Perimeter
11/3/2011
06:03 PM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Security Ostriches And Disintermediation

HD Moore's Law (unsophisticated attackers leveraging tools like Metasploit) will make many security professionals go the way of brick-and-mortar retailers

I know I'm asking a lot, but can you remember back to when Amazon and other Internet retailers shook the foundations of brick-and-mortar merchants that were caught flat-footed by that Internet thing? Some responded and prospered (sort of), while others went away, unable to compete in the face of the Internet threat. This phenomenon was called disintermediation because it took the distribution middleman out of play.

What really drove this revolution of sorts was data in the hands of customers who could compare prices in real time and buy from the cheapest provider. Those retailers surviving had to offer more than a grumpy cashier, since you could click a few times and have a box show up on your doorstep the next day -- for the same price. It has become only worse for brick-and-mortars, since I can now scan a barcode with my trusty Amazon iPhone app and see if it can beat the price on whatever I'm planning to buy.

Get ready because disintermediation is coming to security. In fact, it's already here and has been for a while, but no one is really talking about it. Josh Corman first surfaced a great way to describe the concept in a presentation at Metricon back on August. So great, I wish I thought of it. He finally (three months later) documented those thoughts in a blog post called "Intro to HDMoore's Law," which states: Casual Attacker power grows at the rate of Metasploit.

For you n00bs out there, HD Moore is the driver of the open-source project Metasploit, which is a penetration-testing toolkit that launches real exploits at devices. Basically what Josh is saying here is that script kiddies now have a tool in their arsenals that provides a point-and-click way to compromise machines. And you (as a security practitioner) need to stay ahead of Metasploit to have any chance at protecting your stuff.

Can you see it? This is security disintermediation, folks. Now everyone has the information and tools to break your boxes and pwn your stuff. For a long time, it was only those with (real) skills who could launch exploits. Or those bad guys with a front that could afford Core Impact. ;-)

When faced with disintermediation, a lot of retailers stuck their head in the sand, like a good ostrich. Ask CompUSA, Borders, and the countless others how that worked out for them. Dead ostriches, that's how. Others took decisive action, focusing on services (think Best Buy's Geek Squad) and value (Costco's unique bundles and packages), and have held their own. Kind of.

The same thing will happen to security practitioners. Security ostriches who cling to their tried-and-true vulnerability scanners and patching products to _protect_ themselves? Pwned ostrich. I heard that tastes like chicken. Those harnessing HD Moore's Law have integrated Metasploit and tools like it into their ongoing testing processes. They know that even the least sophisticated attackers are going to be using Metasploit, so they proactively let it loose on their networks to see what happens.

You can't hide anymore behind security obscurity. You can't assume you aren't a target. It's just too easy for some of these folks to break in, so they will. But the good news is with some decisive action and a little work, you won't be the path of least resistance. There are plenty of other ostriches being disintermediated as we speak, which should keep the bad guys busy for a little while.

A very little while. So get to work.

Mike Rothman is president of Securosis and author of the Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7896
Published: 2015-03-03
Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Command View Advanced Edition Software Online Help, as used in HP Device Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Tiered Storage Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Replication Manager 6.x and 7.x before ...

CVE-2014-9283
Published: 2015-03-03
The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

CVE-2014-9683
Published: 2015-03-03
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

CVE-2015-0656
Published: 2015-03-03
Cross-site scripting (XSS) vulnerability in the login page in Cisco Network Analysis Module (NAM) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCum81269.

CVE-2015-0890
Published: 2015-03-03
The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.