Episteme

Mike's random thoughts and ramblings

I have the Security Silver Bullet!!!

Well, actually, no, I don't. But I've seen a lot of people claim that they do - they're usually product salesmen.

I started thinking about this when I read Ryan's recent blog post over at the nCircle blog. Ryan's a smart dude, and somebody who everyone should read whenever he has a post.

Ryan posits the following scenario:

So you are an administrator within random company 'X'. You have been happily using a certain product that has had some known vulnerabilities within it. However this isn't a problem as you've patched them as the patches have come out. The vendor came out with a new version of the product a year ago and has been pushing all users to upgrade. Being a safe administrator worried about the interaction of new products and desktop installs, you've been testing the product in your test lab and everything seems a-ok. So you decide to push the new product out to all the desktops slowly department by department. Everything works well. All users are happy.

After a couple of weeks though, users are reporting that their boxes are acting funny. After some detective work, you've noticed that the boxes have been exploited with an old exploit in one of the vulnerabilities within the product you just upgraded to. Knowing that you patched already a couple of months ago when the patch came out, you believed that you were safe. Taking a look at the patch management system, the system reports all the exploited boxes as patched to this vulnerability. Management is unhappy and you are SOL.

He then goes on to rant about this being the vendor's fault. While I agree with him that the vendor is culpable, I also think that the hypothetical administrator in question should have his ass handed to him/her - he/she violated a core tenet of rational thinking: he relied on a single source of information to make a decision. In handing that much trust to any one system (be it patch management, vulnerability management, IDS or the Oracle at Delphi) he/she has been ignorant of other information in the world that could have helped him/her make an informed decision.

In NLP terms, there is a fundamental concept called "triple description". It suggests that, in order to concieve of a well-formed model of the world, one needs to percieve a situation from at least three perspectives. This is equally true in security - you need to take information from a bunch of different systems in order to have a complete view of the world.

So, in Ryan's scenario, the administrator made a fundamental mistake in trusting the patch management system. He/she should have run another tool against the newly deployed systems before rolling out - a vulnerability management system, a serious protocol fuzzer. And the administrator should have had an IDS and an endpoint firewall enabled, too.

It used to be called "Defense In Depth" before that became an over-used cliche that now mostly means "buy more stuff". It's not about buying more - it's about having enough descriptions in your world to help you make appropriate decisions.

In short, if somebody tells you that they have the Security Silver Bullet ("you won't need system X anymore!!"), walk away. And check that you still have your wallet.

Share this post

About the author

Michael Murray

Michael Murray