RE: Why Easy To Use Software Is Putting You At Risk

["Craig Wright" <cwright () bdosyd com au>]

Hello

Here I have to state that I agree 100% and categorically with Dave.

FUD - Fear Uncertainty and Doubt is a common tool used by vendors to sell security. It is also one of the greatest 
threats to security today.

It makes people inured to security in the long run (i.e. cry wolf) and in the short term results in a lot of technical 
solutions that generally fail to address the issue.

NASA uses hazard and survivability models to determine risk. They do not engineer to not fail - they just reduce the 
probability of an incident. What needs to be remembered that is that 1 in a million occurrence happens all the time in 
the real world. Even a 1 in a billion occurrence will happen daily somewhere in the world. Welcome to the world of risk.

So as to the original post, how would complex software make you less risk prone?

Regards,
Craig

-----Original Message-----
From: dave kleiman [mailto:dave () davekleiman com]
Sent: 23 February 2006 2:23
To: security-basics () securityfocus com
Cc: Darren.Miller () defendingthenet com; 'defendingthenet'
Subject: RE: Why Easy To Use Software Is Putting You At Risk

Inline....    


     -----Original Message-----
     From: defendingthenet [mailto:mlapidus () ccim net]
     Sent: 20 February 2006 14:35
     To: security-basics () securityfocus com
     Subject: Why Easy To Use Software Is Putting You At Risk
    
    
    
     Title
     -----
     Why Easy To Use Software Is Putting You At Risk
    
     Can Easy To Use Software Also Be Secure
     ----------------------------
     Anyone who has been working with computers for a long time
     will have noticed
     that mainstream operating systems and applications have
     become easier to use
     over the years (supposedly). Tasks that use to be complex
     procedures and
     required experienced professional to do can now be done at
     the push of a
     button. For instance, setting up an Active Directory
     domain in Windows 2000
     or higher can now be done by a wizard leading even the
     most novice technical
     person to believe they can "securely" setup the operating
     environment.

Where does it claim that it is "securely" setting up AD in the wizard?

     This
     is actually quite far from the truth. Half the time this
     procedure fails
     because DNS does not configure properly or security
     permissions are relaxed
     because the end user cannot perform a specific function.

Sounds like you have had this problem a few times, maybe you should not use the wizard, or attempt AD setups.

Do you understand how to "securely" setup AD, for your comments here, I would say no.

Instead of using the "sky is falling routine" suggest how to do these things securely instead of syaing "look how 
terrible this is"


    
     If It's Easy To Develop, Is It Also Secure
     --------------------------------------------------
     One of the reasons why operating systems and applications
     "appear" to be
     easier to work with then they use to is developers have
     created procedures
     and reusable objects to take care of all the complex tasks
     for you.

   
Are you referring to shared code? In case you do not know what that is, it is code that is shared by apps for the same 
routines.


     For instance, back in the old days when I started as a
     developer using assembly
     language and c/c++, I had to write pretty much all the
     code myself.


Are you suggesting your code was more secure back in the "old" days, when security was not a concern in coding?


     Now everything is visually driven, with millions of lines of
     code already
     written for you.  All you have to do is create the
     framework for your
     application and the development environment and compiler
     adds all the other
     complex stuff for you. Who wrote this other code? How can
     you be sure it is
     secure. Basically, you have no idea and there is no easy
     way to answer this
     question.  
    
     Secure Environments Don't Exist Well With Complexity
     ----------------------------
     The reality is it may look easier on the surface but the
     complexity of the
     backend software can be incredible. And guess what, secure
     environments do
     not coexist well with complexity. This is one of the
     reasons there are so
     many opportunities for hackers, viruses, and malware to attack your
     computers. How many bugs are in the Microsoft Operating
     System? I can almost
     guarantee that no one really knows for sure, not even
     Microsoft developers.
     However, I can tell you that there are thousands, if not
     hundreds of
     thousands of bugs, holes, and security weaknesses in
     mainstream systems and
     applications just waiting to be uncovered and maliciously
     exploited.
    
     How Reliable and Secure are Complex Systems?
     ----------------------------------------------------------
     Let's draw a comparison between the world of software and
     security with that
     of the space program. Scientists at NASA have know for
     years that the space
     shuttle is one of the most complex systems in the world.
     With miles of
     wiring, incredible mechanical functions, millions of lines
     of operating
     system and application code, and failsafe systems to
     protect failsafe
     systems, and even more failsafe systems to protect other
     systems. Systems
     like the space shuttle need to perform consistently, cost
     effectively, and
     have high Mean-Time-Between-Failure(MTBF).
    
     *All in all the space shuttle has a good record.*


     One thing
     it is not though
     is cost effective and consistent. Every time there is a
     launch different
     issues crop up that cause delays. In a few circumstances,
     even the most
     basic components of this complex system, like "O" rings,
     have sadly resulted
     in a fatal outcome. Why are things like this missed? Are
     they just not on
     the radar screen because all the other complexities of the
     system demand so
     much attention? There are million different variables I'm
     sure. The fact is,
     NASA scientists know they need to work on developing less
     complex systems to
     achieve their objectives.
   

Ok now you have stepped out of bounds, first of all I love NASA and have the utmost respect for them and all the 
astronauts who have braved the frontier.
However, the record of the shuttle is 110+ scrubbed launches. That is more than the number of launches. You can do the 
math for the rest, but it does not add up to a good record, you might have to use one of those "complex systems" though 
to run calc.

So your saying a more simplistic system would create a better record, maybe they should try fly the Kitty Hawk to the 
moon.


I am just going to stop here and say Hogwash.

My advice to you is stop selling fear and your opinion, and start selling solutions to problems. Next time tell us how 
to fix your proposed problems.





Respectfully,

______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE

www.SecurityBreachResponse.com
 



     This same principal of reducing complexity to increase security,
     performance, and decrease failures really does apply to
     the world of
     computers and networking. Ever time I here associates of
     mine talk about
     incredibly complex systems they design for clients and how
     hard they were to
     implement I cringe. How in the world are people suppose to
     cost effectively
     and reliably manage such things. In some cases it's almost
     impossible. Just
     ask any organization how many versions or different brands
     of intrusion
     detection systems they have been through. As them how many
     times the have
     had infections by virus and malware because of poorly
     developed software or
     applications. Or, if they have ever had a breach in
     security because the
     developer of a specific system was driven by ease of use
     and inadvertently
     put in place a piece of helpful code that was also helpful
     to a hacker.
    
     Can I Write A Document Without A Potential Security Problem Please
     -----------------------------------------------
     Just a few days ago I was thinking about something as
     simple as Microsoft
     Word. I use MS-Word all the time, every day in fact. Do
     you know how
     powerful this application really is? Microsoft Word can do
     all kinds of
     complex tasks like math, algorithms, graphing, trend
     analysis, crazy font
     and graphic effects, link to external data including
     databases, and execute
     web based functions.
    
     Do you know what I use it for, to write documents. nothing
     crazy or complex,
     at least most of the time. Wouldn't it be interesting that
     when you first
     installed or configured Microsoft Word, there was an
     option for installing
     only a bare bones version of the core product. I mean,
     really stripped down
     so there was not much to it. You can do this to a degree,
     but all the shared
     application components are still there. Almost every
     computer I have
     compromised during security assessments has had MS-Word
     installed on it. I
     can't tell you how many times I have used this
     applications ability to do
     all kinds of complex tasks to compromise the system and
     other systems
     further. We'll leave the details of this for another
     article though.
    
     Conclusion
     ----------
     Here's the bottom line. The more complex systems get,
     typically in the name
     of ease of use for end users, the more opportunity for
     failure, compromise,
     and infection increases. There are ways of making things
     easy to use,
     perform well, and provide a wide variety of function and
     still decrease
     complexity and maintain security. It just takes a little
     longer to develop
     and more thought of security. You might think that a large
     part of the blame
     for complex insecure software should fall on the shoulders of the
     developers. But the reality is it is us, the end users and
     consumers that
     are partially to blame. We want software that is bigger,
     faster, can do just
     about everything, and we want it fast. We don't have time
     to wait for it to
     be developed in a secure manner, do we?
    
     You may reprint or publish this article free of charge as
     long as the
     bylines are included. 
    
     Original URL (The Web version of the article)
     ------------
     http://www.defendingthenet.com/NewsLetters/WhyEasyToUseSoft
     wareIsPuttingYouA
     tRisk.htm
    
     About The Author
     ----------------
     Darren Miller is an Information Security Consultant with
     over seventeen
     years experience. He has written many technology &
     security articles, some
     of which have been published in nationally circulated magazines &
     periodicals.  If you would like to contact Darren you can
     e-mail him at
     Darren.Miller () defendingthenet com. If you would like to
     know more about
     computer security please visit us at
     http://www.defendingthenet.com.
    
   


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec 
management education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree customizations including Emergency Management, 
Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------