RE: Security vs. Simplicity

["Craig S. Wright" <craig.wright () Information-Defense com>]

Sites such as Facebook suffer not from complexity, but rather from the model
used in their creation. 

These Web 2.0 Agile based code structures (commonly Ruby based frameworks)
are most often derived from a Test After or "Tad too late" model. The Model,
View Controller framework used in Ruby is a good framework, but it also
simplifies the coding process such that less experienced coders are used -
those without the necessary security coding skills.

Your "simple" network is in fact far more complex than many larger systems.
In your example, you have touted an Integrated Firewall. Far from
simplifying the issue, a single host with all in one features is extremely
complex. Far more so than 6 individual system
(IPS/IDS/Firewall/AV/Logging/Router) based networks.

The integration of functions on a single host increases the attack footprint
and likelihood of error.

...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Stephen Mullins
Sent: Sunday, 24 May 2009 7:56 AM
To: dan.crowley () gmail com
Cc: security-basics () securityfocus com
Subject: Re: Security vs. Simplicity

That argument doesn't really hold up in the context of this
conversation.  A "simple" network from both an ops and security
perspective might have a single router with integrated firewall and
that's it.  No DMZ, no IDS etc.  Adding a DMZ, redundant routers,
multiple firewalls from different vendors, and IDS sensors etc. all of
a sudden makes your network much more complex, and much more secure
from a defense in depth perspective.  The defense in depth strategy
does not lessen security but rather puts more road blocks in the way
of an attacker.

On Fri, May 22, 2009 at 9:49 AM,  <dan.crowley () gmail com> wrote:
> I'd like to challenge your original assumption that security and
simplicity are inversely related (ie: more of one means less of the other)
> I have a concrete block. It is my computer. It is very simply designed. I
dare you to find a vulnerability in my computer. (A silly example, perhaps,
but it makes my point)
> In fact, with complexity ALWAYS comes more security problems. Take social
networking sites as an example. You'd think that sites as large as MySpace
with dedicated IT folks working on it might have some pretty good security,
but its track record has really sucked. Why? Because there's SO MUCH ATTACK
SURFACE.
> In addition to complexity providing more places to launch attacks (attack
surface) you also will likely have less of an ability to perceive possible
flaws in a more complex system, leaving it up to a future attacker to do so.
;)
> Given that complexity makes security harder, focus on the simplicity
first, as it will make life easier for everyone, especially your security
engineer.
> I'd also like to add that adding security as "an extra layer" sounds like
bad security to me if that's the only place security is going. Security is a
property, not a box on an inventory checklist. Upon performing pen tests in
the past, nearly all of what I see is "M&M security". One hard, difficult to
break outside layer, and soft, sweet innards.
> Good luck in building your infrastructure!
>
> --
> Dan Crowley
> "One machine can do the work of fifty ordinary men. No machine can do the
work of an extraordinary man."
> ------------------------------------------------------------------------
> This list is sponsored by: InfoSec Institute
>
> Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both
Instructor-Led and Online formats is the most concentrated exam prep
available. Comprehensive course materials and an expert instructor means you
pass the exam. Gain a laser like insight into what is covered on the exam,
with zero fluff!
> http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both
Instructor-Led and Online formats is the most concentrated exam prep
available. Comprehensive course materials and an expert instructor means you
pass the exam. Gain a laser like insight into what is covered on the exam,
with zero fluff! 

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain 
a laser like insight into what is covered on the exam, with zero fluff! 

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------