Home page logo

basics logo Security Basics mailing list archives

Re: Secure host newbie - fun - humm
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Tue, 06 Apr 2004 10:04:27 -0400

Ranjeet Shetye wrote:

I'd say that most of the **avoidable** security **problems** are created
by human beings (and network admins too).

just going over the recent well-publicised and researched breakins:

ftp.gnu.org - known ptrace kernel exploit (but no solution available) -
TECHNOLOGY + HUMAN (cos admins decided to leave machine running and
"risk it").
Are you advocating that people should just take their servers down if someone finds an exploit that isn't patched? Well, in that case, who needs denial of service attacks?

You're also assuming that every admin is aware when an exploit is found, that's not always the case. (In fact, I'd argue that it's like that unless a patch or new version is released and said admin is on an announcement list, they probably don't know about the vulnerability.)

If both of these are the case, then an issue like this is not a human issue at all - it's a technology issue.

(My interpretation:
TECHNOLOGY - unexpectedly getting a flat tyre while you're driving.
HUMAN - driving around despite knowing that you have a flat tyre.)

I disagree completely.

I see what you're getting at, but it's not enough.  I'd define it this way:

TECHNOLOGY - Any issue which could have been prevented or stopped technologically. This includes flaws in software that are purely technical -- including flaws in design methodology.

HUMAN - Improper use, misconfiguration of known-to-be-insecure configurations, use of inherently vulnerable services (like nfs and telnet) when better alternatives exist and are equally available, and not patching a system when it is known to be safely patchable. (In the real world, you can't just patch a system -- you have to test things first.) Most of these are configuration and use issues, and often there is a justification for carrying out the action. For instance, telnet is inherently "insecure". Yet, there are times when it's appropriate to use telnet. Sometimes, decisions aren't cut and dry and it's these decisions that fall into the HUMAN category, not the decision to run a vulnerable system when you don't have a choice. That's purely technological.


Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]