The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

June 28th, 2011

A large scale failure of information security

http://www.informationweek.com/news/security/attacks/231000472

Does LulzSec’s nonstop hacking campaign, and apparent success at taking
down everyone from Sony to the U.S. Senate, point to fundamental flaws
in website security? “One of the assertions made by the recent run of
high profile attacks was that all networks are vulnerable, and the
groups behind these attacks either had or could have access to many more
systems if they wish,” said the SANS Technology Institute’s Johannes B.
Ullrich in a blog post. “I would like to question the conclusion that
recent attacks prove that all networks are vulnerable, as well as the
successful attacks [prove] a large scale failure of information security.”

I think this so misses the point.
Everybody, every site, every business, every government *is* vulnerable to something, somewhere, sometime.

I’m reminded of the IRA’s statement to Margaret Thatcher:

We only need to be lucky once.
You need to be lucky every time.

Times change. New exploits are uncovered. Every patch and upgrade may – will? – introduce a new vulnerability. Changes in staff; changes in configuration and facilities. Changes, changes, changes.

If you think you can secure your system once and be done then you are, at best, fooling yourself, and more realistically acting in a socially irresponsible manner. We are forever lagging behind, and the evidence is that we are lagging further and further behind.

The fact that so many sites are vulnerable, that even PCI DSS “certified” sites get hacked, and more, *DOES* at least _demonstrate_ “a large scale failure of information security”.

June 21st, 2011

In praise of OSSTMM

In case you’re not aware, ISECOM (Institute for Security and Open Methodologies) has OSSTMM 3 – The Open Source Security Testing Methodology Manual: http://www.isecom.org/osstmm/

There’s an interesting segue to this at
https://www.infosecisland.com/blogview/14651-How-to-Pen-Test-Crazy.html

Skip over his ranting about the definition of “hackers”.

This is the meat:

We wrote the OSSTMM 3 to address these things. We knew that penetration testing the way it continued to be marginalized would eventually hurt security. Yes, the OSSTMM isn’t practical for some because it doesn’t match the commercial industry security of today. But that’s because the security model today is crazy! And you don’t test crazy with tests designed to prove crazy. So any penetration testing standard, baseline, framework, or methodology that focuses on finding and exploiting vulnerabilities is only perpetuating the one-trick pony problem. Furthermore it’s also perpetuating security through patchity, a process that’s so labor intensive to assure homeostasis that nobody could maintain it indefinitely which is the exact definition of a loser in the cat and mouse game. So you can be sure it also doesn’t scale at all with complexity or size.

I’ve been outspoken against Pen Testing for many years, to my clients, at conferences and in my Blog. I’m sure I’ve upset many people but I do believe that the model plays up to the Hollywood idea of an Uberhacker, produces a whack-a-mole attitude and is an example of avoidance behaviour, avoiding proper testing and risk management such as incident response and good facilities management.

I’ve seen too many “pen testers” and demos of pen testing that are just plain … STUPID. Unprofessional, unreasonable and pandering to the ignorance of managers.

In the long run the “drama-response” of the classical pen-test approach is unproductive. It teaches management the wrong thing – to respond to drama rather than to set up a good system of governance based on policy, professional staffing, adequate funding and operations based on accepted good principles such as change management.

And worse, it

  • shows how little faith your management have in the professional capabilities of their own staff, who are the people who should know the system best, and of the auditors who are trained not only in assessing the system but assessing the business impact of the risks associated with a vulnerability
  • has no guarantees about what collateral damage the outsider had to do to gain root
  • says nothing about things that are of more importance than any vulnerability, such as your Incident Response procedures
  • indicates that your management doesn’t understand or make use of a proper development-test-deployment life-cycle

Yes, classical hacker-driven pen testing is more dramatic, in the same way that Hollywood movies are more dramatic. And about as realistic!

“Crazy” is a good description of that approach.