RE: This computer security column is banned in Canada (Three messages)

[InfoSec News <isn () c4i org>]

Forwarded from: Pete Lindstrom <petelind () comcast net>

The existence of articles does not mean that the assertions are true.
The fact is, we practice security through obscurity every day in the
security space. We don't divulge what solutions/techniques we use to
protect our systems; we encrypt meaningless data to make it harder to
pick out important stuff; we use honeypots to deceive attackers; we
change port numbers for common services, etc. Heck, even the use of
passwords is a form of security through obscurity. (Now is where you
smirk and say "yeah, see where passwords got us..." but there is no
denying the universal use as a basic form of security, and there
aren't many people doin something different).

Security through obscurity gets a bum rap in the security profession
because it is often an excuse for inaction. I believe it is one of
many tactical approaches that are useful as part of a strong security
program as long as people understand its limitations and don't rely on
it too heavily. Let's face it - we need all the help we can get. If a
little bit of obscurity helps (and I think it can at least temporarily
and in specific areas) then use it. Just don't base your entire
security program on it.

The next generation of virus defense is already developing - in the
form of host intrusion prevention and trusted operating systems (yes,
I mean Palladium). We should be spending our time making them less
intrusive, more manageable, and more flexible in heterogeneous
environments. Teaching someone to write viruses is a sexy-cool way to
get some attention, but logically flawed and distracting as a strong
way to develop virus defenders. We need to teach people how to detect
viruses amidst a sea of good processes and understand how they act in
their attack, payload, and propagation vectors, then teach them how to
identify the many attack points in software. Why not teach a class on
how to detect and stop viruses? Because it doesn't have the sexy-cool
factor, that's why. There is much, much more to security than catering
to the rock-star coolness of writing a virus that will take over the
world (eventually one of the students will have to try it). The
benefits do not outweigh the risks, and there are plenty of
alternatives that "think differently" and are less risky.

Pete  


-----Original Message-----
From: owner-isn () attrition org [mailto:owner-isn () attrition org] On Behalf
Of InfoSec News
Sent: Thursday, June 05, 2003 4:39 AM
To: isn () attrition org
Subject: RE: [ISN] This computer security column is banned in Canada

Forwarded from: Tony | AVIEN / EWS <tony () avien org>
Cc: steve () entrenchtech com, Rob () vmyths com

There are articles and papers everywhere talking about why Security
Through Obscurity doesn't work as an effective security measure. It is
a bureaucratic dream that if only you pretend the problem doesn't
exist or hide its existence from the general population that the
problem will go away.

Do the students have to develop new viruses to learn about viruses-
no. But, to quote Albert Einstein "You cannot solve the problem with
the same kind of thinking that has created the problem."

I think that to develop the next generation of virus defense we need
people to get into the minds of the virus writers and think like them-
use their tools, work the way they work. Maybe by doing so they can
find the chinks in the armor before the bad guys and develop proactive
tools instead of the reactionary virus defense we currently have.

Read the article I wrote on this controversial topic:
http://netsecurity.about.com/cs/generalsecurity/a/aa060303.htm


-=-


Forwarded from: Brooks Isoldi <bjisoldi () buffalo edu>

With all due respect to the corporate exec who was quoted in the
original article as asking "Do they teach classes on how to hack?",
but he is obviously not up on todays times and doesn't seem all too
bright to me.  He had no business being quoted in this article.  He
may want to check out the NSA Information Assurance program settup in
about a dozen universities around the country that have classes in the
curriculum on hacking, cryptography/cryptology, and computer security.

It really is a no brainer that the best defenders are those who think
just like the offenders.

Brooks


-=-


Forwarded from: Julie Ranada <ranada () cs ubc ca>

A suggestion if people are so alarmed about having UCalgary offer
virus-writing classes to their students:  why not have Microsoft buy
up all the seats in the class and have their programmers attend it...




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.