About good people in IT being too good and bad guys playing better

Bugs flew into the ENIAC and caused errors. Bugs have caused trouble in IT for ages. Now it's time to exterminate them?
The high-tech nature of IT security in general sometimes has interesting side effects: if you don't know Johnny's "No Tech Hacking" or the tingly feeling while just rerouting other people's unencrypted packets (after ARP poisoning the gateways) you may not know what I mean. But just imagine tomorrow's administrators, using Exploit-Prevention, Anti-Virus, Anti-This, Anti-That... working like pest-exterminators. There's not one spray for all the bugs. And they never catch them all. People sometimes assume this is common practice, because if the bugs never came back, people would simply be out of work.
Bugs always survive, even in software. I personally think of this as a general problem that has to be solved by bringing security tests into the development cycle. And not just by static code analysis, but also by more tests. Which are too expensive - no question. But security problems in software behave like insects, growing exponentially over your head with time, and getting much more expensive to solve. Ignoring bugs never solved the bug problem.
Knowing that might lead you to decisions: going the extra mile, being very good. Separate networks with dual inline firewalls that enforce policies, with NAT. Monitoring with IDS, DPI... and in pentesting, going into the depths before really bad people do. In the end you tend to work a lot as a pentester, and that work has to be paid. By the company which should have had security in its development.
Do you really think that any attempt to secure insecure setups, software, or systems can be effective? By firewalls - software that filters packets? Or by IDS - software that looks at packets? Or exploit prevention - software that looks at software? What do we have that really secures our processes? The answer is simple: nothing. Security has its own evolution. The current state is that attacks define our countermeasures and we're simply reacting on demand. In constant need of availability. And nevertheless, whatever we do: as long as there's precious data, a way in and a way out, there's no security. There is more or less security. But nothing real.
Until somebody really smart comes up with a concept. That hasn't happened until now. No vendor or group has anything. They all lie. Very elegantly sometimes.
- Which is no excuse for doing nothing. But to do what's necessary. And just that, according to the needs of the company, even if people there have different opinions about the needs. That's what's called consulting. Companies today are often very inexperienced with IT security. They need orientation. That's often exploited by the black sheep of the industry, doing expensive zero-day protection and other voodoo where the problems are related to the network infrastructure and client hardening. Avoiding work and selling a pig in a poke. The 5-minute certified pentest with Nessus and Core. The report is generated on the fly. Cheap, isn't it? If Core does all the work, what's your work at all? Clicking?
The next rag-nug software needing a patch isn't far away. Maybe even developed in India, where it's cheaper. Or China, pre-owned. Outsourcing of information becomes just "risqué" - or in other words "acceptable enough". We call it "cloud computing". THE new buzzword, used for everything but never correctly.
And before people jump to their feet and shout... management will use cloud computing like that. And whether the partner company has the skills to secure the cloud or not - in the end the price is what matters. That's capitalism. That's the competition. And that's what we're up against sometimes. Competitors who are too cheap.
Truth is when you realize that the curtain didn't block the voices
I recently read Val's new post. Another thing he mentions in particular is "partial disclosure". That's when (little known) researchers try to reach a limited number of professional people, at Black Hat for example, without letting the rest of the world know. Of course, it's to create rumors, to get into the news, and for the money. IT security is a young industry in need of every attraction it can get. Otherwise people just tend to see security in general as a burden that doesn't enhance productivity.
But can we afford not to educate our colleagues? Seriously: the general level of pentesters out there is just uneducated. I don't exclude myself. We know nothing. We have no smart idea how to end the hunt for the next exploit, how to really know for sure what the bad guys are doing, or whether our integrity hasn't been compromised by people with superior skills. All we know is based on assumptions and self-confidence. One thing that conferences do is make us develop this confidence that we're able to secure stuff. But we aren't. We might believe in ourselves for now, while we're trying to develop the necessary technology. But to motivate this process we should know: the best attacks remain unseen and undetected.
Have fun,
wishi