The Fallacies of Network Security

Started by Netwörkheäd, May 07, 2015, 07:54:51 AM


Netwörkheäd

Like the Fallacies of Distributed Computing, these are assumptions made about security by those that use the network. And, like those other fallacies, these assumptions are made at the peril of both project and productivity.

1. The network can be made completely secure.
2. It hasn't been a problem before.
3. Monitoring is overkill.
4. Syslog information can be easily reviewed.
5. Alerts are sufficient warning of malicious behavior.
6. Our competition is honest.
7. Our users will not make mistakes that will jeopardize or breach security.
8. A perimeter is sufficient.
9. I don't need security because nobody would want to hack me.
10. Time correlation amongst devices is not that important.
11. If nobody knows about a vulnerability, it's not a vulnerability.

I wrote this list for the purpose of informing, educating, and aiding any non-security person that reads it. Failing that, it serves as something that I can fall back on when commiserating with other security guys.

EDIT: 18 Aug 2015 to codify the additions made in comments.
Let's not argue. Let's network!
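Fallacies 4 and 10 in practice, as an added example that is not part of the original post: three devices each log one piece of the same SSH intrusion, but two of their clocks are off. Sorting on the raw syslog timestamps puts the login a quarter of an hour before the firewall even accepted the connection, and a simple correlation rule ("login within 60 s of a firewall accept from the same source") never fires. Applying each device's measured clock error (what NTP would have prevented in the first place) restores the real sequence. The hostnames, addresses, log lines and offsets are all constructed for the example.

```python
"""Why clock skew breaks syslog correlation (constructed example, not from the thread)."""
import re
from datetime import datetime, timedelta

LOG_YEAR = 2015  # RFC 3164 timestamps carry no year; assume the thread's year

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed RFC 3164 lines in receipt order; hostnames and addresses are hypothetical.
SAMPLE_LOGS = [
    "May  7 07:55:10 fw-edge kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 DPT=23",
    "May  7 07:40:14 srv-app sshd[2211]: Accepted password for admin from 203.0.113.5 port 41222 ssh2",
    "May  7 08:02:12 sw-core %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.5(41222) -> 198.51.100.10(22), 1 packet",
    "May  7 07:55:11 fw-edge kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 DPT=22",
]

# Assumed per-device clock error, as seconds to ADD to the logged time to get true time
# (e.g. measured against an NTP reference). fw-edge is the synced reference.
CLOCK_OFFSETS = {
    "fw-edge": 0,
    "sw-core": -420,   # switch clock runs 7 min fast
    "srv-app": +900,   # server clock runs 15 min slow
}


def parse_line(line):
    """Split one RFC 3164 line into timestamp, host, message and first source IP seen."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line: %r" % line)
    ts = datetime.strptime("%d %s" % (LOG_YEAR, m.group("ts")), "%Y %b %d %H:%M:%S")
    ip = IPV4_RE.search(m.group("msg"))
    return {"ts": ts, "host": m.group("host"), "msg": m.group("msg"),
            "src": ip.group(0) if ip else None}


def parse_all(lines):
    return [parse_line(line) for line in lines]


def apply_offsets(events, offsets):
    """Return copies of the events with each timestamp shifted by its device's offset."""
    fixed = []
    for e in events:
        shifted = dict(e)
        shifted["ts"] = e["ts"] + timedelta(seconds=offsets.get(e["host"], 0))
        fixed.append(shifted)
    return fixed


def timeline(events):
    """Hostnames in the order the events appear to have happened."""
    return [e["host"] for e in sorted(events, key=lambda e: e["ts"])]


def span_seconds(events, src):
    """How long the activity from `src` appears to have lasted, first to last event."""
    stamps = [e["ts"] for e in events if e["src"] == src]
    return int((max(stamps) - min(stamps)).total_seconds())


def login_follows_accept(events, src, window_seconds=60):
    """Detection rule: an SSH login from `src` no more than `window_seconds`
    AFTER the edge firewall accepted a connection from `src`."""
    accepts = [e["ts"] for e in events
               if e["host"] == "fw-edge" and e["src"] == src and "ACCEPT" in e["msg"]]
    logins = [e["ts"] for e in events
              if e["src"] == src and "Accepted password" in e["msg"]]
    return any(0 <= (login - accept).total_seconds() <= window_seconds
               for accept in accepts for login in logins)


if __name__ == "__main__":
    raw = parse_all(SAMPLE_LOGS)
    fixed = apply_offsets(raw, CLOCK_OFFSETS)
    attacker = "203.0.113.5"
    print("raw order:      ", timeline(raw), "span %ds" % span_seconds(raw, attacker))
    print("corrected order:", timeline(fixed), "span %ds" % span_seconds(fixed, attacker))
    print("rule fires on raw timestamps:      ", login_follows_accept(raw, attacker))
    print("rule fires on corrected timestamps:", login_follows_accept(fixed, attacker))
```

The offsets table stands in for what you would otherwise have to reconstruct by hand during an incident; the cheaper fix is to make every device an NTP client of the same reference and log in UTC, so the raw timestamps are already comparable and no correction step is needed.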

Otanx

9. I don't need security because nobody would want to hack me.

-Otanx

icecream-guy

10. Time correlation amongst devices is not that important.
:professorcat:

My Moral Fibers have been cut.

deanwebb

Quote from: Otanx on May 07, 2015, 10:19:08 AM
9. I don't need security because nobody would want to hack me.

-Otanx


Actually said by a guy in IT in a bank.

A BANK.

:zomgwtfbbq:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

that1guy15

Quote from: Netwörkheäd on May 07, 2015, 07:54:51 AM
2. It hasn't been a problem before.

I hear this excuse about twice a week.

Them: We can't make changes or additions to this setup.
Me: Why?
Them: Because it's unstable.
Me: So let's fix the setup.
Them: Why? It's been running fine this way for 15 years.
Me: ....
:wall:
That1guy15
@that1guy_15
blog.movingonesandzeros.net

hizzo3

Oh... Here is one for the list... Security through obscurity. If no one knows, it can't be a hole, right?

NetworkGroover

Quote from: that1guy15 on May 08, 2015, 03:17:57 PM
Quote from: Netwörkheäd on May 07, 2015, 07:54:51 AM
2. It hasn't been a problem before.

I hear this excuse about twice a week.

Them: We can't make changes or additions to this setup.
Me: Why?
Them: Because it's unstable.
Me: So let's fix the setup.
Them: Why? It's been running fine this way for 15 years.
Me: ....
:wall:

Yep - I specifically remember running into this myself. We were doing end-to-end QoS testing and found out a McAfee device was stripping the DSCP tag due to the particular traffic falling under a proxy rule. There are apparently two (I think?) types of rules, and if we used the other one (whatever that was), it would pass through the received DSCP tag. Come to find out, the traffic was already being proxied by an actual web proxy anyway. So naturally, I'm like, "Dude, why are we double-proxying this traffic? What's the point? Let's just change it to the other type of rule and get this fixed.", to which they responded with exactly what you describe here. Thank God, someone with authority was actually intelligent during the ensuing team conference calls and forced them to change it.

Ridiculous.
Engineer by day, DJ by night, family first always

NetworkGroover

Quote from: hizzo3 on May 08, 2015, 04:08:42 PM
Oh... Here is one for the list... Security through obscurity. If no one knows, it can't be a hole, right?

What?  You mean NAT doesn't guarantee security!?  :wtf:

deanwebb

For security through obscurity... most of the hack attempts are done by "me too" skiddies that are probing with out-of-date kits... so there's still someone out there running probe attempts on Novell 2.x and Banyan Vines, and although he's only 14, he will be 73h 1337 h4xx0r after he pwns your obscurity. :mrgreen:

hizzo3

Speaking of security of another kind of network... Have y'all been following the guy that the FBI claims hacked a plane? Apparently he was able to sniff the traffic and pass commands.

deanwebb

Some security guys say he was just blowing smoke... maybe he could sniff, but they're doubting his passing commands claim.

We shall see. :drama:

NetworkGroover

Quote from: hizzo3 on May 19, 2015, 12:07:18 AM
Speaking of security of another kind of network... Have y'all been following the guy that the FBI claims hacked a plane? Apparently he was able to sniff the traffic and pass commands.

This drives me nuts if it's true.  Supposedly he attached to the in-flight entertainment system and found a way in from there.  What engineer in their right mind even physically attaches flight control systems to a public access network.... f@#$#ing ridiculous.   :angry:

hizzo3

Your car isn't much different. Look at all the problems with CANBUS. I was looking at writing an app for Cadillac's CUE system and the EULA was so bogged down with "don't do this" and "don't try that" that I gave up. Apparently it can access the car's 'LAN' and pull info about the car's performance. All of us here know that if you can read, then you're only an injection away from writing on something without authentication.

deanwebb

Cars are absolutely LANs on wheels. WLANs, even, with the newer models. I am totally not a fan of that. Remote key systems, in particular, turn me off. There was a Top Gear segment where Jeremy Clarkson showed how being within a certain distance of your car with the remote key kept it unlocked and drivable. So, he got into Richard Hammond's car - a top-end muscle car, mind you - and drove it into the middle of the road before it stopped due to the key being too far from the car. He then walked back to the restaurant where Hammond and James May were eating, and they all enjoyed a nice lunch. They did remark on the unusual traffic congestion in the small town they were in, when Richard looked up and noticed his car was gone...

So, yeah, not a fan of stuff making it easier for me to get into my car. It makes it easier for lots of people to get into my car.

NetworkGroover

Quote from: hizzo3 on May 19, 2015, 10:22:22 AM
Your car isn't much different. Look at all the problems with CANBUS. I was looking at writing an app for Cadillac's CUE system and the EULA was so bogged down with "don't do this" and "don't try that" that I gave up. Apparently it can access the car's 'LAN' and pull info about the car's performance. All of us here know that if you can read, then you're only an injection away from writing on something without authentication.

Agreed, but a car doesn't carry nearly the amount of innocent people in it, and in a crash, I'd wager the survival rate is higher in a car than a plane. That's my issue with this airline thing... not to mention the ability to dive-bomb a plane into a building....