Security's Dirty Little Secret that Isn't

Security isn't politics. Back in 1991 Bill Clinton's campaign coined the phrase "It's the economy, stupid" to drive home the single most important message of the candidate. In security we're more likely to say "X won't work, stupid," where X is your favorite security technology whipping boy. Take Roger Grimes's post in InfoWorld entitled "Security design: Why UAC will not work". Grimes is right to add the subtitle "Pinning all your end-point security hopes on UAC assumes that criminals are not as smart as they really are." He makes good points in his piece and in a follow-on article with the subtitle "Least privilege won't solve every security problem, but it's a significant step in the right direction." My concern isn't so much with UAC or even least privilege in general but with the idea of taking a technology out of the broader context in which it is used and criticizing or praising it relative to some other context.

We can take UAC, anti-virus, content filtering, firewalls, IPS, or any other security technology and list all the things it doesn't do and how attackers can get around it. That isn't news. That's why we use multiple complementary technologies (aka "defense in depth"). Grimes argues for this at the end of the second article:

For example, suppose you have a castle with four entry points over the surrounding moat. When you have that many entry points, you have to provide equal protection (from soldiers, hot tar, flaming arrows, and more) to all four of them; otherwise, the attacker will learn the weakest point and attack it first. By reducing the number of entry points, the defensive force can spend less money overall and better protect what remains. The same goes for least privilege computer defenses.

Where I disagree with Grimes is the opening line of his first piece:

It's security's dirty little secret: Not having your users logged in as root or administrator will not stop malware.

Since when is that a secret? I think we'd be better off if we spent more time focusing on what works and how to keep it working than picking a technology apart in isolation. It's more useful to concentrate on how to use technologies together to address security issues.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net