Archive for June, 2008

More bugs in security products

Saturday, June 28th, 2008

The recently released bug in Altiris Notification Server allowing privilege escalation echoes a sentiment I’ve held for a long time:

  • Security products, in general, are no less vulnerable to attack than your average piece of software. (Note that this product had a similar vulnerability just a few months previously…)
  • Adding security products increases your install base.
  • Increasing your install base increases your attack surface.

I believe big strides toward a more secure, robust computing environment can be achieved through:

  • Allowing the least required access to the minimum required services
  • Reducing the install base to support least access to least services

If you can’t get those simple things right, don’t bother adding security products on top.

Every additional service (software, protocol, etc) and each additional role compounds your attack surface.

Get down to basics.

Bill

Good article on Windows share + folder NTFS permissions

Friday, June 20th, 2008

How NTFS and share perms work is fragile, and easy to screw up.

Here’s a great article by Derek Melber on how they play together, and some best practices:

http://www.windowsecurity.com/articles/Share-Permissions.html

Bill

Simple, timeless truths of network security

Sunday, June 8th, 2008

The March 15, 2008 SploitCast podcast was recorded at SchmooCon and consisted of a panel discussion including some notables in the InfoSec space: Johnny Long, Rodney Thayer, Simple Nomad, Landon Lewis, Squidly, and Matt Hillman.

Though the entire cast is a must-hear, with an extensive discussion of SCADA and critical infrastructure security, the conversation turned toward practical security in a space where the boundary of the ‘network perimeter’ is rapidly vanishing.

Simple Nomad made the observation that end users don’t, and won’t, care about security.  Paraphrasing, it’s not that they are dumb, or stupid, but that they have different areas of expertise, and security may not be it.

The group agreed that security awareness is important, but it can’t be ‘the fix’.  Users will not become security experts.  Users can, however, be taught basics, such as not clicking on untrusted links in email.

At this point, Johnny Long stepped in.

He stated that awareness is good, and perhaps policy as well, but that when we really boil this security thing down, it reduces to three basic principles:

  1. A server should not be a client
  2. A client should not be a server
  3. Peers should only connect in certain ways

He noted that when a computer changes roles, that’s when we know there’s a problem.

For example, when a laptop gets infected with bot malware and begins phoning home, it starts acting like a server, and that’s the behavior we should be looking for.
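As an added illustration (not from the podcast or this post), here is a small check that applies the three principles above to connection records: a server that initiates connections, a client that accepts them, or a server reached on a service it is not meant to offer gets flagged. Every address, port and flow is constructed, and the role table and allowed-port list are assumptions that a real deployment would fill from its own inventory.

```python
# Added example: a role-conformance check over connection records.
# Every address, port and record below is constructed for illustration.
from collections import namedtuple

# One connection as a flow collector might report it: initiator, responder, port.
Flow = namedtuple("Flow", "src dst dport")

# Hypothetical role assignments; anything not listed is treated as "the Internet".
ROLES = {
    "10.0.1.20": "client",  # staff laptop
    "10.0.1.21": "client",  # staff desktop
    "10.0.2.10": "server",  # file server
    "10.0.2.11": "server",  # mail server
}

# Principle 3, "peers should only connect in certain ways": the services each
# server is allowed to be reached on (assumed values).
ALLOWED_PORTS = {
    "10.0.2.10": {445},
    "10.0.2.11": {25, 143},
}

def role_of(host):
    return ROLES.get(host, "internet")

def check_flow(flow):
    """Return a description of the role violation in one flow, or None if it conforms."""
    src_role, dst_role = role_of(flow.src), role_of(flow.dst)
    if src_role == "server":  # principle 1: a server should not be a client
        return f"{flow.src} (server) initiated a connection to {flow.dst}:{flow.dport}"
    if dst_role == "client":  # principle 2: a client should not be a server
        return f"{flow.dst} (client) accepted a connection from {flow.src} on port {flow.dport}"
    if dst_role == "server" and flow.dport not in ALLOWED_PORTS.get(flow.dst, set()):
        return f"{flow.src} reached server {flow.dst} on unexpected port {flow.dport}"
    return None  # client -> server on an allowed port, or client -> Internet

def find_violations(flows):
    """Run every flow through check_flow and keep the findings."""
    return [v for v in map(check_flow, flows) if v]

# Constructed sample flows: routine traffic plus one violation of each principle.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.2.10", 445),     # laptop reads a file share: fine
    Flow("10.0.1.21", "10.0.2.11", 25),      # desktop sends mail: fine
    Flow("10.0.1.20", "198.51.100.5", 443),  # laptop browsing the Internet: fine
    Flow("10.0.2.10", "203.0.113.7", 443),   # file server calling out: flagged
    Flow("203.0.113.9", "10.0.1.20", 8080),  # laptop answering an inbound connection: flagged
    Flow("10.0.1.21", "10.0.2.10", 3389),    # file server reached on an unexpected port: flagged
]
```

Calling `find_violations(SAMPLE_FLOWS)` returns three findings, one per principle, while the routine client-to-server and client-to-Internet flows pass.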

Important points, and I subscribe to this view of the network.

It doesn’t matter if the device is completely controlled by our IT team, or an iPhone connected inside our network… If it’s a client, it should be acting like a client…

Imagine the simplicity of this view.

Suppose we had the simple tools necessary to determine whether our machines are abiding by their designated roles; what would we then need to ensure about the device?

Do we have to ensure that the box is 100% patched?
Do we have to pay lots of cash for anti-virus, anti-phishing, anti-this and anti-that?
Do we have to make sure that the user has a 100% crack-resistant password?
Do we have to spend countless hours configuring our network to prevent unauthorized hosts?

Perhaps not.

One simple reason: it takes much less time to re-ghost a PC than it does to keep it ‘secure’.

In my organization, for example, we could let the desktops and laptops run free on the Internet.

As long as we know what clients are allowed to do on the network, and what they are not allowed to do, then we are far better off.

Imagine this… Say you have all the latest updates, and anti-virus scanners and whatnot.  Well, do you know you are safe, or do you believe you are safe?

If you believe you are safe, then I’ll be happy to show you how you are wrong.  And if you know you are safe, then I’ll call you ignorant.

Why? Because security degrades over time.  Even the most secure system on earth is only secure until an attacker finds out a new way into the system.

For example, social engineering always works…  Plain and simple, it doesn’t matter how secure the system, if I convince you to reveal the appropriate information, I will own you.

Perhaps I need to ponder this a little more, but it seems logical that we can dramatically simplify our IT infrastructure if we focus on separation of duties in the hardware/software space, and then focus our security dollars on making sure that those roles are being followed.

The old conceptions of the network no longer apply in a space where the network perimeter is porous, or non-existent.  We need to change our thinking to match reality.

Bill

In the end, we are just animals

Sunday, June 8th, 2008

On June 2, CSO Magazine Online published an interview with Bruce Schneier entitled, “The Endless Broadening of Security.”

At one point, Bruce makes the following observation about human behavior.

Making security trade-offs is fundamental to being alive. After figuring out how to eat and reproduce, the next most important thing for a species to figure out is how to avoid predators. So with security such a fundamental driver of brain development, it’s not surprising that very primitive parts of our brain control some of our basic security reflexes. The amygdala, for example, is an ancient part of the human brain that first evolved in primitive fishes. It’s what controls the fight-or-flight response: increased heart rate, increased muscle tension, sweaty palms, and so on. That part of the brain is so fast that when you see a snake, your amygdala starts working even before your conscious brain knows what you’re looking at. You can override your amygdala. That’s part of what makes you uniquely human, and it happens whenever you take a dressing-down from your boss and just listen instead of either running away or stabbing him with a spear. But it’s hard.

Over the past year or two, I’ve read much of the evolution of Bruce’s thinking on the role basic human behavior plays in the realm of security.

And I must say that I agree, for the most part. Cerebrally, it makes sense.

When I read the above quote from him, I had somewhat of an “Ah-ha” moment.

As many of you know, I’m an avid runner.

I love running. I believe that running is as basic to human nature as eating.

I believe in the greater evolutionary chain, running was critical to the success of the human species.

Over the years, I began to believe that the simple act of running put me in touch with the animal that I really am.

Humans are animals, plain and simple. We have needs for food, shelter, more food, sleep, reproduction, and more food :)

Yes, I live in an amazing “shelter” and spend a great deal of time gardening, but deep down inside, I’m just an animal.

When it all comes down to it, this is my cave, my primary shelter. I stock it with food, and it’s where I want to raise my spawn (grin).

It is my belief that despite all the trappings of modern society, we really have evolved very little in the past several million years. We just “wear different clothes”.

That belief system came to me because of running…

But I never took the realization to the logical conclusions.

If all of us are just animals, then what does that mean about the way we behave collectively?

We operate out of needs. Needs to protect our food, shelter, personal security, etc.

And that’s where Bruce has been focusing.

What and how do humans behave regarding their need to feel secure?

So, where my understanding of Bruce’s thinking was pretty cerebral before, it’s now been connected to me in a more personal way.

Interesting stuff. I’ll have to spend some time today contemplating.

Fortunately, I have lots on the honey-do list. That’ll supply me ample time.

I wonder if I would be pulling weeds outside my cave 50,000 years ago…

Jocelyn doesn’t understand that excuse though, so I’m off to get my gloves.

Cheers,
Bill