Firewall Wizards mailing list archives

RE: Worms, Air Gaps and Responsibility


From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 13 May 2004 17:21:48 -0400 (EDT)

On Thu, 13 May 2004, Eugene Kuznetsov wrote:

[snip]
I'd argue that boxes with equal 'ubiquity' start with an equal
'targetability coefficient' which is then adjusted based on end use
(kudos, spam, intel, ...) and 'breakability'.  Since Windows scores

+1, very good points...

It is the "level of functionality/complexity" (to first order, proportional
to # of lines of code) X "ubiquity" X "value-of-seized-platform" X
"security-quality".

Hmmm, but we're missing modifiers, such as "degree of difficulty,"
"platform knowledge," and some quantification of "security-quality" that
accounts for really poor designs.

The more "connected" you are and the richer the interfaces that are exposed,
the more security risk there is. That's why RPC interfaces are so much more

That's mostly complexity- rearing its head as bugs/kloc and poor design
(a la "security is not addressed in this document.")

dangerous than simple web servers, and web servers are more vulnerable than
IP forwarding engines. The underlying security of the code is part of the
issue, but it's an independent variable.

Yet, it would seem that we've seen more damage from mail clients than from
RPC services, and more from Web servers than RPC clients (overall damage,
not per-machine severity.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

