Comments on TaoSecurity Blog: Vulnerabilities and Exploits Are Mindless

----------------------------------------------------------------------
Unknown, 2008-11-03 11:35 -05:00

I'm wondering if a graph would be useful to illustrate this topic.

(1)
vertical scale: maturity of security stance
horizontal scale: interest in threats

As an organization's security maturity increases, they can become more interested in threats over chasing the vulnerabilities.

(2)
vertical scale: position in organization
horizontal scale: interest in threats

As one's position in an organization moves up the ladder, they likely become more interested in the strategic concerns, such as threats.

Of course, I wouldn't consider this very universal. I'm sure there are very high leaders in an organization who simply never will worry specifically about cybersecurity threats. And if it doesn't happen up top, then I bet it doesn't have much power lower in the org. Admins and middle managers may take threats into account when designing systems and processes, but other than taking a defensive approach, wouldn't be able to do much else in regards to threats; certainly nothing offensive.

(3)
I think you have great points, but I think, as others mentioned above, it is a blend of thinking about vulns and threats that results in a solid security stance.

(4)
Lastly, I think reacting to and tracking vulns gives more feedback than focusing on threats. If I have a list of vulns to address, I can mark them off as done or tracked. But if I protect my organization from threat type A, will I ever know that I was successful? It seems like a much more intangible measure.

Kinda like a police department comparing # of criminal arrests to # of prevented crimes. This might be why, ultimately, law enforcement is very reactive; it doesn't try to prevent [all] crime so much as deter it and catch those who do it.

----------------------------------------------------------------------
H. Carvey, 2008-10-31 08:10 -04:00

Richard,

A couple of things...

"Once your security program has matured to the point..."

IMHO, this is key. As a consultant, many of the organizations I deal with are in crisis mode when we first meet, for the very reason that their security program hasn't matured, or, as is often the case, they simply don't have one to speak of.

Djb referenced Chris Novak's comment (above), with respect to, "...demonstrated by the fact that 63 per cent of businesses are typically taking months rather than days to discover data leaks."

How does this happen? A solid infosec program, including a CSIRP and response team, does not generate revenue nor add to the bottom line in a demonstrable manner, and therefore is not a priority. That program needs to start with a solid assessment of where data rests, its state at rest as well as in transit, and a reduction of the overall attack surface.

----------------------------------------------------------------------
Marco, 2008-10-30 12:11 -04:00

I completely agree with this approach to managing security, but don't you think that standards like PCI-DSS just focus on the opposite? They are based almost entirely on vulnerability scans and procedures for continuous monitoring (based on known signatures, exploits, etc.).

What is your thought about this subject?

Thanks in advance!
Marco

----------------------------------------------------------------------
Francoisz, 2008-10-29 20:44 -04:00

I read the previous post (http://taosecurity.blogspot.com/2008/10/unify-against-threats.html) a little differently. Seems like focusing on threats rather than vulnerabilities also relates to implementing general countermeasures (http://taosecurity.blogspot.com/2008/06/verizon-study-continues-to-demolish.html) rather than specific ones. It seems to me that technology and its implementations are in constant flux, but basic security principles don't change so much. Businesspeople have to evaluate many different risks and have many different priorities. I read your previous post as a problem relating technology details, or specific vulnerabilities, to the wider concerns of the business. So instead of relating technical concerns, you should frame issues in more general terms that decision-makers can understand. Meaning they can relate to the threat of a natural disaster rather than, say, the details of MS08-067 on their network. Hope I didn't misunderstand there, I just got a few different things out of your posts.

I think you've written before that people like to focus on specific technologies, or specific vulnerabilities. Maybe because they can be easily measured and controlled, or tailored to an "elevator speech", or maybe security is still a maturing field. Maybe it has more to do with selling a service or product, or delivering an easily-communicated result. My "takeaway" has been that such thinking takes away from a good security posture.

I'm also getting the idea that security is the concern of the whole business, and touches all areas.

- Francoisz

----------------------------------------------------------------------
Richard Bejtlich, 2008-10-29 15:07 -04:00

Just a note on anti-forensics vs counter-forensics (http://taosecurity.blogspot.com/2007/09/comment-on-netwitness-article.html?showComment=1189525620000).

----------------------------------------------------------------------
Anonymous, 2008-10-29 12:37 -04:00

You hit the nail on the head.

Read http://www.securecomputing.net.au/News/126871,hackers-attack-forensics-tools.aspx

Criminals are increasingly deploying aggressive anti-forensics technology to ensure that prosecution is impossible, according to experts.

Christopher Novak, Principal, Verizon Business, said: "We're increasingly seeing hackers not only attempt to avoid detection, but actually attack forensic investigators. For example, there are several toolkits out there that actively defeat forensics tools by crashing the system when recognised tools are booted. Anti-forensics techniques are a clear and present danger."

Overall, anti-forensics techniques such as wiping of data have become a factor in 88 per cent of cases handled by Verizon Business.

Additionally, the techniques are becoming more successful, according to Novak, demonstrated by the fact that 63 per cent of businesses are typically taking months rather than days to discover data leaks.

"Investigations are taking longer, due to techniques ranging from simple wiping of data to corrupting, altering or obfuscating log files. We're also seeing increasing interest in and use of encryption and steganography to hide attack tools and secure stolen data from other hackers", said Novak in his presentation 'Cyber CSI: How Criminals Manipulate Anti-Forensics to Foil the Crime Scene'.

However, Novak was keen to point out that the last year has seen a shift from externalised threats to internal issues due to increased security and awareness. "We often find now that it's a business's partners or third parties that are the source of problems", he said.

----------------------------------------------------------------------
Anonymous, 2008-10-29 09:16 -04:00

Richard, I think it might help to simplify the argument a bit.

If you're a left-handed soup sandwich, then the focus should be on vulnerabilities because the likelihood that you'll be compromised by an advanced attack is low.

If your vulnerability management, i.e. KNOWN vulnerability management, is mature then it's better to focus on the actors capable of launching unknown attacks. At that point it becomes worth it to ask, "Who wants to hurt me? Who can benefit from stealing my data?" Etc.

But having this conversation when you lack the basics is like scooping water out of a boat that's at the bottom of the ocean.

So, yes, there is something to be said for "fix the vulnerability and stop worrying about where a potential exploit might come from", but this mentality ignores the fact that the most dangerous threats are likely attacking vulnerabilities that you aren't yet aware of. As such it's more effective to think about what they might be after, and about defense-in-depth, than to focus on patching known issues.

----------------------------------------------------------------------
Anonymous, 2008-10-29 09:14 -04:00

I think it's a mix. Threats, vulns, countermeasures and asset centricity all play a role. Our job as security pros is to figure out where we get the most cost-effective solutions for our customer, the business.

You are right to look at these as separate concerns; each concern yields totally different workstreams, projects and value.

In the past I have argued that infosec is too focused on threats and not enough on vulns. People like threats because it is exciting and vulns are boring, but now we see that, to give just one example, almost every F500 publishes their entire back end over MQ Series with no access control at all.

I would also add that asset focus is important. If you think about it, assets are the one single advantage you have over most adversaries. They are likely to know far more about threats, vulns and countermeasures than a corporate infosec person does. The one thing that the enterprise is likely to know more about is assets.

So I like starting with assets before I preordain the next level of centricity.

----------------------------------------------------------------------
Naveen, 2008-10-29 03:42 -04:00

Use cases, I thought, are a pretty standard way to approach problems these days.
It helps immensely to understand the users of the system while solving problems.
Is it done differently in the vulnerability world?