious answers are: 1) make defense easier (presumably by reducing the amount of possible attacks we need to defend against), or 2) make finding that one successful attack vector harder...

making defense easier sounds good but it's easier said than done... sun tzu talked about this very thing when he said that one should force the enemy to engage in an environment of one's own choosing and thus choose what one has to defend and what the enemy can attack (art of war, part 6: weak points and strong)... now you might be tempted to limit the scope of your analysis to an arbitrarily narrow frame of reference (as schneier does here when he refers to cryptography to the exception to the rule of asymmetry between attack and defense) but in reality that doesn't actually get us any closer to our goal of reducing the amount of defenses we need... what we would really need to do is reduce the pool of potential attack vectors, to literally remove things from systems that could be used as an avenue of attack... that means fewer hosts on our networks, less diversity amongst the hosts on our networks (gasp! yes, i said it - diversity is great for minimizing the overall effect a successful attack has on a given population of hosts but it increases the pool of potential attack vectors and so makes compromising assets on the network easier; in essence, what's good for availability may not be so good for confidentiality), fewer services running on those hosts, fewer system components exposed to incoming content (ie. browsers, email clients and other network clients/servers that can do less/have less functionality), less potentially sensitive data stored on those hosts, etc... unfortunately this is completely backwards when viewed through the lens of technological progress, and while minor efforts in this area are no doubt considered beneficial, it would take extreme measures (perhaps even beyond the realm of the realistic given the complexity of modern operating systems) to actually make a significant change in the asymmetry between attack and defense for a system...

making it harder to find that one successful attack vector isn't necessarily a piece of cake either... there's one fairly well known school of thought that posits that reducing the number of vulnerabilities will shrink the pool of potentially successful attack vectors... this school of thought may be right, in a theoretical sense, but in practice it's starting to look like the total number of vulnerabilities is high enough that patching vulnerabilities at the rate we're going right now isn't really having that big an impact on the difficulty of finding a successful attack vector... another well known approach is to devise a system where the attacker has to successfully defeat multiple defenses in order to be successful on the whole... this is, of course, defense in depth... naively one might think this could put attacker and defender on more or less equal footing because now not only does the defender have to defend against a large number of possible attacks, the attacker has to breach a large number of possible defenses... unfortunately, there are only so many defenses one can reasonably deploy and, even with all of them deployed, the amount of work an attacker has to do still won't compare to the amount of work required for defense - nevermind the fact that all those defenses carry with them potential vulnerabilities which could themselves be used in an attack...

that said, it isn't necessarily true that we can't use the asymmetry to our benefit... we can, we just can't do it as a defender... richard bejtlich would i'm sure suggest what he likes to call threat-centric security but which, in the context of this post, i'll call offensive security - that is where we (who have things that need defending) go and 'attack' (as in track down, identify, charge, and imprison) those who would attack us... to quote sandi hardmeier:
Also - I have a special warning for the bad guys - you can hide from some of us, but you can't hide from all of us, and you most certainly cannot hide from your victims.
alas, this too is a kind of defense, and although we can turn the asymmetry around for individual cases, to actually protect our systems this way we'd need to go after all potential attackers (which is an unknowable set of people) whereas the attackers realistically only need to worry about the actual organizations/people they attacked (which is a much smaller and more knowable set of people)... ultimately, reducing the pool of attackers is much the same as reducing the pool of vulnerabilities - for each one you remove there's more where that came from...

so there really doesn't seem to be a good way to turn the asymmetry around and make defending easier than attacking... there are things that can improve the situation to some extent but it can be a real balancing act sometimes...

3 comments:

LonerVamp said...

Good post! Kinda feels like normal law enforcement types of security. They're not going to stop everything (vulns) and everyone (threats) nor protect all assets (people and things in an area). It just doesn't happen and never will.

I like Richard's ideas on going after threats, and I think that is a very effective method, but suffers from the "Well, that's great if you have that power, but I don't" and "For every one there's two more..." problems.

Will we ever solve all the vulns? Nope. Will we make defense easier? I wish...at least most of us have some sort of control over this. Sadly, businesses moving foward almost always run counter. Business unit A wants this tool, Business unit B wants this tool, both widely divergent but both justified through business...accepted risks, limited budgets and trained IT staff, and so on. All really makes it difficult to run a clean, streamlined shop.

Makes me sound doom and gloom when I simply think it's realistic. :)

kurt wismer said...

this is all about prevention, of course... i wonder if maybe we shouldn't pay a lot more attention to detecting preventative failures... i think we may actually have the numerical advantage there as (in a classic role reversal) the bad guys have to defend against all possible ways of discovering the compromise while we only have to find one successful method to detect the compromise...

LonerVamp said...

You know, that's an interesting way you put it. I truly do put more emphasis on detection and logging and basically making sure we know as much as we can about our environments. Even weird anomalies can tip an intruder's hand.

I think you're onto something!