Rocky DeStefano had a great post today on FudSec, Liberate Yourself: Change The Game To Suit Your Needs, which you should read if you haven’t already. It nicely highlights many of the issues going on in the industry today. However, I just can’t agree with all of his assertions. In particular, he had two statements that really bothered me.
Information Security Leadership. We need to start pushing back at all levels here. It’s my opinion that businesses need to care much less about being compliant and more about being fundamentally secure – or if you prefer, having better visibility into real risk. Risk to the mission, risk to the business, not risk to an asset. We continue to create irrelevant measurements – irrelevant because they are point in time, against a less-than-secure model and on a playing field that is skewed towards the success of our adversary.
In a perfect, security- and risk-oriented world, I would agree with this 100%. The problem is that, from the business perspective, what they have in place is usually sufficient to do what they need to do safely. I’m a big fan of using risk, because it’s the language the business speaks, but this isn’t really a compliance versus security versus risk issue. What needs to be communicated more effectively is what compliance to the letter of the law does and doesn’t get you. Where we have failed as practitioners is in making this distinction and allowing vendor and marketing BS to convince business folks that because they are compliant they are of course secure. I can’t count the number of times I’ve had folks tell me that they thought being compliant with whatever regulation meant they were secure. Why? Because that’s the bill of sale they were sold. And until we can change this basic perception, the rest seems irrelevant. Don’t blame the security practitioners; most of the ones I know clearly express the difference between compliance and security, but it often falls on deaf ears.
But what really got my goat was this next section:
As information security professionals how on earth did we let the primary financial driver for security spending be compliance initiatives? We sold our souls because we lacked the knowledge of the business and how to apply what we do in a meaningful way to the business. We let compliance initiatives that promised “measurable” results have their way because we thought we could tag along for the ride and implement best possible solutions given the situation. As I see it we are no better off for this and now our teams have either competing agendas or more work to drive us away from protecting our organizations. Sure we’ve created some “building codes” but do “point in time” snapshots matter anymore when the attacker can mold his approach on a whim?
I don’t know who Rocky has been talking to, but I don’t know a single security practitioner who thinks that compliance was the way to go. What I’ve seen are two general schools of thought. One is to rant and rave that everyone is doing it wrong and that compliance doesn’t equal security, but then engage in the compliance efforts anyway because there is no choice. The other is to be pragmatic, accept that compliance is here to stay, and do our best within the existing framework. It’s not like we as an industry ‘let’ compliance happen. Even the small group of folks who have managed to communicate well with the business, be proactive, and build a mature program still have to deal with compliance. As for Rocky’s “building codes” and “point in time” snapshots, for a huge segment of the business world this is a massive step up from what they had before.
But to answer Rocky’s question, the failure here is that we told the business, repeatedly, that if they installed this one silver bullet (firewalls, AV, IDS, and let’s not forget PKI) they’d be secure. And you know what? They believed us, every single time; they shelled out the bucks and we came back for more, like Bullwinkle the Moose: “This time for sure!” We told them the sky was going to fall and it didn’t. We FUDed our way around the business, we were arrogant, and we were wrong. This wasn’t about selling our souls to compliance. It was about getting our asses handed to us because we were too busy promoting “the right way to do things” and telling the business no rather than trying to enable them to achieve their goals.
Want an example? Show me any reasonable evidence that changing all your users’ passwords every 90 days reduces your risk of being exploited. No wonder they don’t always listen to us.
39 Replies to “Changing The Game?”
Fascinating discussion.
There are three points that I think are key here.
First, LonerVamp’s point that confidence that the password provides security is not a static value, but decays over time. I think that is a useful restatement of the question, rephrasing it from a choice between two arbitrary standards to a question that can be studied with data. (Of course, isn’t that the core of Mr. Mortman’s point?)
Second, password cracking may be more relevant to elevation of privilege than to acquisition of privilege. Slightly different threat model.
Third, and most important, analysis of security standards relies on a coherent threat and risk model. Except in trivial cases, you can’t exploit hashes unless you already have access. But are there ways to get hashes? Interception of remote workers & VPN? PWDump from a compromised machine? Fundamentally we’re analyzing defense in depth – where no protection stands alone, but is backed up by other protections.
I know that if I were the person responsible for accepting risk, I’d be more comfortable with a policy that attempted to exploit passwords and forced a password change on any password that was cracked in less than a week. (Actually, I’d be most comfortable if they ran the password cracking long term, spotted the inflection points in the curve and forced a change on anything under the curve.) That is going to cull out the easy passwords and force the attacker to spend time (his opportunity cost).
Without real data to back the various hypotheses, the discussion will not terminate. And that is the reason for compliance. The people involved in this discussion, if given an infinite funding line, could acquire the data, identify the risk drivers, build a model and come up with a standard – to achieve risk X, change passwords every Y hours. Six months later we’d have to acquire a new infinite funding line and repeat the study to capture changes in practice and attack techniques. Since most of us don’t have an infinite funding line available every six months, we pick an arbitrary number.
Which takes us over to the discussion at Rybolev’s blog.
I think it is pretty clear that password changes reduce risk by increasing the cost of attack, albeit slightly. I am not convinced, however, that it is worth the effort. Full analysis can be found here: http://spiresecurity.com/?p=1093.
Pete
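The “crack it yourself, then force a change on anything cracked within the budget” policy proposed in the comment above is easy to sketch in code. The block below is an added example, not the commenter’s or the blog’s own code: it takes a constructed credential dump (per-user salt plus PBKDF2-SHA256 hash, with a deliberately low iteration count so it runs quickly), runs an ordered wordlist against it, records how many guesses each account survived, converts a cracking window such as “one week at a given guess rate” into a guess budget, and returns the users whose passwords fell inside that budget. All names, passwords, rates and thresholds are assumptions made for the illustration.

```python
"""Audit-crack a credential store and flag accounts whose password falls
within an attacker's guess budget.

Added illustration of the "crack, then force a change on anything cracked
in under a week" policy.  The store, wordlist, iteration count and guess
rate below are all constructed for the example.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed wordlist, ordered the way an attacker would try it:
# the most common guesses first.
WORDLIST: List[str] = [
    "123456", "password", "qwerty", "letmein", "Summer2009",
    "P@ssw0rd", "welcome1", "Winter2009!", "correcthorsebatterystaple",
]

# Deliberately low so the example finishes instantly; a real deployment
# would use a far higher work factor.
ITERATIONS = 1000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def build_sample_store() -> List[Tuple[str, bytes, bytes]]:
    """Constructed 'dumped' store: (username, salt, hash) triples."""
    plaintexts = {  # constructed sample accounts; never store these for real
        "alice": "Summer2009",
        "bob": "correcthorsebatterystaple",
        "carol": "password",
        "dave": "xk9!Qr#2mZ",  # not in the wordlist, so it survives the audit
    }
    store = []
    for i, (user, pw) in enumerate(plaintexts.items()):
        salt = bytes([i + 1]) * 8  # fixed salts keep the example deterministic
        store.append((user, salt, hash_password(pw, salt)))
    return store


def guesses_to_crack(salt: bytes, digest: bytes, wordlist: List[str]) -> Optional[int]:
    """Number of ordered guesses needed to recover the password, or None."""
    for n, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            return n
    return None


def guess_budget(guesses_per_second: float, window_seconds: float) -> int:
    """Translate 'cracked in less than <window>' into a guess count."""
    return int(guesses_per_second * window_seconds)


def audit(store: List[Tuple[str, bytes, bytes]], wordlist: List[str]) -> Dict[str, Optional[int]]:
    """Map each user to the guess count that cracked them (None = survived)."""
    return {user: guesses_to_crack(salt, digest, wordlist) for user, salt, digest in store}


def must_rotate(results: Dict[str, Optional[int]], budget: int) -> List[str]:
    """Users whose password fell within the attacker's guess budget."""
    return sorted(user for user, n in results.items() if n is not None and n <= budget)


if __name__ == "__main__":
    results = audit(build_sample_store(), WORDLIST)
    # Assumed attacker: 0.00001 guesses/s against this toy list, one-week window,
    # which works out to a budget of 6 guesses for the demonstration.
    budget = guess_budget(0.00001, 7 * 24 * 3600)
    for user, n in results.items():
        print(f"{user}: {'survived' if n is None else f'cracked after {n} guesses'}")
    print("force change:", must_rotate(results, budget))
```

Two points the policy in the comment depends on show up directly in the code: the ordering of the wordlist is what turns “cracked in less than a week” into a ranking of weak passwords, and the per-user salt is what forces the cost to be paid per account rather than once for the whole dump. Running the same audit repeatedly and watching where the counts cluster is the “inflection point” the commenter wants; the threshold here is just an arbitrary budget, which is exactly the situation the comment describes.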
@mortman. If we can agree that risk can be defined as the probable frequency and magnitude of loss, then I think we can find numerous examples of how changing a password on a frequent basis can impact the
Greetings & Salutations,
SECURITY –I::::::::::::::>
It’s a process, not a product.
It’s a marathon, not a sprint.
It’s a war of attrition to some degree.
My computer has enough resources (think of it as a piece of real estate) to treat parts of it as Embassies.
If I give you a login on my OpenBSD 4.6 laptop, and make some further adjustments to suit your needs, you basically get a shell that can help you stay turtled come hell or high water.
I can and have managed (systems admin) a fleet of mobile & workstation machines before, and I have only gotten better at it since then.
So. That is how negotiations and diplomacy start. (Or call it Duplomacy, that’s always funny.)
Agent Provocateur, I’m talking to you, too. And I’m talking to others as well. So hold your horses and think about how many times YOU would prefer me to replace my hard drive, because each time, it costs me like $50 and 4 hours of the most fun times I’ve ever had.
Seriously. Reinstalling on my compy is like going to a hooker. Even if I have something terminal lurking in my BIOS, not everyone has the key to that particular minerva.
So change your passwords, I’m starting to lose patience, I am **not** here to swipe your stuff or stalk you, I am just here to pick up my mail and get more coffee.
Thanks,
– Jack Merlot
I think we
I’m not sure I fully agree with you here, David, though in some cases it was the beginning of a paragraph where I took issue, and the end of the same paragraph where I found agreement. A couple points of contention…
You said: “Where we have failed as practitioners is in making this distinction and allowing vendor and marketing BS to convince business folks that because they are compliant they are of course secure.”
People believe what they want to believe, typically based on what most reinforces their pre-existing opinions. To make matters worse, organizations typically turn a deaf ear to their own people in favor of those outside their organization, as irrational and insane as that may be. They wantonly ignore those who see the organization for what it is in order to hear fairy tales from those who see the organization the way they’d like it to be (that is, adorned with their products, of course).
I also would not say that we practitioners are “allowing” these faulty perceptions to exist. We’re doing what we can to fight them, but we’re not being successful. Why? If I were to guess, it’s because we don’t have the resources necessary to leverage the same techniques marketeers use in pushing their own agenda. On a large scale we call this Congress and Lobbyists. 😉
You said: “…the failure here is that we told the business, repeatedly, that if they installed this one silver bullet (firewalls, AV, IDS, and let’s not forget PKI) they’d be secure.”
What rational, reliable, mature security professional in their right mind is selling point solutions as “silver bullets” these days? Is this really still a problem, at least from the practitioner perspective (putting aside vendor marketing)? This is a patently unfair accusation. Unless, of course, you’re talking about analysts and how they position and promote technology solutions instead of promoting a balanced approach. The same goes for FUD (unless you’re Anton, apparently)…
As for your password example, what’s your point? Here again is another compliance-driven requirement that has been foisted upon us. Where did it originate? In somebody’s confused notion of how to address a specific threat (a notion that makes auditors happy, but with no basis in sound reasoning or measurement). However, don’t blame this on current practitioners. It’s lore, now; part of the mediocrity that is best practices. I think this rather reinforces the point that we really do need to throw out everything we’re doing and start with fresh eyes and ears.
I think we
Anyway, back to the issue and not a small example! 🙂
I like to think of password changing as an insurance. It helps prevent the lingering knowledge of passwords from biting you in the ass 6 months or 6 years into the future. That would include people who quit and take shared passwords with them, share them with others (“please check my email!”), get them snarfed when they log into a VPN or email from an untrusted network or system, get them snarfed by malicious or curious employees who crack their local SAM, or simply have them leak out from a lost/stolen laptop…the weight of which all depends on how important a target you may be. And, as mentioned, it breaks the trend of re-using the same password for everything, in which case you’re only as strong as your weakest use (that non-SSL online forum with the 2-year-old forum software and non-encrypted database run by kids with no ethics…).
It all helps demonstrate that you can be confident that every 90 days, passwords are only known to those who set them. Of course, then your timer resets and over time confidence reduces, until you repeat the whole process again. And if you don’t change them, you fall further down the slope of being able to prove someone did something, i.e. non-repudiation and, what some people will argue is highly important, attribution. 🙂
And while pen testers will do crack runs every time, attackers still don’t necessarily need to unless you’re targeting someone and latching onto their laptop while they’re at the hotel bar. There are still other ways to get things, but cracking passwords certainly gets you pretty high value when you do bother. At least that window might only be 90 days…?
It’s a benefit that the security measure is easily understood, demonstrated, and executed by non-technical managers!
Great debate, gents! Here’s my commentary: http://newschoolsecurity.com/2009/12/can-risk-management-guide-policy-regarding-password-change-frequency/