Security Professionals: Yes we appear vulnerable but that attack vector will never happen


In light of recent internet attacks, many institutions have started scrambling in an attempt to “strengthen” their security stance. I agree that auditing our systems and networks for potential flaws seems appropriate at this time, to prevent getting “caught with our pants down”. However, I have recently witnessed the introduction of silly and at times ineffective security adjustments. Many of these new procedures, rules, and requirements do not make us more secure and, worse, instill a false sense of security.

I have previously addressed the fallacy of absolute security. No system is perfect. A successful security model achieves resilience by implementing layers, like an onion. Through the use of security layers we can significantly hamper attack vectors and create a safer environment.

When analyzing a potential attack vector we must first determine our current location in the security layers. This step serves two purposes:

  • to prevent wasting time and energy on vulnerabilities that don’t matter at that point in our matrix;
  • to prevent causing outages and unneeded administrator and customer heartache.

If a vulnerability requires root or elevated privileges to occur, don’t waste your time resolving it. If the attacker already has root, you have bigger problems on your hands.

Some real life examples:

  1. Firewall rules denying a large range of IP addresses (like entire countries). This truly does not increase security; it just creates headaches for users. An attacker could simply proxy through an open range (like a VPS based in a more trusted zone) and gain access from there. Also, if you decide to ignore this advice and create blanket IP-range deny rules, DON’T also block services intended to be internet-facing. For example, don’t block your internet-facing DNS server if it is authoritative for public domains. This will cause countless intermittent issues and will be a nightmare to diagnose.

  2. Weekly scanning for Windows viruses on network shares or data at rest. This hammers the servers for no reason. If all the desktops run antivirus, then the file was already scanned when it was downloaded. That same file will be scanned again when it is retrieved from the share. If you want the warm fuzzies of virus scanning network file shares, do it once a year. These scans waste time and resources. I feel even more outraged when asked to virus scan network shares hosted on UNIX servers or NAS.
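The DNS caveat in the first example, as an added illustration that is not from the original post: an nftables ruleset in which the accept rules for the internet-facing authoritative DNS service are placed before the mandated blanket deny, so the range block cannot take the public zone offline. The blocked ranges are constructed placeholders (RFC 5737 documentation prefixes), the interface name and the remaining services are assumptions, and the author's point that such blocks are easily proxied around stands; this only shows how to avoid the self-inflicted outage if the rule is imposed anyway.

```nftables
#!/usr/sbin/nft -f
# Added example, not part of the original post. The ranges below are
# RFC 5737 documentation prefixes used as constructed placeholders for
# whatever "blanket" ranges a mandate might require you to deny.

flush ruleset

table inet filter {
    set blanket_deny_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # WRONG order, kept as a comment for contrast: a blanket deny
        # placed here, before the DNS accepts, silently drops queries from
        # every resolver inside the denied ranges. The zone then fails for
        # only part of the internet, which is exactly the intermittent,
        # hard-to-diagnose breakage described in the post.
        #   ip saddr @blanket_deny_v4 drop

        # Internet-facing services that must answer everyone come first.
        # An authoritative name server has to be reachable from any resolver.
        udp dport 53 accept
        tcp dport 53 accept

        # Only now apply the mandated blanket deny, so it governs every
        # service EXCEPT the ones deliberately exposed above.
        ip saddr @blanket_deny_v4 drop

        # Remaining services, which the blanket deny is allowed to restrict
        # (assumed: administrative SSH).
        tcp dport 22 accept
    }
}
```

Rules in an nftables chain are evaluated top to bottom and the first matching verdict wins, so ordering is the whole point here; the same holds for iptables chains. Check the file with `nft -c -f firewall.nft` before loading it, and confirm afterwards that a query such as `dig @<your-ns> <your-zone> SOA` still resolves from a resolver inside one of the denied ranges, since that is the failure a plain port scan from your own desk will never reveal.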

I speculate that most of these arbitrary ideas come about because the people in charge make uninformed decisions out of fear without first consulting the appropriate subject matter experts.

Unfortunately, once a security mandate is in place it seems difficult to expunge. People are just not willing to put their neck on the chopping block to banish a legacy or silly mandate, so we end up living with nonsensical rules and procedures.

http://xkcd.com/936/

7 thoughts on “Security Professionals: Yes we appear vulnerable but that attack vector will never happen”

  1. I agree with you and think the problem will worsen. As security is increasingly politicized, politicians who know nothing about the field will begin to use their security ideas as political flair. I believe we are going to enter a new era of computer security hilarity because of this.

  2. A realization must be made: as security increases, functionality decreases. A piece of dirt has no security flaws.

  3. “One Thousand Steps Begins With One, but a Jack of All Trades is a Master of None”

    Huh? Did you paste together two random quotes?

  4. While I agree with your general argument, I have a lot of concerns about your second example, which, by the way, was exactly what I was telling people three years ago. Now, with experience, I can give you some advice:

    – Yes, if you scan shared folders on Unix boxes you’re not preventing any infection from spreading from one Unix or NAS box to the next, because there are close to none for them. However, what about files stored there that are infected with Windows malware and are being accessed by Windows boxes? AV scanning of NAS/Unix shares can prevent those servers from acting as infection vectors.

    – Oh, yes, you’re redundantly doing the AV on both the servers and the client workstations, so why can’t you remove one of them? This is a good question, but again you have not given it enough thought.

    Look, if you can absolutely-positively-without-any-doubt be sure that no one is ever going to plug a machine into your network that does not have up-to-date AV (or is not susceptible to such attacks, such as a Unix box), then you can remove the AV engine on the file server and leave it to the workstation to do the virus scan.

    Somehow I think that the technical measures to prevent someone from plugging non-sanctioned equipment into your network are going to be way more costly and difficult to implement. And no, just banning that as company policy is not going to work; people regularly bring equipment from home and plug it into the Ethernet port just to see what happens.

    In fact, if I had to remove one of the two AV engines, it would be the one on the workstations. Workstations can be easily replaced, and if they go down they affect only a single person. Yes, there can be critical data stored on an individual desktop or laptop, but logic says that it should be a minor impact compared to losing a whole file server.

    So keep hammering your server with weekly, no, make it daily, AV scans. File servers are there to be hammered; after all, they are designed for… serving files. And consider AV scanning of your file server just another of those security layers you correctly mention as the foundation of good security.

    However, using such a bad example does not invalidate your argument. Yes, there are more than a fair share of completely useless security policies out there, and people prefer to keep them rather than take the risk of thinking for themselves. I agree fully with that. But just as your bad example shows, if you don’t think enough about them you may find yourself in an awkward position if something bad happens.

    Or better yet, use a sensible security professional. Which I am not (a security professional, I mean).

  5. A major reason we often do anything someone thinks up is that no one in security wants to put their neck on the line with senior management by saying something is a waste of time and effort, on the remote chance that something actually happens. They know their butt is on the line.

  6. A lot of what you complain about is “security theater.” That is, some executive mandates that something be done entirely so they can go to upper management and say that something has been done.

    Effectiveness is not even part of the equation.
