Hello
Here I have to state that I agree 100% and categorically with Dave.
FUD - Fear Uncertainty and Doubt is a common tool used by vendors to sell
security. It is also one of the greatest threats to security today.
It makes people inured to security in the long run (i.e. cry wolf) and in the
short term results in a lot of technical solutions that generally fail to
address the issue.
NASA uses hazard and survivability models to determine risk. They do not
engineer to not fail - they just reduce the probability of an incident. What
needs to be remembered that is that 1 in a million occurrence happens all the
time in the real world. Even a 1 in a billion occurrence will happen daily
somewhere in the world. Welcome to the world of risk.
So as to the original post, how would complex software make you less risk prone?
Regards,
Craig
-----Original Message-----
From: dave kleiman [mailto:dave@davekleiman.com]
Sent: 23 February 2006 2:23
To: security-basics@securityfocus.com
Cc: Darren.Miller@defendingthenet.com; 'defendingthenet'
Subject: RE: Why Easy To Use Software Is Putting You At Risk
Inline....
-----Original Message-----
From: defendingthenet [mailto:mlapidus@ccim.net]
Sent: 20 February 2006 14:35
To: security-basics@securityfocus.com
Subject: Why Easy To Use Software Is Putting You At Risk
Title
-----
Why Easy To Use Software Is Putting You At Risk
Can Easy To Use Software Also Be Secure
----------------------------
Anyone who has been working with computers for a long time
will have noticed
that mainstream operating systems and applications have
become easier to use
over the years (supposedly). Tasks that use to be complex
procedures and
required experienced professional to do can now be done at
the push of a
button. For instance, setting up an Active Directory
domain in Windows 2000
or higher can now be done by a wizard leading even the
most novice technical
person to believe they can "securely" setup the operating
environment.
Where does it claim that it is "securely" setting up AD in the wizard?
This
is actually quite far from the truth. Half the time this
procedure fails
because DNS does not configure properly or security
permissions are relaxed
because the end user cannot perform a specific function.
Sounds like you have had this problem a few times, maybe you should not use the
wizard, or attempt AD setups.
Do you understand how to "securely" setup AD, for your comments here, I would
say no.
Instead of using the "sky is falling routine" suggest how to do these things
securely instead of syaing "look how terrible this is"
If It's Easy To Develop, Is It Also Secure
--------------------------------------------------
One of the reasons why operating systems and applications
"appear" to be
easier to work with then they use to is developers have
created procedures
and reusable objects to take care of all the complex tasks
for you.
Are you referring to shared code? In case you do not know what that is, it is
code that is shared by apps for the same routines.
For instance, back in the old days when I started as a
developer using assembly
language and c/c++, I had to write pretty much all the
code myself.
Are you suggesting your code was more secure back in the "old" days, when
security was not a concern in coding?
Now everything is visually driven, with millions of lines of
code already
written for you. All you have to do is create the
framework for your
application and the development environment and compiler
adds all the other
complex stuff for you. Who wrote this other code? How can
you be sure it is
secure. Basically, you have no idea and there is no easy
way to answer this
question.
Secure Environments Don't Exist Well With Complexity
----------------------------
The reality is it may look easier on the surface but the
complexity of the
backend software can be incredible. And guess what, secure
environments do
not coexist well with complexity. This is one of the
reasons there are so
many opportunities for hackers, viruses, and malware to attack your
computers. How many bugs are in the Microsoft Operating
System? I can almost
guarantee that no one really knows for sure, not even
Microsoft developers.
However, I can tell you that there are thousands, if not
hundreds of
thousands of bugs, holes, and security weaknesses in
mainstream systems and
applications just waiting to be uncovered and maliciously
exploited.
How Reliable and Secure are Complex Systems?
----------------------------------------------------------
Let's draw a comparison between the world of software and
security with that
of the space program. Scientists at NASA have know for
years that the space
shuttle is one of the most complex systems in the world.
With miles of
wiring, incredible mechanical functions, millions of lines
of operating
system and application code, and failsafe systems to
protect failsafe
systems, and even more failsafe systems to protect other
systems. Systems
like the space shuttle need to perform consistently, cost
effectively, and
have high Mean-Time-Between-Failure(MTBF).
*All in all the space shuttle has a good record.*
One thing
it is not though
is cost effective and consistent. Every time there is a
launch different
issues crop up that cause delays. In a few circumstances,
even the most
basic components of this complex system, like "O" rings,
have sadly resulted
in a fatal outcome. Why are things like this missed? Are
they just not on
the radar screen because all the other complexities of the
system demand so
much attention? There are million different variables I'm
sure. The fact is,
NASA scientists know they need to work on developing less
complex systems to
achieve their objectives.
Ok now you have stepped out of bounds, first of all I love NASA and have the
utmost respect for them and all the astronauts who have braved the frontier.
However, the record of the shuttle is 110+ scrubbed launches. That is more than
the number of launches. You can do the math for the rest, but it does not add
up to a good record, you might have to use one of those "complex systems"
though to run calc.
So your saying a more simplistic system would create a better record, maybe
they should try fly the Kitty Hawk to the moon.
I am just going to stop here and say Hogwash.
My advice to you is stop selling fear and your opinion, and start selling
solutions to problems. Next time tell us how to fix your proposed problems.
Respectfully,
______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE
www.SecurityBreachResponse.com
This same principal of reducing complexity to increase security,
performance, and decrease failures really does apply to
the world of
computers and networking. Ever time I here associates of
mine talk about
incredibly complex systems they design for clients and how
hard they were to
implement I cringe. How in the world are people suppose to
cost effectively
and reliably manage such things. In some cases it's almost
impossible. Just
ask any organization how many versions or different brands
of intrusion
detection systems they have been through. As them how many
times the have
had infections by virus and malware because of poorly
developed software or
applications. Or, if they have ever had a breach in
security because the
developer of a specific system was driven by ease of use
and inadvertently
put in place a piece of helpful code that was also helpful
to a hacker.
Can I Write A Document Without A Potential Security Problem Please
-----------------------------------------------
Just a few days ago I was thinking about something as
simple as Microsoft
Word. I use MS-Word all the time, every day in fact. Do
you know how
powerful this application really is? Microsoft Word can do
all kinds of
complex tasks like math, algorithms, graphing, trend
analysis, crazy font
and graphic effects, link to external data including
databases, and execute
web based functions.
Do you know what I use it for, to write documents. nothing
crazy or complex,
at least most of the time. Wouldn't it be interesting that
when you first
installed or configured Microsoft Word, there was an
option for installing
only a bare bones version of the core product. I mean,
really stripped down
so there was not much to it. You can do this to a degree,
but all the shared
application components are still there. Almost every
computer I have
compromised during security assessments has had MS-Word
installed on it. I
can't tell you how many times I have used this
applications ability to do
all kinds of complex tasks to compromise the system and
other systems
further. We'll leave the details of this for another
article though.
Conclusion
----------
Here's the bottom line. The more complex systems get,
typically in the name
of ease of use for end users, the more opportunity for
failure, compromise,
and infection increases. There are ways of making things
easy to use,
perform well, and provide a wide variety of function and
still decrease
complexity and maintain security. It just takes a little
longer to develop
and more thought of security. You might think that a large
part of the blame
for complex insecure software should fall on the shoulders of the
developers. But the reality is it is us, the end users and
consumers that
are partially to blame. We want software that is bigger,
faster, can do just
about everything, and we want it fast. We don't have time
to wait for it to
be developed in a secure manner, do we?
You may reprint or publish this article free of charge as
long as the
bylines are included.
Original URL (The Web version of the article)
------------
http://www.defendingthenet.com/NewsLetters/WhyEasyToUseSoft
wareIsPuttingYouA
tRisk.htm
About The Author
----------------
Darren Miller is an Information Security Consultant with
over seventeen
years experience. He has written many technology &
security articles, some
of which have been published in nationally circulated magazines &
periodicals. If you would like to contact Darren you can
e-mail him at
Darren.Miller@defendingthenet.com. If you would like to
know more about
computer security please visit us at
http://www.defendingthenet.com.
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
University program offers unparalleled Infosec management education and the
case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree customizations
including Emergency Management, Business Continuity Planning, Computer
Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Liability limited by a scheme approved under Professional Standards Legislation
in respect of matters arising within those States and Territories of Australia
where such legislation exists.
DISCLAIMER
The information contained in this email and any attachments is confidential. If
you are not the intended recipient, you must not use or disclose the
information. If you have received this email in error, please inform us
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the
email and destroy any printed copy.
Any views expressed in this message are those of the individual sender. You may
not rely on this message as advice unless it has been electronically signed by
a Partner of BDO or it is subsequently confirmed by letter or fax signed by a
Partner of BDO.
BDO accepts no liability for any damage caused by this email or its attachments
due to viruses, interference, interception, corruption or unauthorised access.
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
