Perimeter
11/3/2011
06:03 PM
Mike Rothman
Mike Rothman
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Security Ostriches And Disintermediation

HD Moore's Law (unsophisticated attackers leveraging tools like Metasploit) will make many security professionals go the way of brick-and-mortar retailers

I know I'm asking a lot, but can you remember back to when Amazon and other Internet retailers shook the foundations of brick-and-mortar merchants that were caught flat-footed by that Internet thing? Some responded and prospered (sort of), while others went away, unable to compete in the face of the Internet threat. This phenomenon was called disintermediation because it took the distribution middleman out of play.

What really drove this revolution of sorts was data in the hands of customers who could compare prices in real time and buy from the cheapest provider. Those retailers surviving had to offer more than a grumpy cashier, since you could click a few times and have a box show up on your doorstep the next day -- for the same price. It has become only worse for brick-and-mortars, since I can now scan a barcode with my trusty Amazon iPhone app and see if it can beat the price on whatever I'm planning to buy.

Get ready because disintermediation is coming to security. In fact, it's already here and has been for a while, but no one is really talking about it. Josh Corman first surfaced a great way to describe the concept in a presentation at Metricon back on August. So great, I wish I thought of it. He finally (three months later) documented those thoughts in a blog post called "Intro to HDMoore's Law," which states: Casual Attacker power grows at the rate of Metasploit.

For you n00bs out there, HD Moore is the driver of the open-source project Metasploit, which is a penetration-testing toolkit that launches real exploits at devices. Basically what Josh is saying here is that script kiddies now have a tool in their arsenals that provides a point-and-click way to compromise machines. And you (as a security practitioner) need to stay ahead of Metasploit to have any chance at protecting your stuff.

Can you see it? This is security disintermediation, folks. Now everyone has the information and tools to break your boxes and pwn your stuff. For a long time, it was only those with (real) skills who could launch exploits. Or those bad guys with a front that could afford Core Impact. ;-)

When faced with disintermediation, a lot of retailers stuck their head in the sand, like a good ostrich. Ask CompUSA, Borders, and the countless others how that worked out for them. Dead ostriches, that's how. Others took decisive action, focusing on services (think Best Buy's Geek Squad) and value (Costco's unique bundles and packages), and have held their own. Kind of.

The same thing will happen to security practitioners. Security ostriches who cling to their tried-and-true vulnerability scanners and patching products to _protect_ themselves? Pwned ostrich. I heard that tastes like chicken. Those harnessing HD Moore's Law have integrated Metasploit and tools like it into their ongoing testing processes. They know that even the least sophisticated attackers are going to be using Metasploit, so they proactively let it loose on their networks to see what happens.

You can't hide anymore behind security obscurity. You can't assume you aren't a target. It's just too easy for some of these folks to break in, so they will. But the good news is with some decisive action and a little work, you won't be the path of least resistance. There are plenty of other ostriches being disintermediated as we speak, which should keep the bad guys busy for a little while.

A very little while. So get to work.

Mike Rothman is president of Securosis and author of the Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.