Sunday, February 01, 2009

Humans, Not Computers, Are Intrusion Tolerant

Several years ago I mentioned the human firewall project as an example of a security awareness-centric defensive measure. I thought it ironic that the project was dead by the time I looked into it.

On a similar note, I was considering the idea of intrusion tolerance recently, loosely defined as having a system continue to function properly despite being compromised. A pioneer in the field describes the concept thus:

Classical security-related work has on the other hand privileged, with few exceptions, intrusion prevention... [With intrusion tolerance, i]nstead of trying to prevent every single intrusion, these are allowed, but tolerated: the system triggers mechanisms that prevent the intrusion from generating a system security failure.
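To make the quoted definition concrete, here is an added example (not from the post, and not code from any intrusion-tolerance research project) of the classic mechanism behind it: a request is executed on N independent replicas, up to f of which may be compromised, and the answer is taken by majority vote. With N >= 2f + 1 the intrusion on f replicas is tolerated rather than prevented, and the vote also reveals which replicas diverged so an operator can respond. The "square the request" service and the attacker's off-by-one answer are constructed stand-ins for any real service.

```python
"""Toy intrusion-tolerant service: replicated execution with majority voting.

Constructed illustration of the quoted concept. Assumptions (not from the post):
- the service is deterministic, so honest replicas agree on every request;
- at most f replicas are compromised, and N >= 2f + 1 replicas are deployed.
Under those assumptions an intrusion does not become a system security failure,
because the compromised replicas can never form a strict majority.
"""
from collections import Counter
from typing import Callable, List, Optional, Tuple

Replica = Callable[[int], int]


def honest_replica(request: int) -> int:
    """Correct service behaviour (arbitrary deterministic function)."""
    return request * request


def compromised_replica(request: int) -> int:
    """Attacker-controlled replica: returns a wrong but plausible-looking value."""
    return request * request + 1


def vote(answers: List[int]) -> Tuple[Optional[int], List[int]]:
    """Strict-majority vote over replica answers.

    Returns (winning_value, indices_of_disagreeing_replicas). winning_value is
    None when no value has more than half the votes (no quorum: fail safe
    rather than return something an attacker may control).
    """
    if not answers:
        return None, []
    value, count = Counter(answers).most_common(1)[0]
    if count * 2 <= len(answers):
        return None, list(range(len(answers)))
    suspects = [i for i, a in enumerate(answers) if a != value]
    return value, suspects


def tolerant_service(replicas: List[Replica], f: int, request: int) -> Tuple[Optional[int], List[int]]:
    """Execute `request` on every replica and return (result, suspect_indices).

    Raises ValueError if fewer than 2f + 1 replicas are configured, because
    the tolerance bound f would then be unachievable by construction.
    """
    if len(replicas) < 2 * f + 1:
        raise ValueError("need at least 2f+1 replicas to tolerate f intrusions")
    answers = [r(request) for r in replicas]
    return vote(answers)


def demo() -> dict:
    """Run the service within and beyond its tolerance bound."""
    within_bound = tolerant_service(
        [honest_replica, honest_replica, compromised_replica], f=1, request=7)
    # Beyond the bound (2 of 3 compromised, f=1): the vote is still well-formed
    # but the attacker now controls the majority, so the wrong answer wins.
    beyond_bound = tolerant_service(
        [honest_replica, compromised_replica, compromised_replica], f=1, request=7)
    return {"within_bound": within_bound, "beyond_bound": beyond_bound}


if __name__ == "__main__":
    for name, (result, suspects) in demo().items():
        print(f"{name}: result={result} suspect_replicas={suspects}")
```

The design choice worth noting is the strict-majority threshold: a plurality ("most common answer") would let two colluding replicas win a four-replica vote, and a quorum of f + 1 is only safe when N is exactly 2f + 1. Returning the suspect indices is what turns masking into response; an operator who ignores that list is back in the human-tolerance situation the post describes.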

It occurred to me recently that, in one sense, we have already fielded intrusion tolerant systems. Any computer operated, owned, or managed by a person who doesn't care about its integrity is an intrusion tolerant system.

People tolerate the intrusion for various reasons, such as:

  1. "I don't think any threats are attacking me."

  2. "I don't see my system or information being disclosed / degraded / denied."

  3. "I don't have anything valuable on my system."

All of those beliefs are false, yet the resulting system (meaning the human plus the hardware and software) tolerates the intrusion all the same. Worse, modern threats understand these assumptions and operate within them: they avoid doing something stupid like opening and closing the CD-ROM tray or saturating the link, which would tip off the human by interfering with the operation of the system.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

5 comments:

Anonymous said...

I read a related white paper a couple of weeks ago named "human being firewall" by Muhammad El Harmeel in the SANS Reading Room. It's a great one.

Blake said...

You see intrusion tolerance extremely frequently. Users will tolerate minor spyware issues as long as their overall web experience hasn't come to a complete standstill. Only when they can no longer work will a help desk complaint finally come through. If you run an IT department that has discouraged an open relationship with the user base, you will see a higher percentage of users tolerating such issues, since going to the IT department is actually a more negative experience. You want your users to feel comfortable enough with your department to be able to call and ask about a suspicious email they may have received.

jbmoore said...

Most ISPs are intrusion tolerant systems. I have a honeypot running at home and it exhausted its storage requirements due to logging brute force FTP attacks. One of the attackers appeared to be a compromised system and the other was from China. I have no idea whether the ISP's firewall or IDS logged these attacks, but no filtering would ensue in any event.

A more pernicious kind of intrusion tolerance is when ISPs allow malicious parties to host hostile systems on their networks, paying for the hosts with stolen credit cards. Subscriber numbers and revenues are higher than they would be otherwise for the ISP and the criminals have a temporary base of operation in that region or country before the service is terminated when the credit card issuer halts further payments. It's a win-win for both parties in the short run.

As far as DLP goes, I'm guessing that most of the products out there are inadequate, capable of "catching stupid" as you phrased it. If it were otherwise, we wouldn't be hearing on the news about all of the problems the U.S. Armed Services have with data leakage on their networks. If the military can't stop data leakage of military documents and secrets, what hope do private security professionals have with smaller budgets, poor tools, clueless executives, and poor policies that protect said executives from their data leakage blunders and punish the wage slaves for theirs?

Richard Bejtlich said...

Blake, good comment!

jbmoore, GREAT comment. I didn't even consider ISPs.

Van said...

Interesting article. I think it all comes down to value and cost assessment. In other words, what is the value of the data or systems that I am protecting, and what will it cost me if they are not adequately protected (i.e. data or systems are compromised).

This type of intrusion tolerance can also be seen in commercial software. Software vendors know that no matter what they do their software WILL be pirated. This is tolerated by software vendors for a few reasons.

1. The people who pirate software probably would never become paying customers anyway. In other words, you didn't lose a sale as it was never yours to begin with.

2. The cost to absolutely protect software from piracy outweighs the financial benefits.

So, what software vendors do is make it "hard" for their software to be pirated using license keys, license validation and other methods but tolerate the fact that some piracy will occur.