[2336] in WWW Security List Archive
Re: Need a Security Consultant
daemon@ATHENA.MIT.EDU (Frank Willoughby)
Sat Jul 6 20:09:39 1996
Date: Sat, 6 Jul 96 17:03:13 -0400
To: www-security@ns2.rutgers.edu
From: Frank Willoughby <frankw@in.net>
Cc: chris.liljenstolpe@ssds.com
Errors-To: owner-www-security@ns2.rutgers.edu
At 04:45 PM 7/6/96 GMT, you wrote:
Chris,
Thanks for your mail. Although your mail seems to imply that we
disagree, when it comes down to brass tacks, we really do agree.
>Greetings,
>
> Some of these comments are disturbing, and indicative of the
>problems we have with INFOSEC in corporate America.
>
>On Fri, 5 Jul 96 12:13:01 -0400, the sage Frank Willoughby
><frankw@in.net> scribed:
>
>>At 02:03 PM 7/4/96 +0200, Vassilis Risopoulos allegedly wrote:
>>
>[SNIP]
>>
>>
>>No offense taken and you raised some good points. While I agree with
>>most of what you say, I don't agree with everything you said. While
>>no security is 100% impenetrable (nor will it ever be), the goal of
>>good InfoSec is to make your company less appealing (ie - more difficult
>>to break into) than other companies.
>
>This is incorrect. While this stance may protect an entity against a
>low-grade threat attack (the attacker who is out "joy-riding"), it
>will not protect a company that is the target of a directed attack
>(mid-grade to high-grade).
Sorry, but I was indeed correct. I wasn't talking about low-grade
threats. My statement applies to *any* grade of security - including
high levels of protection. FWIW, the levels of protection we had were
very high, but I digress...
FYI, *ANY* system can be cracked. A perpetrator only needs to spend
enough of any one (or more) of the following resources to crack any
system:
o time (cpu cycles, months, etc)
o money (bribes, equipment, etc)
o manpower (couple of individuals, or a small army)
Expending enough of any of the above resources will crack any system.
Cases in point: the Enigma Engine & the Polish underground, CIA &
Ames, the number of escapees from East Germany while the fence was
up, etc.
>In these cases, the act of breaking in is
>not the driving force, it is achieving a goal after getting in.
Depends on the hacker. Some hackers just like to keep score of how
many corporations they broke into, the other stuff is just icing on
the cake. With some others, the break-in is just the preliminary stuff
until the major stuff goes down. (industrial espionage, etc.).
>In these cases (industrial espionage, info-terrorism, information
>warfare, etc.) the target is a specific entity or company, and the
>attacker will not "just go away and attack a softer target" if the
>target is hardened, the attacker will, instead, continue to probe
>electronically, physically, and socially. They WILL find a way in.
>The goal is to make it VERY expensive for them to do so (hopefully
>more expensive than the return on investment), detect them when they
>DO get in, and limit the amount of damage that they can do.
Actually, VERY expensive, time-consuming, or manpower-intensive, as
stated above. As I mentioned earlier, no system is 100% secure.
We agree that at some point a determined adversary WILL find a
way in. The objective is to make them work very hard to do so.
>American corporations are, for the most part, concerned about
>low-grade threats, and are ignoring the potentially more devastating,
>higher-grade threats. Your statement is a PRIME example.
<chuckle> FYI, the problem isn't limited to American corporations.
I happened to be in Germany (Vassilis' back yard) while working as
an ISO. (Best regards to all who know me) 8^)
>>IOW, if I'm taking a hike in the woods with someone else and a bear
>>starts to chase us, I only need to run faster than the other person
>>to be assured a reasonably good chance of coming out of the situation
>>(more or less) intact. The same applies to businesses & hacking.
>>Hackers, like most other people, usually tend to go the path of least
>>resistance. Why would they spend weeks or months trying to crack one
>>company while at another company, it only takes a few minutes? Unless
>>the hacker has a personal axe to grind, they usually won't bother.
>>
>>During the time I worked at the subsidiary, we had no successful
>>break-ins. You'll excuse me if I don't talk about that company's
>>security, but I will say that we made ourselves a less attractive
>>target than other corporations and that we spent some serious energy
>>into securing the remote access connections. Not every company is
>>willing to spend some time & money in securing their remote access
>>connections (which represent one of the primary entry points an intruder
>>can have into a corporation) - and the results frequently show up in
>>the press.
>>
>>However, I will mention that it is a very wise procedure to have
>>as few gateways as possible and to guard those gateways like a hawk.
>>Assuming that the connections are secure AND that those connections
>>are monitored for potential abuses AND you are ready to pull the
>>plug if anything looks suspicious, THEN you have a decent start
>>on good network security.
>>
To summarize, Chris, when you add everything up, we agree on most of
the things mentioned in my mail & in yours. I think that you mistook
what I said to apply to low-grade security or perhaps security by
obscurity (which isn't security IMHO). Regardless, I wasn't talking
about any one particular level of security. The statements I made
apply to *all levels* of security. No system is 100% secure. If
anyone wants to get in, they eventually can. However, I'm of the
opinion that it should take them a very long time to do so. Hopefully,
by then, the info they wanted to get will be out-of-date and/or useless.
>--
> ( ( | ( Chris Liljenstolpe <Chris.Liljenstolpe@ssds.com>
> ) ) (| ), inc. SSDS, Inc; 8400 Normandale Lake Blvd.; Suite 993
> business driven Bloomington, MN 55437;
> technology solutions TEL 612.921.2392 FAX 612.921.2395 Fram Fram Free!
> PGP Key 1024/E8546BD5 FE 43 BD A6 3C 13 6C DB 89 B3 E4 A1 BF 6D 2A A9
Best Regards & Have a Great Weekend!,
Frank
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist
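The quoted advice above (few gateways, monitor them for abuse, be ready to pull the plug when something looks suspicious) is easier to act on with a concrete monitor in hand. What follows is an added example written for this archive page; it is not code from the original thread or from either poster. It assumes a constructed remote-access log format (ISO timestamp, result, user, source port), and the thresholds, business hours and account names are assumptions chosen for illustration.

```python
"""Added example: a small monitor over remote-access gateway log lines.

Illustrative code written for this archive page, not from the original thread.
The log format, thresholds and account names are constructed assumptions;
adapt parse_line() to whatever your gateway actually emits.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format: ISO timestamp, result, user, source).
SAMPLE_LOG = """\
1996-07-06T02:11:03 FAIL alice dialin-07
1996-07-06T02:11:09 FAIL alice dialin-07
1996-07-06T02:11:15 FAIL alice dialin-07
1996-07-06T02:11:21 FAIL alice dialin-07
1996-07-06T02:11:30 OK alice dialin-07
1996-07-06T09:02:44 OK bob dialin-02
1996-07-06T23:40:12 OK carol dialin-11
"""

FAIL_THRESHOLD = 3             # failed attempts per user before alerting (assumed)
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 treated as normal hours (assumed)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, result, user, source = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"when": when, "result": result, "user": user, "source": source}


def analyze(log_text, fail_threshold=FAIL_THRESHOLD, business_hours=BUSINESS_HOURS):
    """Walk the log in order and return a list of (kind, user, detail) alerts.

    kinds: 'brute-force'  -> a successful login preceded by >= fail_threshold
                             failures for the same account
           'off-hours'    -> a successful login outside business_hours
    Failure counters reset after each successful login for that account.
    """
    fails = defaultdict(int)
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than crash the monitor
        user = rec["user"]
        if rec["result"] == "FAIL":
            fails[user] += 1
            continue
        if rec["result"] == "OK":
            if fails[user] >= fail_threshold:
                alerts.append(("brute-force", user,
                               f"{fails[user]} failures then success from {rec['source']}"))
            if rec["when"].hour not in business_hours:
                alerts.append(("off-hours", user,
                               f"login at {rec['when'].isoformat()} from {rec['source']}"))
            fails[user] = 0
    return alerts


def users_to_disconnect(alerts):
    """Accounts an operator would consider cutting off: any with a brute-force alert."""
    return sorted({user for kind, user, _ in alerts if kind == "brute-force"})


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for kind, user, detail in found:
        print(f"{kind:12} {user:8} {detail}")
    print("pull the plug on:", users_to_disconnect(found))
```

On the constructed sample, alice trips both rules (four failures then a 02:11 success) and carol trips only the off-hours rule, so the monitor reports three alerts and names alice as the session to cut. The point of the example is the shape of the check, not the specific thresholds: one narrow gateway, one log that is actually read, and a decision rule agreed in advance for when to disconnect.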