Perimeter
11/3/2011
06:03 PM
Mike Rothman
Mike Rothman
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Security Ostriches And Disintermediation

HD Moore's Law (unsophisticated attackers leveraging tools like Metasploit) will make many security professionals go the way of brick-and-mortar retailers

I know I'm asking a lot, but can you remember back to when Amazon and other Internet retailers shook the foundations of brick-and-mortar merchants that were caught flat-footed by that Internet thing? Some responded and prospered (sort of), while others went away, unable to compete in the face of the Internet threat. This phenomenon was called disintermediation because it took the distribution middleman out of play.

What really drove this revolution of sorts was data in the hands of customers who could compare prices in real time and buy from the cheapest provider. Those retailers surviving had to offer more than a grumpy cashier, since you could click a few times and have a box show up on your doorstep the next day -- for the same price. It has become only worse for brick-and-mortars, since I can now scan a barcode with my trusty Amazon iPhone app and see if it can beat the price on whatever I'm planning to buy.

Get ready because disintermediation is coming to security. In fact, it's already here and has been for a while, but no one is really talking about it. Josh Corman first surfaced a great way to describe the concept in a presentation at Metricon back on August. So great, I wish I thought of it. He finally (three months later) documented those thoughts in a blog post called "Intro to HDMoore's Law," which states: Casual Attacker power grows at the rate of Metasploit.

For you n00bs out there, HD Moore is the driver of the open-source project Metasploit, which is a penetration-testing toolkit that launches real exploits at devices. Basically what Josh is saying here is that script kiddies now have a tool in their arsenals that provides a point-and-click way to compromise machines. And you (as a security practitioner) need to stay ahead of Metasploit to have any chance at protecting your stuff.

Can you see it? This is security disintermediation, folks. Now everyone has the information and tools to break your boxes and pwn your stuff. For a long time, it was only those with (real) skills who could launch exploits. Or those bad guys with a front that could afford Core Impact. ;-)

When faced with disintermediation, a lot of retailers stuck their head in the sand, like a good ostrich. Ask CompUSA, Borders, and the countless others how that worked out for them. Dead ostriches, that's how. Others took decisive action, focusing on services (think Best Buy's Geek Squad) and value (Costco's unique bundles and packages), and have held their own. Kind of.

The same thing will happen to security practitioners. Security ostriches who cling to their tried-and-true vulnerability scanners and patching products to _protect_ themselves? Pwned ostrich. I heard that tastes like chicken. Those harnessing HD Moore's Law have integrated Metasploit and tools like it into their ongoing testing processes. They know that even the least sophisticated attackers are going to be using Metasploit, so they proactively let it loose on their networks to see what happens.

You can't hide anymore behind security obscurity. You can't assume you aren't a target. It's just too easy for some of these folks to break in, so they will. But the good news is with some decisive action and a little work, you won't be the path of least resistance. There are plenty of other ostriches being disintermediated as we speak, which should keep the bad guys busy for a little while.

A very little while. So get to work.

Mike Rothman is president of Securosis and author of the Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-0460
Published: 2014-04-16
The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.

CVE-2011-0993
Published: 2014-04-16
SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors.

CVE-2011-3180
Published: 2014-04-16
kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown.

CVE-2011-4089
Published: 2014-04-16
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

CVE-2011-4192
Published: 2014-04-16
kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile."

Best of the Web