Home page logo
/

basics logo Security Basics mailing list archives

RE: Secure host newbie - fun - humm
From: "Chinnery, Paul" <PaulC () mmcwm com>
Date: Wed, 7 Apr 2004 13:29:55 -0400

That 8 million dollar fine is bogus.  There is no such figure in any HIPAA documents I've seen.  

Paul Chinnery
Network Administrator
Mem Med Ctr


-----Original Message-----
From: Ranjeet Shetye [mailto:ranjeet.shetye2 () zultys com]
Sent: Tuesday, April 06, 2004 2:55 PM
To: Barry Fitzgerald
Cc: Charles Highsmith; Alvin Oga; Simon Lemieux;
security-basics () securityfocus com
Subject: Re: Secure host newbie - fun - humm



No, I am not pushing one decision over another.

I am pointing out the fact that when a HUMAN BEING decides to run a
server KNOWING that there is a security problem, then that is a HUMAN
issue, NOT a technology issue. (e.g. I dont think that running an
insecure service is any different from insecurely running a secure
service - in both cases, its professional negligence.)

Just cos an admin is helpless cos there is NO fix, does NOT exonerate
the network admin of any blame, IF he or she KNEW that is an exploit
available.

In today's 24x7 broadband interconnected world, you have 2 options:
1. Take down the server yourself.
2. Hope that you do not get compromised and continue business as usual.
(When you do get taken down, try to put it back together from backups.)

Are there any other options ? That is what I was pointing out. Find out
the cost of each option, and take the path with the lesser cost.
Decision-making 101.

e.g. Lets take a case where there IS a severe price to be paid for the
NEGLIGENCE of KNOWINGLY running an insecure solution.

If a US based service is hosting health records on a Linux server, and
they KNOW that there is a kernel exploit that's available, BUT there is
no fix available for it, then either they play safe and TAKE DOWN the
server themselves, or prepare for a costly legal battle and/or a lengthy
prison sentence if it can be proven that the admin was (deliberately ?)
NEGLIGENT.

The court is surely NOT going to think that running data servers for
24x7 (admin's desire) OR the health of the business (CEO's desire) is
more important than the privacy of the health records. By law, EACH
leaked health record will cost you $8 million + other civil and criminal
proceedings if warranted + other intangibles like loss of customer
trust, loss of reputation, etc. If that is worth keeping your servers up
and running, you should make the decision accordingly. I wouldn't. I'd
try to keep the service secure.

On the other hand, if you are running a photo album server, then things
are not so bad. As I said, you've got to take your own individual
decision.

This is very different from DoS attacks because in DoS, you dont get a
choice, your server gets taken down for you. It's not a business
decision taken on the basis of some calculated risk.

And I DO think that security is a very black and white issue. Either you
have it, or you dont.

Ranjeet.

On Tue, 2004-04-06 at 07:04, Barry Fitzgerald wrote:
Ranjeet Shetye wrote:

I'd say that most of the **avoidable** security **problems** are created
by human beings (and network admins too).

just going over the recent well-publicised and researched breakins:

ftp.gnu.org - known ptrace kernel exploit (but no solution available) -
TECHNOLOGY + HUMAN (cos admins decided to leave machine running and
"risk it").
 

Are you advocating that people should just take their servers down if 
someone finds an exploit that isn't patched?  Well, in that case, who 
needs denial of service attacks?

You're also assuming that every admin is aware when an exploit is found, 
that's not always the case.  (In fact, I'd argue that it's like that 
unless a patch or new version is released and said admin is on an 
announcement list, they probably don't know about the vulnerability.)

If both of these are the case, then an issue like this is not a human 
issue at all - it's a technology issue.


(My interpretation:
TECHNOLOGY - unexpectedly getting a flat tyre while you're driving.
HUMAN - driving around despite knowing that you have a flat tyre.)


 


I disagree completely.

I see what you're getting at, but it's not enough.  I'd define it this way:

TECHNOLOGY - Any issue which could have been prevented or stopped 
technologically.  This includes flaws in software that are purely 
technical -- including flaws in design methodology.

HUMAN - Improper use, misconfiguration of known-to-be-insecure 
configurations, use of inherently vulnerable services (like nfs and 
telnet) when better alternatives exist and are equally available, and 
not patching a system when it is known to be safely patchable.  (In the 
real world, you can't just patch a system -- you have to test things 
first.)  Most of these are configuration and use issues, and often there 
is a justification for carrying out the action.  For instance, telnet is 
inherently "insecure".  Yet, there are times when it's appropriate to 
use telnet. 

Sometimes, decisions aren't cut and dry and it's these decisions that 
fall into the HUMAN category, not the decision to run a vulnerable 
system when you don't have a choice.  That's purely technological.


                -Barry

-- 

Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/
 
The views, opinions, and judgements expressed in this message are solely
those of the author. The message contents have not been reviewed or
approved by Zultys.



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]