(no subject)

From: "Lohkee" <lohkee@worldnet.att.net>
Date: Fri, 12 Jul 2002 02:13:40 GMT

Computer Security Revisited (draft/preview)
Copyright (c) 2002 by Lohkee!
All Rights Reserved

The United States Government has the financial muscle to purchase the best
security in the world and spends hundreds of millions of dollars on an army
of professional security consultants and state of the art technology each
year to prove it. In spite of this, many of its premier three letter
agencies have been repeatedly penetrated by school children with too much
time on their hands who are either unaware of, or unimpressed by, the
enormous amount of money being spent to keep them out. In one of the more
incongruous instances of Internet vandalism, the official website and
several servers belonging to the United States General Accounting Office
were successfully attacked by a group of electronic graffiti artists.
Evidently, the people who routinely audit computer security in other
government agencies had some real difficulties when it came to securing
their own Internet-connected systems. The private sector has fared no
better. The System Administration Networking and Security (SANS) Institute
bills itself as a cooperative research and education organization comprised
of more than 156,000 systems administrators, auditors, and security
professionals that are dedicated to sharing information and finding
solutions to network security problems. SANS also provides high-end
technical training in the field of information systems security and issues
certificates of professional competency to those who can afford to pay the
price and meet their standards. With all of this combined expertise you
would think that they could do a little better than most when it comes to
creating and maintaining a secure website. Apparently not; their system was
penetrated by an individual who, adding insult to injury, replaced the SANS
homepage with one of his own design that rather prominently displayed the
question "would you really trust these guys to teach you computer security?"
A very interesting question in an industry where image is everything and all
anyone really has to offer is his or her credibility. Perhaps a better
question would have been "How much are you willing to pay these guys to show
you how to secure your web-site when they obviously have not yet figured out
how to secure their own?" The SANS institute, by the way, is by no means
the only professional security organization to have been successfully
attacked and publicly humiliated.

I have performed numerous risk analyses and penetration tests during the
past twenty years in a variety of environments, and yet, the final reports
may as well have been carbon copies of each other. It is not so much that
each system had a particular flaw; it is that they all had the same flaws!
They were unable to control access to sensitive information and other
critical resources in accordance with their organization's stated policy, or
to properly identify and hold users accountable for their actions while on
the system. And yet, with very few exceptions:

· The organization had a comprehensive security policy in place.

· The organization had made a substantial financial investment in their
information systems security program.

· The technology needed to mitigate (or altogether eliminate) the identified
vulnerabilities was in place at the time of the test. It was either not
being used to its full potential or, more often the case, not being used at
all.

· There was no readily identifiable business reason, such as the inability
of a mission critical application to run in a more restrictive environment,
for not using the available technology.

One of the more remarkable similarities was that management at all levels
within these various organizations had routinely taken the somewhat bizarre
step of actively participating in the undermining of their own directives!
It makes little sense to spend a lot of money on very expensive locks for
hundreds of doors if you are then going to turn around and tell people not
to lock those doors. Like a bad joke, it can also blow up in your face:
"All of the directors are feeling absolutely gutted since we have all spent
nearly six years building this company and its reputation only to see it
destroyed by a brazen act of cyber terrorism, at this moment we can think of
no words to express our true feelings." A company dies and jobs are lost
after a devastating attack via the Internet by an unknown assailant in
January of 2002. They gambled on quantity versus quality and lost!

Organizations, both in the public and private sectors, spend hundreds of
millions of dollars each year on information systems security and yet,
despite being a fairly straightforward task, it continues to remain an
elusive destination. There were over 22,000 successful attacks documented
during 2001, many involving high profile companies, some involving the loss
of very sensitive information, all involving public humiliation and the loss
of credibility.

How can so many people, from so many different environments, with so much to
lose, screw up something so inherently simple, so consistently?

Most of the people now working in the technology sector (ages 18 to 45) have
literally grown up in a never-ending cycle of software upgrades that has
effectively programmed them to take for granted the ever-growing capability
and connectivity provided by their personal computers, regardless of whether
they actually need or ever use it. The personal computer has replaced the
dumb terminal of yesterday as the workstation of choice in most
organizations, and with this new technology, has come a change in attitudes
and expectations regarding the concept of what a workstation is, and how it
should work. People have come to expect, and in some cases even demand, the
same capabilities from their workstation as they do from their home
computer. Many now seem to feel that they have some kind of a
"constitutional right" to conduct personal business using the company
network while on their breaks. This extremely dangerous mind-set is
prevalent from the boardroom on down within many organizations and the
professional security community is no exception. At least one government
official responsible for security has implemented a policy allowing the
employees of his agency to use their workstations for sending e-mail or to
conduct personal business via the Internet while on break. He has basically
told every attacker on the planet that may be interested how to best gather
intelligence and launch a successful attack against his organization. This
same executive has developed and currently teaches graduate-level courses on
information systems security! Sigh! These attitudes are the Achilles heel
of our electronic infrastructure and the bad guys are well aware of it. It
is, after all, what has enabled them to consistently and effortlessly stay
one step ahead of the professional security industry for so many years.
Alarmist? As a nation, we have repeatedly proven ourselves incapable of
preventing a haphazard group of relatively untrained children from
penetrating our networks or wreaking havoc with poorly written computer
viruses. What will happen when our adversary is a tightly coordinated group
of highly trained professionals with some kind of an agenda and the funding
to back them up?

Many of the people working in security today, certified or not, are
incompetent for no other reason than they are operating under the same basic
paradigm as those whom they are trying to protect, which is: "That which is
not explicitly prohibited shall be systematically permitted." The most
fundamental principle of security is exactly the opposite: "That which is
not explicitly permitted shall be systematically denied." Operating under
the same paradigms as those you are trying to defend has long been
recognized as a generally fatal error in any type of protection business.
Unfortunately this very elementary but very dangerous mistake has spread
throughout the security community. An analysis of any of the numerous
security configuration guides found on the Internet (many of which can be
found on sites run by NIST, NSA, and NIPC) will reveal that most fall victim
to, and in turn propagate, this grave mistake. The problem is that many of
today's security analysts use the term "workstation" but can see only a
personal computer, and in the process, overlook the obvious. They have a
very good command of the industry jargon but have yet to grasp the most
fundamental concepts of security, or how to apply them.

It is not at all difficult to understand how this may have come about. Ten
years ago experienced professional security analysts were a very rare
species indeed. Most of us had obscure jobs in the financial or
intelligence communities and remained largely unknown to all but a few of
our colleagues. With the explosion of personal computers in the business
environment came the inevitable attacks and need to deal with numerous
thorny issues that no one had taken the time to consider beforehand. A
lucrative new market came into being. Almost overnight there were literally
thousands of so-called "professional" security analysts and experts. Most
were essentially self-proclaimed with no security specific training or
experience. Many were grossly incompetent and offered dangerous advice.
Some became consultants. A few became writers. By right of being "first on
the scene" they became the gurus who taught those that followed. The
resulting cancer has spread like wildfire.

How can so many people, from so many different environments, with so much to
lose, screw up something so inherently simple, so consistently?

The commonly accepted foundation upon which they are all attempting to
implement security is fundamentally flawed! They keep trying to create a
secure environment while at the same time refusing to let go of the wide
open anything goes atmosphere they are all so familiar with and have come to
take for granted. One is the antithesis of the other, making it a foregone
conclusion that trying to achieve both is never going to work.
Unfortunately, as long as they insist on trying to merge two diametrically
opposed ideas, organizations will be forced to suffer the considerable
trouble and expense of building (and then constantly renovating) security
infrastructures that are essentially destined by their very design to fail
just when they are needed the most! It is that simple.

It doesn't take a genius to figure out that many within the professional
security community are going to strongly disagree with the ideas I have
presented thus far. Dare I say they might attack me with the ferocity of a
rabid dog? Be that as it may, they are still stuck with the undeniable fact
that, despite billions of dollars and their very best efforts, they remain
unable to prevent bored school children from circumventing their defenses or
to stop poorly written viruses from wreaking havoc with their systems! If
you are paying a bodyguard to protect you, and you keep getting an ass
whipping whenever you step outside, at some point you have got to start
asking yourself what exactly it is that you are paying for.

So what do you do when some unknown idiot like myself comes along and starts
babbling excitedly about the world not really being flat after all?

They say that one test is worth a thousand expert opinions. The first
chapter of this book is just such a test, the purpose of which is to
confirm or deny the presence of what can only be considered glaring
vulnerabilities within the context of a secure environment. Simply stated,
we are looking for vulnerabilities that are so obvious, and their impact so
profound, it is incomprehensible they could have been overlooked by anyone
even marginally competent with the most rudimentary principles of computer
security, and certainly not by anyone claiming to be an expert. I sincerely
hope you pass this test but I predict that you will fail miserably. You
will not fail because your operating system has a few buffer overflows
embedded in the code or because some programmer has come up with a unique
way of formatting an HTML request. You will fail because Personal Computer
Mentality has prevented you from configuring your system in a manner
consistent with the most fundamental principles of security.

Lohkee!
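
The default-deny rule stated in the post above ("that which is not
explicitly permitted shall be systematically denied"), as an added
illustration that is not part of Lohkee's text: a small policy evaluator
run over a constructed rule set and constructed requests. The rule table,
subject names and resource paths are hypothetical. The same written policy
is evaluated twice, once with a default-allow fall-through and once with
default-deny, to show which requests the policy never anticipated slip
through in the first case and are stopped in the second; an explicit deny
rule overrides an explicit allow in both.

```python
"""Default-allow versus default-deny evaluation of the same written policy.

Added illustration, not code from the original post. Every rule, subject,
action and resource below is constructed for the example and hypothetical.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    subject: str    # user or group name; shell-style glob allowed
    action: str     # "read", "write", "connect", ...
    resource: str   # path or host:port; shell-style glob allowed
    effect: str     # "allow" or "deny"


@dataclass(frozen=True)
class Request:
    subject: str
    action: str
    resource: str


def _matches(rule: Rule, req: Request) -> bool:
    return (fnmatchcase(req.subject, rule.subject)
            and rule.action == req.action
            and fnmatchcase(req.resource, rule.resource))


def evaluate(rules: List[Rule], req: Request, default: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one request.

    An explicit deny beats an explicit allow. A request that no rule covers
    falls through to `default`; that single choice is the whole difference
    between the two postures the post contrasts.
    """
    matched = [r for r in rules if _matches(r, req)]
    if any(r.effect == "deny" for r in matched):
        return "deny", "explicit deny"
    if any(r.effect == "allow" for r in matched):
        return "allow", "explicit allow"
    return default, f"no matching rule; default-{default}"


# Constructed policy: the access the organisation's written policy intends.
POLICY = [
    Rule("payroll-*", "read",    "/finance/payroll/*",          "allow"),
    Rule("payroll-*", "write",   "/finance/payroll/*",          "allow"),
    Rule("*",         "read",    "/public/*",                   "allow"),
    Rule("*",         "connect", "intranet.example:443",        "allow"),
    Rule("*",         "write",   "/finance/payroll/audit.log",  "deny"),
]

# Constructed requests. The last three are ones the policy says nothing about.
REQUESTS = [
    Request("payroll-alice", "read",    "/finance/payroll/2002-q2.xls"),
    Request("payroll-alice", "write",   "/finance/payroll/audit.log"),
    Request("eng-bob",       "read",    "/finance/payroll/2002-q2.xls"),
    Request("eng-bob",       "connect", "webmail.example.net:80"),
    Request("eng-bob",       "write",   "/public/downloads/setup.exe"),
]


def decisions(default: str) -> List[Tuple[Request, str, str]]:
    """Evaluate every constructed request under the given default posture."""
    return [(req, *evaluate(POLICY, req, default)) for req in REQUESTS]


def unanticipated_allowed(default: str) -> List[Request]:
    """Requests no rule covers that the given default nevertheless lets through."""
    return [req for req, verdict, reason in decisions(default)
            if verdict == "allow" and reason.startswith("no matching rule")]


if __name__ == "__main__":
    for default in ("allow", "deny"):
        print(f"--- default-{default}: {len(unanticipated_allowed(default))} "
              "uncovered request(s) permitted ---")
        for req, verdict, reason in decisions(default):
            print(f"{verdict:5} {req.subject:14} {req.action:8} "
                  f"{req.resource:32} ({reason})")
```

Run it directly to print the verdict table for both postures. Under
default-allow the three requests the policy never mentions (an engineer
reading payroll, a workstation connecting to an outside webmail host, a
write into the public share) all go through; under default-deny none do,
and the explicitly denied write to the audit log is refused either way.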


