Thursday, March 02, 2006

Gartner vs Jericho Forum

Today at SC Magazine I read Gartner's criticism of the latest version of NIST Publication 800-40: Creating a Patch and Vulnerability Management Program (.pdf). Gartner says:

"Security products such as network- and host-based intrusion prevention systems, network and host-based firewalls, and networking devices such as routers can be configured to prevent an attack as a first step prior to deploying the patch, and as an effective response to a critical vulnerability with exploit code in the wild."

I agree with this. Why? It's an expression of defense-in-depth.

To see an example of a group abandoning this security practice, let's hear from the folks at the Jericho Forum. I wrote about them last year. As I said in that post, "individual hosts should be able to defend themselves." However, consider the following description of actions taken by Jericho Forum member BP:

Energy group BP has shifted thousands of its employees off its LAN in an attempt to repel organised cybercriminals.

Rather than rely on a strong network perimeter to secure its systems, BP has decided that these laptops have to be capable of coping with the worst that malicious hackers can throw at it, without relying on a network firewall.

Ken Douglas, technology director of BP, told the UK Technology Innovation & Growth Forum in London on Monday that 18,000 of BP's 85,000 laptops now connect straight to the Internet even when they're in the office.

Are they serious? Is this some sort of Darwin-esque test? If your laptop is tough enough to survive on its own, you'll love working for BP. If your laptop isn't tough enough, well... we can't kill your laptop, so you'll just provide more headaches for the help desk.

I wonder if BP has removed any application proxies they might have employed? If yes, I guess it's back to monitoring traffic the hard way using stand-alone sensors.

How many engineering projects are built such that they consist of one element, and if that element fails, the entire project fails completely?

5 comments:

Anonymous said...

I have long thought that those jokers from Jericho are not serious, but it looks like they are :-) OMG, such stupidity!

Dr Anton Chuvakin said...

Somebody please report them to http://www.stupidsecurity.com/

Anonymous said...

BP appears to be missing at least part of the group's point. This quote is from one of the Jericho Group's board members during the Black Hat Briefings in Vegas (2004):

"While deperimeterization doesn't mean discarding the firewall, it does mean accepting that most exploits will transit the perimeter and implementing some web services. 'Deperimeterization is a set of solutions ...It is defense in depth, it has to be open, interoperable, and OS agnostic,' Simmonds said." [Paul Simmonds, CISO, ICI]

http://www.scmagazine.com/uk/news/article/448576/jericho-forum-brings-its-deperimeterization-concept-us/
http://www.opengroup.org/projects/jericho/uploads/40/8740/faq_bo.pdf (Question 4 - "How is the Jericho Forum managed?")

Richard Bejtlich said...

That's hilarious, especially since the story you linked contains this quote:

"Deperimeterization is a set of solutions ...It is defense in depth, it has to be open, interoperable, and OS agnostic," Simmonds said.

BP has apparently discarded defense-in-depth.

Anonymous said...

You should not get rid of the perimeter. I understand the need to not rely on it completely, but you need a safety zone. What the Jericho group is proposing is that we remove our doors and windows of our homes and lock our jewelry boxes, safes, file cabinets, etc. I prefer that we do harden the OS AND add additional layers of defense.

Maybe they should go IPv6, get rid of NAT and put up a firewall. That will let the BP users think they are "out there" on the net, but not really.

PS. I really do think NAT is bad and can't wait to get rid of it (when IPv6 is deployed).

I know, kind of random today.