Reading yet another comment on yet another blog about “what good is ABC technology because I can subvert the process” or “we should not use XYZ technology because it does not stop the threats” … I feel a rant coming on. I get seriously annoyed when I hear these blanket statements about how some technologies are no good because they can be subverted. I appreciate zeal in researchers, but am shocked by people’s myopia in applied settings. Seriously, is there any technology that cannot be compromised?
I got a chance to chat with an old friend on Friday and he reminded me of a basic security tenet … most security precautions are nothing more than ‘speed bumps’. They are not fool-proof, not absolute in the security that they offer, and do not stand unto themselves without support. What they do is slow attackers down, make it more difficult and expensive in time, money, and processing power to achieve their goals. While I may not be able to brute force an already encrypted file, I can subvert most encryption systems, especially if I can gain access to the host. Can I get by your firewall? Yes. Can I get spam through your email filter? Absolutely. Can I find holes in your WAF policy set? Yep. Write malware that goes undetected, escalate user privileges, confuse your NAC, poison your logs, evade IDS, compromise your browser? Yep. But I cannot do all of these things at the same time. Some will slow me down while others detect what I am doing. With enough time and attention there are very few security products or solutions that would not succumb to attack under the right set of circumstances, but not all of them at one time. We buy anti-spam, even if it is not 100% effective, because it makes the problem set much smaller. We try not to click email links and visit suspect web sites because we know our browsing sessions are completely at risk. When we have solid host security to support encryption systems, we drop the odds of system compromise dramatically.
If you have ever heard me speak on security topics, you will have heard a line that I throw into almost every presentation: embrace insecurity! If you go about selecting security technologies thinking that they will protect you from all threats under all circumstances, you have already failed. Know that all your security measures are insecure to some degree. Admit it. Accept it. Understand it. Then account for it. One of the primary points Rich and I were trying to make in our Web Application Security paper was that there are several ways to address most issues. And it’s like fitting pieces of a puzzle together to get reasonable security against your risks in a cost effective manner. What technologies and process changes you select depend upon the threats you need to address, so adapt your plans such that you cover for these weaknesses.
3 Replies to “Security Speed-bumps”
[…] Adrian: The Know Your Enemy: Containing Conficker was a fascinating paper. […]
[…] Comment of the Week: Dre on Security Speedbumps: No No No No No. Layers and defense-in-depth do not work unless you know YOUR OWN risks and […]
No No No No No. Layers and defense-in-depth do not work unless you know YOUR OWN risks and point-solution defenses match the risks. “Layering for layering’s sake” does get adversaries poking right through billions of expensive layers. Don’t tempt me to argue against every point in this rant—you just set yourself up for massive failure.
Think of it this way: when I’m not at home, my alarm-relay service has my house closed down and will alarm on everything, especially and including a fire. But sometimes I’m at home. The windows and the room with the safe+motion-detector are in separate zones from the doors (and the safe is in the middle of the house, not lying against a wall to the outside). Hell, the backdoor might be in a different zone from the front door. The alarm company should still alarm when the front or back door opens in some cases, but more likely, they should alarm when someone is in the safe room, or when the windows break. Unless I forget to turn off the windows zone and open the windows accidentally.
Also—they can call me before they send in the fire or police department and I can manually clear the zone. I may also be able to clear the zone before they call if there is a slight delay from my panel to the relay-service.
The goal isn’t security to avoid risk—the goal is auditability to contain risk. It’s to know WHO, WHAT, WHEN, WHERE, WHY someone or some thing has breached a layer.
They’re not “speed bumps”, they’re “tripwires”. I am going to have to categorically disagree with you about embracing insecurity. Think different; evolve or die.
Also: there is “perfect security”—just ask Pete Herzog.