FW: Preliminary Lessons and Thoughts
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 09/21/01
Message-ID: <E9A01F52DC939448BBDE44ED2E1C468F1F1658@muskie.rc.on.ca> Date: Fri, 21 Sep 2001 16:27:40 -0400 From: Russ <Russ.Cooper@RC.ON.CA> Subject: FW: Preliminary Lessons and Thoughts To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
An insightful message I received from my good friend Bill Murray. Without
inferring he's aged, he's been around forever and his experience and
observations are well worth considering by anyone who thinks they know
security.
--- From: William Hugh Murray [mailto:whmurray@sprynet.com] Sent: Friday, September 21, 2001 10:42 AM Subject: Preliminary Lessons and Thoughts
Preliminary lessons:
We have an incredibly determined adversary. He is willing to lay down his life in his cause. While his resources are adequate to his plan, they are not unlimited, not those of a nation state. He can be expected to hit very hard but sparsely.
His modus operandi, not to say his objective, is to sow fear, uncertainty, and doubt.
Our adversary is an uncommon criminal, not a nation state. He may well have been armed and trained by nation states, including us, but has no loyalty to such states. He does not fear retaliation; he leaves behind no hostages to fortune or war. Indeed, he intends to provoke his victims into irrational and self-destructive behavior.
Traditional intelligence gathering and analysis techniques, e.g., SIGINT, Echelon, spies, used against nation states, will not work against him. He is far more likely to be vulnerable to those techniques, e.g., paid informants and large public rewards, used against common criminals.
When we respond by inefficient security, our adversary wins. For example, if we cripple our air travel industry with expensive, if ineffective, security measures, he wins. Note that in the current situation we are responding by tightening security over means, i.e., air transport, rather than targets, i.e., concentrations of people.
The network is not likely to be high on his list of targets. It is far more likely to be high on his list of means. He will use it to communicate, cooperate, and coordinate. He may use it to attack such targets as power plants, transportation, and financial services.
Fundamental security principles may serve us well. For example, classify targets; ensure that sensitive targets get necessary security while ensuring that expensive measures are reserved only for the targets that require them. Use defense in depth.
Thoughts about Response:
Our job is to deny our adversary the means while preserving the use of the net to ourselves.
In situations like this one, it is often easier to recognize one's friends than one's enemies. Historically we have authenticated our friends only as they approached the application. Defense in depth says that we must authenticate both end-to-end and at the edge.
Similarly, traffic between parties known to one another is safer than scans, probes, and spam. This kind of traffic must be resisted as close to the source as possible. [Can you say secureIP. It is an idea whose time has come.]
We must authenticate both the user and the device. [Give IP addresses only to devices whose MAC addresses are recognized.]
Those who provide edge access to large numbers of users must take responsibility and accountability for those users. For example, AOL does a much better job than other ISPs, universities, and enterprises. AOL can do better; others must do much better.
Edge authentication suggests edge accountability. (I much prefer to have events and traffic recorded at the edge, for an agreed upon length of time, by a contractor for the user, than to have government surveillance of all traffic in the middle.)
Securing the means implies that firewalls must resist the flow of attack traffic in BOTH directions. [Trying to resist CodeRed and its variants exclusively by patching the targets has proved futile.]
Much of the attack traffic in the network is hidden in other traffic; we must resist the flow of those objects which are used to hide other objects. Read "attachments." Whether or not we use them, we must have controls in place that permit us to quarantine any and all incoming traffic.
We must take signalling and control out of band. [IT is the only infrastructure technology in the world that puts controls intended for the exclusive use of the managers of the infrastructure right next to those intended for users. Permitting managers to logon on the same media, interface (NIC), and in the same codes as application users is the moral equivalent of remoting the autopilot of the 747 to every entertainment console in the plane.]
The events of the last year demonstrate that we are adding necessary controls late and sparsely. For example, DoS attacks demonstrate the need for upstream controls. Such controls need to be standard.
These things do not seem as extreme this week as they did at the beginning of last week. Nobody promised you that securing the network would be easy.
William Hugh Murray, CISSP ---
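The point Murray makes about firewalls resisting attack traffic in both directions (and, implicitly, about CodeRed-style propagation from already-infected hosts) can be seen concretely with a small policy evaluator. The following is an added example written for this archive page, not code from either message or from any product named on the page. It models first-match firewall semantics in a simplified form, uses constructed RFC 5737 documentation addresses and a constructed 10.0.0.0/8 internal range, and compares a typical inbound-only edge policy against one that also constrains outbound traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed internal range for the example; a real site substitutes its own.
INTERNAL = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str              # "in" (toward INTERNAL) or "out" (from INTERNAL)
    action: str                 # "allow" or "deny"
    dport: Optional[int] = None
    src_net: Optional[str] = None


def direction_of(flow: Flow) -> str:
    """Classify a flow relative to the edge: inbound, outbound, or not crossing it."""
    src_in = ip_address(flow.src) in INTERNAL
    dst_in = ip_address(flow.dst) in INTERNAL
    if src_in and not dst_in:
        return "out"
    if dst_in and not src_in:
        return "in"
    return "local"  # both ends on the same side; this edge does not see it


def evaluate(rules, defaults, flow: Flow) -> str:
    """First matching rule wins; `defaults` maps a direction to its fallback action."""
    d = direction_of(flow)
    for r in rules:
        if r.direction != d:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        if r.src_net is not None and ip_address(flow.src) not in ip_network(r.src_net):
            continue
        return r.action
    return defaults.get(d, "deny")


# Policy A: inbound filtered, outbound wide open (the common edge of the period).
INBOUND_ONLY = (
    [Rule("in", "allow", dport=80)],            # public web server
    {"in": "deny", "out": "allow"},
)

# Policy B: the same inbound rules, plus outbound traffic limited to known relays.
BIDIRECTIONAL = (
    [
        Rule("in", "allow", dport=80),
        Rule("out", "allow", dport=80, src_net="10.0.0.5/32"),    # web proxy only
        Rule("out", "allow", dport=443, src_net="10.0.0.5/32"),
        Rule("out", "allow", dport=53, src_net="10.0.0.53/32"),   # internal resolver only
    ],
    {"in": "deny", "out": "deny"},
)

# Constructed sample flows. 10.0.1.10 is the public web server; if it were
# infected by an HTTP-propagating worm it would start probing outward on port 80.
SAMPLE_FLOWS = [
    Flow("198.51.100.20", "10.0.1.10", 80),    # legitimate inbound web request
    Flow("198.51.100.20", "10.0.1.10", 445),   # inbound SMB probe
    Flow("10.0.1.10", "203.0.113.7", 80),      # web server probing outward on 80
    Flow("10.0.0.5", "203.0.113.7", 443),      # proxy fetching on behalf of users
    Flow("10.0.1.10", "203.0.113.7", 6667),    # web server opening an unexpected outbound port
]


def audit(flows):
    """Flows the bidirectional policy stops that the inbound-only policy lets through."""
    leaked = []
    for f in flows:
        if evaluate(*INBOUND_ONLY, f) == "allow" and evaluate(*BIDIRECTIONAL, f) == "deny":
            leaked.append(f)
    return leaked


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src:>15} -> {f.dst:>15}:{f.dport:<5} "
              f"inbound-only={evaluate(*INBOUND_ONLY, f):5} "
              f"bidirectional={evaluate(*BIDIRECTIONAL, f)}")
    print("stopped only by outbound rules:", len(audit(SAMPLE_FLOWS)))
```

Both policies treat the two inbound flows identically, which is the part most sites already had. The difference appears only in the outbound direction: under the inbound-only policy the infected web server's probes leave the network unhindered, which is exactly the situation in which patching every target is the sole remaining control. Restricting outbound traffic to the hosts that legitimately need it stops those probes at the edge and, as a side effect, produces a log of internal hosts trying to talk out on ports they should not, which is a useful compromise indicator in its own right.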