Every couple of months I’m invited to a new computer security conference, or I’m asked to write a foreword for a new computer security book. And, thanks to the fact that it’s a topic of public concern and a “safe issue” for politicians, we can expect a flood of computer security-related legislation from lawmakers. So: computer security is definitely still a “hot topic.” But why are we spending all this time and money and still having problems?
100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. They come from misguided attempts to do the impossible – which is another way of saying “trying to ignore reality.” Frequently those misguided attempts are sincere efforts by well-meaning people or companies who just don’t fully understand the situation, but other times it’s just a bunch of savvy entrepreneurs with a well-marketed piece of junk they’re selling to make a fast buck. For your convenience, I’ve listed the dumb ideas in descending order from the most frequently seen.
If you can avoid falling into the trap of the first three, you’re among the few true computer security elite. Systems based on “Default Permit” are the computer security equivalent of empty calories: tasty, yet fattening. The most recognizable form in which the “Default Permit” dumb idea manifests itself is in firewall rules. Back in the very early days of computer security, network managers would set up an internet connection and decide to secure it by turning off incoming telnet, incoming rlogin, and incoming FTP. Everything else was allowed through, hence the name “Default Permit.” This put the security practitioner in an endless arms race with the hackers.
Suppose a new vulnerability is found in a service that is not blocked – now the administrators need to decide whether to deny it or not, hopefully before they get hacked. A lot of organizations adopted “Default Permit” in the early 1990s and convinced themselves it was OK because “hackers will never bother to come after us.” The 1990s, with the advent of worms, should have killed off “Default Permit” forever, but it didn’t. In fact, most networks today are still built around the notion of an open core with no segmentation. Another place where “Default Permit” crops up is in how we typically approach code execution on our systems. The default is to permit anything on your machine to execute if you click on it, unless its execution is denied by something like an antivirus program or a spyware blocker.
If you think about that for a few seconds, you’ll realize what a dumb idea that is. On my computer here I run about 15 different applications on a regular basis. There are probably another 20 or 30 installed that I use every couple of months or so. I still don’t understand why operating systems are so dumb that they let any old virus or piece of spyware execute without even asking me. A few years ago I worked on analyzing a website’s security posture as part of an E-banking security project.
The website had a load-balancer in front of it that was capable of re-vectoring traffic by URL, and my client wanted to use the load-balancer to deflect worms and hackers by re-vectoring attacks to a black hole address. I talked them into adopting the opposite approach. Not surprisingly, that site has withstood the test of time quite well. One clear symptom that you’ve got a case of “Default Permit” is when you find yourself in an arms race with the hackers. The opposite approach is not that much harder to do than “Default Permit,” but you’ll sleep much better at night.
Back in the early days of computer security, there were only a relatively small number of well-known security holes. That had a lot to do with the widespread adoption of “Default Permit” because, when there were only 15 well-known ways to hack into a network, it was possible to individually examine and think about those 15 attack vectors and block them. So security practitioners got into the habit of “Enumerating Badness” – listing all the bad things that we know about. Once you list all the badness, then you can put things in place to detect it, or block it.
Why is “Enumerating Badness” a dumb idea? It’s a dumb idea because sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness. For every harmless, legitimate application, there are dozens or hundreds of pieces of malware, worm tests, exploits, or viral code. Compare that to the legitimate 30 or so apps that I’ve installed on my machine, and you can see it’s rather dumb to try to track 75,000 pieces of Badness when even a simpleton could track 30 pieces of Goodness.
200 and 700 new pieces of Badness hitting the Internet every month. Not only is “Enumerating Badness” a dumb idea, it’s gotten dumber during the few minutes of your time you’ve bequeathed me by reading this article. Knowing about all the different apps that we rely on would be impossible! What you’re saying sounds reasonable until you think about it and realize how absurd it is! To which I respond, “How can you call yourself a ‘Chief Technology Officer’ if you have no idea what your technology is doing?” A CTO isn’t going to know detail about every application on the network, but if you haven’t got a vague idea what’s going on it’s impossible to do capacity planning, disaster planning, security planning, or virtually any of the things in a CTO’s charter. In 1994 I wrote a firewall product that needed some system log analysis routines that would alert the administrator in case some kind of unexpected condition was detected.
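Both “Default Permit” and “Enumerating Badness” fail the same way: a novel service or a novel binary that nobody has listed yet sails straight through. The Python model below is an added illustration, not code from the essay; the firewall rule sets, port numbers, and the “known good”/“known bad” hash sets are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    action: str  # "allow" or "deny"


def evaluate(rules, default, proto, port):
    """First matching rule wins; anything unmatched gets the policy default."""
    for rule in rules:
        if rule.proto == proto and rule.port == port:
            return rule.action
    return default


# Constructed early-1990s style "Default Permit" policy: block the three
# services everyone knew about, let everything else through.
DEFAULT_PERMIT = [Rule("tcp", 23, "deny"), Rule("tcp", 513, "deny"), Rule("tcp", 21, "deny")]
# Constructed "Default Deny" policy: enumerate only the services the site offers.
DEFAULT_DENY = [Rule("tcp", 80, "allow"), Rule("tcp", 443, "allow"), Rule("tcp", 25, "allow")]


def compare(proto, port):
    """Return (default-permit verdict, default-deny verdict) for one flow."""
    return (evaluate(DEFAULT_PERMIT, "allow", proto, port),
            evaluate(DEFAULT_DENY, "deny", proto, port))


# The same idea applied to code execution: an antivirus-style blocklist versus
# an allowlist of the ~30 programs actually installed.
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


KNOWN_BAD = {sha256(b"constructed sample: yesterday's worm")}
KNOWN_GOOD = {sha256(b"constructed sample: editor"),
              sha256(b"constructed sample: mail client")}


def may_execute(binary: bytes, mode: str) -> bool:
    """Decide whether a binary runs under each policy style."""
    digest = sha256(binary)
    if mode == "enumerate_badness":   # run unless someone has listed it as bad
        return digest not in KNOWN_BAD
    if mode == "enumerate_goodness":  # run only if it was deliberately approved
        return digest in KNOWN_GOOD
    raise ValueError(f"unknown mode {mode!r}")
```

A flow to an unlisted port, or a binary written this morning, is exactly where the two policy styles diverge; everything already on a list behaves the same under both.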