Networking-Forums.com

Professional Discussions => Security => Topic started by: Netwörkheäd on May 07, 2015, 07:54:51 AM

Title: The Fallacies of Network Security
Post by: Netwörkheäd on May 07, 2015, 07:54:51 AM
Like the Fallacies of Distributed Computing, these are assumptions made about security by those that use the network. And, like those other fallacies, these assumptions are made at the peril of both project and productivity.

1. The network can be made completely secure.
2. It hasn't been a problem before.
3. Monitoring is overkill.
4. Syslog information can be easily reviewed.
5. Alerts are sufficient warning of malicious behavior.
6. Our competition is honest.
7. Our users will not make mistakes that will jeopardize or breach security.
8. A perimeter is sufficient.
9. I don't need security because nobody would want to hack me.
10. Time correlation amongst devices is not that important.
11. If nobody knows about a vulnerability, it's not a vulnerability.

I wrote this list for the purpose of informing, educating, and aiding any non-security person that reads it. Failing that, it serves as something that I can fall back on when commiserating with other security guys.

EDIT: 18 Aug 2015 to codify the additions made in comments.
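Fallacies 4 and 10 bite together: syslog from several boxes is only reviewable if their timestamps can be laid on one timeline, and that needs known clock offsets. The script below is an added example for this thread, not code from the original post. It parses constructed RFC 3164-style lines from three made-up devices (fw01, sw01, srv01), applies constructed clock offsets of the kind you would read off NTP state, and shows how the naive per-device order tells a different story from the corrected one.

```python
"""Building one timeline from syslog sent by devices whose clocks disagree.

Added example for fallacies 4 ("syslog can be easily reviewed") and 10
("time correlation amongst devices is not that important"); it is not part
of the original post. Hosts, log lines and clock offsets are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed RFC 3164-style lines as received by a central collector. Each
# device stamps a line with its own local clock, which may be wrong.
RAW_LOGS = [
    "May  7 07:54:51 fw01 kernel: DROP IN=eth0 SRC=203.0.113.10 DST=10.0.0.5 DPT=3389",
    "May  7 07:52:00 sw01 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.10(51234) -> 10.0.0.5(3389)",
    "May  7 07:53:20 srv01 sshd[2012]: Accepted password for admin from 203.0.113.10 port 51240 ssh2",
    "May  7 07:55:12 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.10 DST=10.0.0.5 DPT=22",
]

# Measured offset of each device clock from the reference clock, in seconds
# (device time minus true time). In practice these come from NTP state
# (`ntpq -p`, `chronyc tracking`) or from comparing a device's clock with the
# collector's clock at receive time. The values here are constructed.
CLOCK_OFFSET_S = {"fw01": 0.0, "sw01": -150.0, "srv01": -120.0}

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_line(line, year=2015):
    """Split a BSD-syslog line into host, device timestamp and message.

    RFC 3164 timestamps carry no year, so the caller supplies it.
    """
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable syslog line: {line!r}")
    device_time = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"host": m["host"], "device_time": device_time, "msg": m["msg"]}


def true_time(event, offsets):
    """Remove the device's known clock offset. An unknown device is an error:
    silently trusting an uncalibrated clock is exactly fallacy 10."""
    if event["host"] not in offsets:
        raise KeyError(f"no clock offset known for {event['host']}")
    return event["device_time"] - timedelta(seconds=offsets[event["host"]])


def naive_timeline(lines, year=2015):
    """Order events by the timestamp each device wrote (what most people do)."""
    events = [parse_line(l, year) for l in lines]
    return sorted(events, key=lambda e: e["device_time"])


def corrected_timeline(lines, offsets, year=2015):
    """Order events by corrected time so cross-device sequences make sense."""
    events = [parse_line(l, year) for l in lines]
    for e in events:
        e["true_time"] = true_time(e, offsets)
    return sorted(events, key=lambda e: e["true_time"])


def skewed_devices(offsets, tolerance_s=5.0):
    """Devices whose clocks are off by more than the tolerance; fix NTP first."""
    return sorted(host for host, off in offsets.items() if abs(off) > tolerance_s)


if __name__ == "__main__":
    print("as stamped by each device:")
    for e in naive_timeline(RAW_LOGS):
        print(f"  {e['device_time']:%H:%M:%S} {e['host']:6} {e['msg'][:60]}")
    print("after correcting clock offsets:")
    for e in corrected_timeline(RAW_LOGS, CLOCK_OFFSET_S):
        print(f"  {e['true_time']:%H:%M:%S} {e['host']:6} {e['msg'][:60]}")
    print("devices needing NTP attention:", skewed_devices(CLOCK_OFFSET_S))
```

Read naively, the server's "Accepted password" appears a minute and a half before the firewall ever let port 22 through, which sends an analyst looking for a second entry path that does not exist. With offsets applied, the sequence is scan on 3389, drop, accept on 22, login. The takeaway is operational: measure and alarm on clock skew before you need the logs, because you cannot recover offsets after the fact.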
Title: Re: The Fallacies of Network Security
Post by: Otanx on May 07, 2015, 10:19:08 AM
9. I don't need security because nobody would want to hack me.

-Otanx
Title: Re: The Fallacies of Network Security
Post by: icecream-guy on May 07, 2015, 11:00:08 AM
10. Time correlation amongst devices is not that important.
Title: Re: The Fallacies of Network Security
Post by: deanwebb on May 07, 2015, 05:16:22 PM
Quote from: Otanx on May 07, 2015, 10:19:08 AM
9. I don't need security because nobody would want to hack me.

-Otanx


Actually said by a guy in IT in a bank.

A BANK.

:zomgwtfbbq:
Title: Re: The Fallacies of Network Security
Post by: that1guy15 on May 08, 2015, 03:17:57 PM
Quote from: Netwörkheäd on May 07, 2015, 07:54:51 AM
2. It hasn't been a problem before.

I hear this excuse about twice a week.

Them: We can't make changes or additions to this setup.
Me: Why?
Them: Because it's unstable.
Me: So let's fix the setup.
Them: Why? It's been running fine this way for 15 years.
Me: ....
:wall:
Title: Re: The Fallacies of Network Security
Post by: hizzo3 on May 08, 2015, 04:08:42 PM
Oh... Here is one for the list... Security through obscurity. If no one knows, it can't be a hole, right?
Title: Re: The Fallacies of Network Security
Post by: NetworkGroover on May 08, 2015, 04:54:42 PM
Quote from: that1guy15 on May 08, 2015, 03:17:57 PM
Quote from: Netwörkheäd on May 07, 2015, 07:54:51 AM
2. It hasn't been a problem before.

I hear this excuse about twice a week.

Them: We can't make changes or additions to this setup.
Me: Why?
Them: Because it's unstable.
Me: So let's fix the setup.
Them: Why? It's been running fine this way for 15 years.
Me: ....
:wall:

Yep - I specifically remember running into this myself.  We were doing end-to-end QoS testing and found out a McAfee device was stripping the DSCP tag due to the particular traffic falling under a proxy rule.  There are apparently two (I think?) types of rules, and if we used the other one (whatever that was), it would pass through the received DSCP tag.  Come to find out, the traffic was already being proxied by an actual web proxy anyway.  So naturally, I'm like, "Dude, why are we double-proxying this traffic?  What's the point?  Let's just change it to the other type of rule and get this fixed.", to which they responded with exactly what you describe here.  Thank God, someone with authority was actually intelligent during the ensuing team conference calls and forced them to change it.

Ridiculous.
Title: Re: The Fallacies of Network Security
Post by: NetworkGroover on May 08, 2015, 04:57:19 PM
Quote from: hizzo3 on May 08, 2015, 04:08:42 PM
Oh... Here is one for the list... Security through obscurity. If no one knows, it can't be a hole, right?

What?  You mean NAT doesn't guarantee security!?  :wtf:
Title: Re: The Fallacies of Network Security
Post by: deanwebb on May 08, 2015, 06:15:16 PM
For security through obscurity... most of the hack attempts are done by "me too" skiddies that are probing with out-of-date kits... so there's still someone out there running probe attempts on Novell 2.x and Banyan Vines, and although he's only 14, he will be 73h 1337 h4xx0r after he pwns your obscurity. :mrgreen:
Title: Re: The Fallacies of Network Security
Post by: hizzo3 on May 19, 2015, 12:07:18 AM
Speaking of security of another kind of network... Have y'all been following the guy that the FBI claims hacked a plane? Apparently he was able to sniff the traffic and pass commands.
Title: Re: The Fallacies of Network Security
Post by: deanwebb on May 19, 2015, 09:55:38 AM
Some security guys say he was just blowing smoke... maybe he could sniff, but they're doubting his passing commands claim.

We shall see. :drama:
Title: Re: The Fallacies of Network Security
Post by: NetworkGroover on May 19, 2015, 10:18:36 AM
Quote from: hizzo3 on May 19, 2015, 12:07:18 AM
Speaking of security of another kind of network... Have y'all been following the guy that the FBI claims hacked a plane? Apparently he was able to sniff the traffic and pass commands.

This drives me nuts if it's true.  Supposedly he attached to the in-flight entertainment system and found a way in from there.  What engineer in their right mind even physically attaches flight control systems to a public access network.... f@#$#ing ridiculous.   :angry:
Title: Re: The Fallacies of Network Security
Post by: hizzo3 on May 19, 2015, 10:22:22 AM
Your car isn't much different. Look at all the problems with CANBUS. I was looking at writing an app for Cadillac's CUE system and the EULA was so bogged down with don't do this or don't try that that I gave up. Apparently it can access the car's 'lan' and pull info about the car's performance. All of us here know if you can read, then you're only an injection away from writing on something without authentication.
Title: Re: The Fallacies of Network Security
Post by: deanwebb on May 19, 2015, 10:38:40 AM
Cars are absolutely LANs on wheels. WLANs, even, with the newer models. I am totally not a fan of that. Remote key systems, in particular, turn me off. There was a Top Gear segment where Jeremy Clarkson showed how being within a certain distance of your car with the remote key kept it unlocked and drivable. So, he got into Richard Hammond's car - a top-end muscle car, mind you - and drove it into the middle of the road before it stopped due to the key being too far from the car. He then walked back to the restaurant where Hammond and James May were eating, and they all enjoyed a nice lunch. They did remark on the unusual traffic congestion in the small town they were in, when Richard looked up and noticed his car was gone...

So, yeah, not a fan of stuff making it easier for me to get into my car. It makes it easier for lots of people to get into my car.
Title: Re: The Fallacies of Network Security
Post by: NetworkGroover on May 19, 2015, 11:37:34 AM
Quote from: hizzo3 on May 19, 2015, 10:22:22 AM
Your car isn't much different. Look at all the problems with CANBUS. I was looking at writing an app for Cadillac's CUE system and the EULA was so bogged down with don't do this or don't try that that I gave up. Apparently it can access the car's 'lan' and pull info about the car's performance. All of us here know if you can read, then you're only an injection away from writing on something without authentication.

Agreed, but a car doesn't carry nearly the amount of innocent people in it, and in a crash, I'd wager the survival rate is higher in a car than a plane. That's my issue with this airline thing... not to mention the ability to dive-bomb a plane into a building....
Title: Re: The Fallacies of Network Security
Post by: hizzo3 on May 19, 2015, 03:47:51 PM
Quote from: AspiringNetworker on May 19, 2015, 11:37:34 AM
Quote from: hizzo3 on May 19, 2015, 10:22:22 AM
Your car isn't much different. Look at all the problems with CANBUS. I was looking at writing an app for Cadillac's CUE system and the EULA was so bogged down with don't do this or don't try that that I gave up. Apparently it can access the car's 'lan' and pull info about the car's performance. All of us here know if you can read, then you're only an injection away from writing on something without authentication.

Agreed, but a car doesn't carry nearly the amount of innocent people in it, and in a crash, I'd wager the survival rate is higher in a car than a plane. That's my issue with this airline thing... not to mention the ability to dive-bomb a plane into a building....
Say that about the tanker truck of JP9 heading down a major freeway. Car tech and semi tech is rarely different. In fact, many will use the exact same ecu with different parameters in the same software revision. My car runs an E67 ecu which is currently set up for an I4... But a change of one parameter will let it run a LS3/LS9 motor.

Or even worse, with this concept of OTA updates that is new to come, imagine a trigger of full throttle to all vehicles of a make and model at a given time.

When you are talking security holes, those with ill intent are usually pretty apt for connecting the dots with something more dangerous than a single ford fiesta with a baby on board placard.
Title: Re: The Fallacies of Network Security
Post by: NetworkGroover on May 20, 2015, 12:45:48 PM
Quote from: hizzo3 on May 19, 2015, 03:47:51 PM
Quote from: AspiringNetworker on May 19, 2015, 11:37:34 AM
Quote from: hizzo3 on May 19, 2015, 10:22:22 AM
Your car isn't much different. Look at all the problems with CANBUS. I was looking at writing an app for Cadillac's CUE system and the EULA was so bogged down with don't do this or don't try that that I gave up. Apparently it can access the car's 'lan' and pull info about the car's performance. All of us here know if you can read, then you're only an injection away from writing on something without authentication.

Agreed, but a car doesn't carry nearly the amount of innocent people in it, and in a crash, I'd wager the survival rate is higher in a car than a plane. That's my issue with this airline thing... not to mention the ability to dive-bomb a plane into a building....
Say that about the tanker truck of JP9 heading down a major freeway. Car tech and semi tech is rarely different. In fact, many will use the exact same ecu with different parameters in the same software revision. My car runs an E67 ecu which is currently set up for an I4... But a change of one parameter will let it run a LS3/LS9 motor.

Or even worse, with this concept of OTA updates that is new to come, imagine a trigger of full throttle to all vehicles of a make and model at a given time.

When you are talking security holes, those with ill intent are usually pretty apt for connecting the dots with something more dangerous than a single ford fiesta with a baby on board placard.

Closer, but I still don't see the two as the same.  No point arguing about it though.  I just hope, and I'm sure there are, just like a car/truck/whatever, there are manual means of overriding a command sent maliciously - like on a car/truck you have brakes/emergency brake.. dunno what you have on a plane, but I'm sure there's something.
Title: Re: The Fallacies of Network Security
Post by: deanwebb on May 20, 2015, 12:59:49 PM
Air brakes. Duh.  :P

However, there's not a lot of easy fix for something like a nuclear power plant. Definitely do NOT want to see little devices that can make big problems get into THAT environment.  :eek:
Title: Re: The Fallacies of Network Security
Post by: hizzo3 on May 20, 2015, 02:15:47 PM
Just slip it in neutral, turn the key to off (push button doesn't work, must be mechanical key), then coast to the nearest cloud. Wait, you mean Mario walking on clouds can't happen in real life?
Title: Re: The Fallacies of Network Security
Post by: NetworkGroover on May 21, 2015, 11:37:02 AM
Quote from: deanwebb on May 20, 2015, 12:59:49 PM
Air brakes. Duh.  :P

However, there's not a lot of easy fix for something like a nuclear power plant. Definitely do NOT want to see little devices that can make big problems get into THAT environment.  :eek:

God no - thankfully I think(hope?) that was identified a long time ago as a major threat so I'm sure(hope?) that all that can be done there is being done...
Title: Re: The Fallacies of Network Security
Post by: deanwebb on May 21, 2015, 12:27:31 PM
Quote from: AspiringNetworker on May 21, 2015, 11:37:02 AM
Quote from: deanwebb on May 20, 2015, 12:59:49 PM
Air brakes. Duh.  :P

However, there's not a lot of easy fix for something like a nuclear power plant. Definitely do NOT want to see little devices that can make big problems get into THAT environment.  :eek:

God no - thankfully I think(hope?) that was identified a long time ago as a major threat so I'm sure(hope?) that all that can be done there is being done...

:yuno:
Y U NO MAKE MY REACTORS SECURE?

These guys get to have 30-day advance notice of "surprise" inspections. Honestly, the fact that there *haven't* been major attacks on these guys leads me to conclude (REDACTED DUE TO POLITICAL COMMENTS THAT REQUIRE TINFOIL HEADGEAR TO PROPERLY ACCEPT). I mean, really, all anyone would have to do would be to (HIGHLY ILLEGAL THING), followed by (ANOTHER HIGHLY ILLEGAL THING) and then, just like that, the headlines would read "(HIGHLY ILLEGAL AND DISASTROUS CONSEQUENCES OF AFOREMENTIONED HIGHLY ILLEGAL THINGS)!" So why hasn't more of that already happened?

Without discussing the methods that would be used to compromise security at nuclear reactors, LNG storage facilities, or other multi-megaton civilian gear in the USA, take a look at what would be needed somewhere with much less stringent requirements, followed even more laxly than the USA follows its requirements. Look at a nation's rate of industrial accidents and compare that to the USA's number, and that gives one an idea of how much more likely an incident at a nuclear or other major energy facility would be.

State actors would be less likely to try and penetrate US resources because they know that the USA would nuke 'em good and hard if they pulled a stunt like that... it's in the "act of war" category, and they're not ready to go there just now. But non-state actors seem fixated on pipe bombs and small-arm fire for now.

Sadly, security is in such a state that it won't be until the day *after* a non-state actor decides to target a system with destruction in mind - and then successfully pulls that off - that firms will decide to be much more serious about security. Even then, profits will still trump security - Blue Cross just had its second major hack made public in less than a year, and that means it's also the second time in less than a year that they've said that no major data was breached, it was an advanced attack, they are taking steps to minimize the damage and to close the holes, and that they've called in Mandiant.

Now, for state actors, it's a different thing. The Spratly Island thing just heated up more with Indonesia blowing up a Chinese fishing boat there and China setting up beacons to declare territorial sovereignty there. If we used that and aggression over the Senkakus to actually go to war with China, imagine how many of their grad students at major US research universities will turn out to be sleeper agents for the PRC... and then add to that number the *active* agents among Chinese national grad students, and they've basically got a forward-deployed fifth column that could rain hell on the USA's research and technological infrastructure.
Title: Re: The Fallacies of Network Security
Post by: deanwebb on August 18, 2015, 09:34:16 AM
Codified the fallacies and updated the OP.
Title: Re: The Fallacies of Network Security
Post by: deanwebb on August 18, 2015, 10:19:30 AM
Effects of the Fallacies
1. Ignorance of network security leads to poor risk assessment.
2. Lack of monitoring, logging, and correlation hampers or prevents forensic investigation.
3. Failure to view competitors and users with some degree of suspicion will lead to vulnerabilities.
4. Insufficiently deep security measures will allow minimally sophisticated penetrations to succeed in ongoing and undetected criminal activity.
Title: Re: The Fallacies of Network Security
Post by: deanwebb on August 18, 2015, 05:58:40 PM
... aaaaand now there's a video: https://www.youtube.com/watch?v=OjocuBME3pU
Title: Re: The Fallacies of Network Security
Post by: deanwebb on March 15, 2016, 04:48:24 PM
Gonna bump this after RSA...

Last year, a regional dam in the USA got hacked - someone left an RDP host exposed to the Internet with a username Admin and no password... and a group of hackers basically:

1. Did a port scan and picked up an IP address of something listening to port 3389
2. Tried logging in with admin and no password for lulz
3. Laughed their butts off when that worked
4. Started clicking around in "DAMCONTROL.EXE" so that they could get familiar with dam control software

It's not that they were determined to hack that particular dam, which was a very very minor dam, almost barely an improvement over a beaver dam, but that they were determined to hack whatever they discovered on the other side of port 3389. Now that group has some intel, screen shots, and maybe even recorded desktop video of what some US dam control software looks like. That, in turn, might enable or embolden some other group that purchases that info to take a crack at a bigger dam and to actually try to do some damage.

Kind of like what happened in the Ukraine last year when a group shut down three power relay stations, cutting off power to about 300,000 Ukrainians. The group also shut down the phone service for the Ukrainian power company. The company recovered by falling back to manual controls and is not yet back to full capacity. They're lucky that the group didn't run commands to damage or destroy physical equipment, which they could easily have done. And how did this group get in? Say hello to another unsecured RDP connection exposed to the Internet.

Then there was the recent hack at the New York Federal Reserve, in which $100 million was transferred from the Central Bank of Bangladesh's account there to a bunch of casinos in the Philippines. That's what got out - the hackers tried to move $800 million. Government of Bangladesh is furious and accuses the NY Fed of having an insider or group of insiders that approved the highly unusual transactions. I believe that the Government of Bangladesh is correct in its accusation.

All of these are "minimally sophisticated penetrations" that resulted in major daaaaaaaaaaaaaaaaaaaaaaaamn!

It's like I can study for the CISSP just by reading news stories...
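Both the dam and the Ukrainian grid stories above start with an RDP host reachable from the Internet, and both are the "minimally sophisticated penetrations" from the Effects list. Those are also the easiest to catch in logs you already have. The script below is an added example for this thread, not code from the original post: it runs two checks over constructed Windows Security events (EventID 4624/4625 with the usual TargetUserName, LogonType and IpAddress fields; the host DAMCTL01, the users and the addresses are made up). The first flags RDP logons (LogonType 10) whose source is outside the organisation's own ranges; the second flags a source that fails a few times against an account and then succeeds. The internal address plan is an assumption, and documentation addresses stand in for real Internet sources.

```python
"""Spotting Internet-facing RDP logons in Windows Security events.

Added example for this thread; not from the original post. The events are
constructed: field names follow the Windows Security log (4624 = successful
logon, 4625 = failed logon), but host, users and addresses are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# The organisation's own address plan (assumption). Anything outside these
# ranges is treated as external. Note that ipaddress.is_global/is_private
# classify documentation ranges such as 198.51.100.0/24 as non-global, so an
# explicit allow-list of internal networks is safer than relying on them.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

REMOTE_INTERACTIVE = "10"   # LogonType 10: RDP / Terminal Services session
NETWORK = "3"               # LogonType 3: network logon; RDP with NLA logs one first


def _ev(event_id, when, user, logon_type, ip, computer="DAMCTL01"):
    """Build one constructed event record with the field names Windows uses."""
    return {"EventID": event_id, "TimeCreated": when, "Computer": computer,
            "TargetUserName": user, "LogonType": logon_type, "IpAddress": ip}


SAMPLE_EVENTS = [
    # Three failures from one Internet source against "Admin"...
    _ev(4625, "2016-03-01T02:14:05", "Admin", NETWORK, "198.51.100.23"),
    _ev(4625, "2016-03-01T02:14:09", "Admin", NETWORK, "198.51.100.23"),
    _ev(4625, "2016-03-01T02:14:14", "Admin", NETWORK, "198.51.100.23"),
    # ...then the NLA network logon that precedes an RDP session...
    _ev(4624, "2016-03-01T02:14:30", "Admin", NETWORK, "198.51.100.23"),
    # ...and the RDP session itself.
    _ev(4624, "2016-03-01T02:14:31", "Admin", REMOTE_INTERACTIVE, "198.51.100.23"),
    # Routine RDP from the operations VLAN: should not be flagged.
    _ev(4624, "2016-03-01T06:02:11", "operator", REMOTE_INTERACTIVE, "10.20.0.7"),
    # Console logon (LogonType 2) carries no source address.
    _ev(4624, "2016-03-01T06:30:00", "operator", "2", "-"),
]


def is_internal(ip):
    """True only for addresses inside the organisation's own ranges.
    Non-addresses such as "-" are not internal; they simply carry no source."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def rdp_logons_from_outside(events):
    """Successful RDP sessions whose source is not an internal address.

    A hit means RDP is reachable from outside, whatever the firewall diagram says.
    """
    return [e for e in events
            if e["EventID"] == 4624
            and e["LogonType"] == REMOTE_INTERACTIVE
            and not is_internal(e["IpAddress"])]


def spray_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """(source, account) pairs with >= min_failures 4625s shortly before a 4624.

    Failures are counted per (IpAddress, TargetUserName) and reset after each
    success so one intrusion is reported once, not once per follow-up logon.
    """
    failures = defaultdict(list)
    hits = []
    for e in sorted(events, key=_ts):
        key = (e["IpAddress"], e["TargetUserName"].lower())
        when = _ts(e)
        if e["EventID"] == 4625:
            failures[key].append(when)
        elif e["EventID"] == 4624:
            recent = [t for t in failures[key] if when - t <= window]
            if len(recent) >= min_failures:
                hits.append({"source": e["IpAddress"], "user": e["TargetUserName"],
                             "failures": len(recent), "success_at": e["TimeCreated"],
                             "logon_type": e["LogonType"], "computer": e["Computer"]})
            failures[key].clear()
    return hits


if __name__ == "__main__":
    for e in rdp_logons_from_outside(SAMPLE_EVENTS):
        print(f"external RDP: {e['TargetUserName']} on {e['Computer']} "
              f"from {e['IpAddress']} at {e['TimeCreated']}")
    for h in spray_then_success(SAMPLE_EVENTS):
        print(f"spray then success: {h['user']} from {h['source']} "
              f"after {h['failures']} failures at {h['success_at']}")
```

The guessing check fires on the NLA network logon rather than the later LogonType 10 event, because with NLA the credential is validated before the session exists; if your environment has NLA disabled you will see the 4625s with LogonType 10 instead, and the logic above still works because it ignores the type when counting failures. Either hit is reason enough to pull the host off the Internet-facing path before working out who was on the other side of port 3389.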