funsec mailing list archives
Re: standards status in the industry - opinion?
From: Barrie Dempster <barrie () reboot-robot net>
Date: Mon, 09 Jan 2006 00:18:41 +0000
On Mon, 2006-01-09 at 12:01 +1300, Nick FitzGerald wrote:
Nah -- SRP is very, very much a poor man's form of whitelisting. It does not work properly and never did. I'm sure it was thrown together over a sleepless weekend by two drunk lemurs who happened to wander onto the MS campus with the objective of knocking out a Shakespearian sonnet or two by engaging in their own form of "a million monkeys typing"...
I didn't say it was great. But it is white-listing functionality. It doesn't have much competition or much usage so MS don't focus too much on making it worthwhile.
Do these people still wear diapers?
They live in a world where you can have distributed Kerberos authentication, LDAP resource location and a whole pile of other technologies without knowing anything about them. Yes, this is definitely diaper land. There is a real belief that "any monkey can run a Windows network", when the truth is that "any monkey can run a Windows network - badly!"
It is a fundamental tenet of security that I cannot define your security policy.
They are not expected to define the policy, but to provide the signatures so that the administrator can define the policy. There is no point in every admin auditing their network and trying to figure out if this copy of file.exe is the same as the official one by creating sigs for both, if the vendor can give them a repository to compare to, reducing their workload. It's the repositories I think are needed, as well as the software to manage them, both locally and remotely, in much the same way that update systems work for many Linux distributions, although with a slightly different focus.
If you don't like that and won't do the work to sort out your own network you _definitely_ should not be allowed to connect to the Internet...
I think they would do the work, if the vendor backed them up. Identifying and creating a signature for every file on a network is no mean feat. If your OS vendor does their own stuff and you just have to do the 3rd parties (or even just the 3rd parties that didn't have the foresight to create their sigs for the OSs they run on), the job is made much easier. Windows administrators generally want central administration, distributed storage, redundancy, ease of use and, most importantly, they want someone else to set it all up for them, which is one reason why Active Directory is so widespread and hard to replace. Saying "I want to run these programs that my OS provides" is entirely different from saying "I want to run these programs that my OS provides and I've identified their signatures as ...". That's a two-step process. If the vendor or an ISV provides the signatures for you and all you have to do is check a box then add in your 3rd party stuff, your job is much easier - although admittedly the 3rd party stuff could well be a major task in itself.
Of course, when I said someone else cannot do your security policy for you, I mean in the "out of the box" kind of way that Barrie says his clients/informants expect. Well-informed and trained security consultants should be able to do a good policy for others after carefully examining their requirements, but a "one size fits many/most/all" type approach is not suitable -- it reflects the opposite of the "security is process" ideal that we espouse so often.
I absolutely don't advocate them setting the policy, just providing the information so that the admins can.
As discussed elsewhere in the thread though, it was somewhat impractical _at the time_ on the predominant small computers (PCs, Macs, etc.) with their lack of memory protection and other resource limitations, and the larger systems didn't need something like this as they were (mostly) competently run (and mostly not on, or even near, the Internet).
Indeed yeh. For now, in a decent sized network that has competent IT staff, whitelisting can work - to an extent. However I don't know of a project that attempts to tackle this in any practical way. I don't consider administrators creating their own sigs, for components of the OS, in any way practical. It makes much more sense for this to be done centrally by the provider, especially from a Windows administrator's point of view.
--
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue
"He who hingeth aboot, geteth hee-haw" Victor - Still Game
blog: http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3
Attachment: smime.p7s
Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
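The two-step workflow Barrie argues for (vendor publishes signatures for its own OS components, the admin signs only the third-party software they deploy, and the combined set is checked against what is actually on the hosts), written out as an added example that is not part of the thread and not any vendor's tooling. The sha256sum-style manifest format, the directory names and the file contents are all constructed for the example; it reproduces the matching logic of an SRP-style hash rule in Python (a match is by content hash, not by path) rather than driving SRP or Group Policy itself.

```python
"""Hash-manifest whitelisting check (added example, not from the thread)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Create the 'sigs' for every file under root: {relative path: sha256}."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def format_manifest(manifest):
    """Serialise as sha256sum-style lines (assumed format) so it can be published."""
    return "".join(f"{d}  {p}\n" for p, d in sorted(manifest.items()))


def parse_manifest(text):
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, rel = line.split(None, 1)
        manifest[rel] = digest.lower()
    return manifest


def check_tree(root, *manifests):
    """Classify every file under root against the union of the manifests.

    Like an SRP hash rule, a match is by content hash, not path, so a known-good
    binary is allowed wherever it sits.  A file whose path is listed but whose
    hash is not is 'modified' (tampered, or updated without a new signature);
    a file matching nothing is 'unknown'.
    """
    known_hashes, known_paths = set(), set()
    for m in manifests:
        known_hashes.update(m.values())
        known_paths.update(m)
    result = {"allowed": [], "modified": [], "unknown": []}
    for rel, digest in sorted(build_manifest(root).items()):
        if digest in known_hashes:
            result["allowed"].append(rel)
        elif rel in known_paths:
            result["modified"].append(rel)
        else:
            result["unknown"].append(rel)
    return result


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: 'gold' is what the vendor shipped and hashed; 'live'
    is the admin's host, with one locally signed third-party tool, one altered
    vendor file and one binary nobody listed."""
    with tempfile.TemporaryDirectory() as tmp:
        gold, live = os.path.join(tmp, "gold"), os.path.join(tmp, "live")
        os_files = {
            "System32/file.exe": b"MZ official file.exe",
            "System32/svc.dll": b"MZ official service library",
        }
        for rel, data in os_files.items():
            _write(os.path.join(gold, *rel.split("/")), data)
            _write(os.path.join(live, *rel.split("/")), data)
        # Step 1 (vendor): publish signatures for the OS components.
        vendor_manifest = parse_manifest(format_manifest(build_manifest(gold)))
        # Step 2 (admin): sign only the third-party software deployed locally.
        tool = b"MZ third-party backup agent"
        _write(os.path.join(live, "Tools", "backup.exe"), tool)
        admin_manifest = parse_manifest(
            "# third-party software approved locally\n"
            f"{hashlib.sha256(tool).hexdigest()}  Tools/backup.exe\n"
        )
        # What the check has to catch: a tampered OS file and a dropped binary.
        _write(os.path.join(live, "System32", "svc.dll"), b"MZ service library + implant")
        _write(os.path.join(live, "System32", "dropper.exe"), b"MZ not in any manifest")
        return check_tree(live, vendor_manifest, admin_manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {', '.join(paths) or '-'}")
```

The split matters for workload: the vendor manifest is produced once from the shipped image and simply consumed, so the admin only ever hashes the third-party tree. Matching by hash rather than path is what turns this into a whitelist; the "modified" bucket exists because a path that is listed but no longer matches is the case an admin most wants to look at first.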
Current thread:
- Re: standards status in the industry - opinion?, (continued)
- Re: standards status in the industry - opinion? Nick FitzGerald (Jan 08)
- Re: standards status in the industry - opinion? Blue Boar (Jan 08)
- Re: standards status in the industry - opinion? Drsolly (Jan 08)
- Re: standards status in the industry - opinion? Blue Boar (Jan 08)
- RE: standards status in the industry - opinion? Stephen Villano (Jan 08)
- RE: standards status in the industry - opinion? Drsolly (Jan 08)
- RE: standards status in the industry - opinion? Nick FitzGerald (Jan 08)
- Re: standards status in the industry - opinion? Nick FitzGerald (Jan 08)
- Re: standards status in the industry - opinion? Barrie Dempster (Jan 08)
- Re: standards status in the industry - opinion? Nick FitzGerald (Jan 08)
- Re: standards status in the industry - opinion? Barrie Dempster (Jan 08)
- Re: standards status in the industry - opinion? Valdis . Kletnieks (Jan 08)
- Re: standards status in the industry - opinion? Barrie Dempster (Jan 09)
- Re: standards status in the industry - opinion? James Kehl (Jan 09)
- Re: standards status in the industry - opinion? Barrie Dempster (Jan 09)
- Re: standards status in the industry - opinion? Drsolly (Jan 08)
- Re: standards status in the industry - opinion? Nick FitzGerald (Jan 08)
- Re[2]: standards status in the industry - opinion? Pierre Vandevenne (Jan 07)
- Re[2]: standards status in the industry - opinion? Drsolly (Jan 07)
- Re: Re[2]: standards status in the industry - opinion? Nick FitzGerald (Jan 07)
- Re: Re[2]: standards status in the industry - opinion? Drsolly (Jan 08)