Perimeter
11/3/2011
06:03 PM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Security Ostriches And Disintermediation

HD Moore's Law (unsophisticated attackers leveraging tools like Metasploit) will make many security professionals go the way of brick-and-mortar retailers

I know I'm asking a lot, but can you remember back to when Amazon and other Internet retailers shook the foundations of brick-and-mortar merchants that were caught flat-footed by that Internet thing? Some responded and prospered (sort of), while others went away, unable to compete in the face of the Internet threat. This phenomenon was called disintermediation because it took the distribution middleman out of play.

What really drove this revolution of sorts was data in the hands of customers who could compare prices in real time and buy from the cheapest provider. Those retailers surviving had to offer more than a grumpy cashier, since you could click a few times and have a box show up on your doorstep the next day -- for the same price. It has become only worse for brick-and-mortars, since I can now scan a barcode with my trusty Amazon iPhone app and see if it can beat the price on whatever I'm planning to buy.

Get ready because disintermediation is coming to security. In fact, it's already here and has been for a while, but no one is really talking about it. Josh Corman first surfaced a great way to describe the concept in a presentation at Metricon back on August. So great, I wish I thought of it. He finally (three months later) documented those thoughts in a blog post called "Intro to HDMoore's Law," which states: Casual Attacker power grows at the rate of Metasploit.

For you n00bs out there, HD Moore is the driver of the open-source project Metasploit, which is a penetration-testing toolkit that launches real exploits at devices. Basically what Josh is saying here is that script kiddies now have a tool in their arsenals that provides a point-and-click way to compromise machines. And you (as a security practitioner) need to stay ahead of Metasploit to have any chance at protecting your stuff.

Can you see it? This is security disintermediation, folks. Now everyone has the information and tools to break your boxes and pwn your stuff. For a long time, it was only those with (real) skills who could launch exploits. Or those bad guys with a front that could afford Core Impact. ;-)

When faced with disintermediation, a lot of retailers stuck their head in the sand, like a good ostrich. Ask CompUSA, Borders, and the countless others how that worked out for them. Dead ostriches, that's how. Others took decisive action, focusing on services (think Best Buy's Geek Squad) and value (Costco's unique bundles and packages), and have held their own. Kind of.

The same thing will happen to security practitioners. Security ostriches who cling to their tried-and-true vulnerability scanners and patching products to _protect_ themselves? Pwned ostrich. I heard that tastes like chicken. Those harnessing HD Moore's Law have integrated Metasploit and tools like it into their ongoing testing processes. They know that even the least sophisticated attackers are going to be using Metasploit, so they proactively let it loose on their networks to see what happens.

You can't hide anymore behind security obscurity. You can't assume you aren't a target. It's just too easy for some of these folks to break in, so they will. But the good news is with some decisive action and a little work, you won't be the path of least resistance. There are plenty of other ostriches being disintermediated as we speak, which should keep the bad guys busy for a little while.

A very little while. So get to work.

Mike Rothman is president of Securosis and author of the Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?