IDS mailing list archives

RE: [IDS] IDS Common Criteria


From: "Graham, Robert (ISS Atlanta)" <rgraham () iss net>
Date: Wed, 15 Jan 2003 14:03:29 -0500

> From: Randy Taylor [mailto:gnu () charm net]
> Security is very much a process. It has a scope that encompasses
> many concepts that are not addressed from the understandably
> narrowed focus found in vendor space.

You are right that "vendors" and their "technology" aren't a magic pill
that can solve all our problems. You are wrong in claiming that
"process" is the magic pill that we are looking for.

It's like the Emperor's New Clothes. If you'll remember the story, the
clothes were made from a cloth that was invisible to idiots. Process is
made from a similar cloth. There is no clear set of processes that
everyone understands, so when you can't "see" the value in certain
processes, the proponent of that process labels you an idiot. Likewise,
whenever there is a security problem, you can always point to something
missing in the process, or to a failure to follow the process. The
problem is never that process isn't the answer, but that you are not
smart enough to correctly follow the right processes.

The reality is that there is no process that will solve the security
problem for you. There are ones that solve it in theory, but will fail
when you try to implement them in practice. You have to hire mere
mortals in your organization that can never follow the process exactly,
and you'll never be able to agree upon the perfect process to fit your
needs. Processes will always be imperfect, and will always lead to
imperfect security.

Even the army and NSA haven't reached that point -- and they invest
billions in the effort to fine-tune their processes. You can't even
afford those types of processes.


> Bruce Schneier speaks to the "security is a process"
> position better than I, but I did want to take a moment to
> point out some areas that many folks overlook when they
> talk about security. The broad-scope view makes it all look
> easy. It's the details that get you killed, figuratively speaking.

Um, you make my point for me.

Bruce Schneier speaks to the common prejudices of the security
community, which is why people like him. He avoids troubling himself
with the details. It's like a president that promises we can reduce
taxes, reduce the deficit, and increase spending -- if only we were
serious enough and committed to doing it. When congress debates the
details and is unable to achieve this, the president criticizes their
seriousness and commitment to solving the problem. Schneier claims that
"process" is the silver bullet that will solve your security problem,
but he doesn't provide any details. When you fail to achieve security
nirvana, Schneier criticizes your seriousness and commitment to solving
the problem ... and then you blame yourself rather than the advice you
were given.

The details always kill you, as you say. For example, Schneier argues
for open-source, because open peer review helps make crypto algorithms
better. The details are that crypto algorithms are extremely tiny, have
a lot of experts interested in analyzing them, and can easily spend a
decade in the literature before people trust them. None of these details
apply to open source: the amount of source code is huge, there are
(relatively) few people willing to take the effort to analyze it, and it
changes rapidly. This applies to both open and closed source code, but
people's prejudice is to hate the big and successful (Microsoft), so
they readily agree that this is yet one more reason to like open-source.

People love the statement "security is a process": it's sufficiently
high level to absolve the speaker from actually having to discuss
details.


> Without a
> process-oriented approach to security, the "gun" is in the hands
> of the enemy rather than in ours.

The big lie is that businesses don't ALREADY believe in process. This is
wrong: everything in a business is controlled by process. I mean, if you
go to HR and complain about harassment, you can bet that there is a
"process" to handle it. The above statement imagines that there is
somebody out there who claims that process is NOT important. Except for
a couple of young rebels who dislike authority/processes on principle,
there really isn't anybody who disagrees that process is important.

Healthy processes are, of course, important to security, but they won't
solve your security problem. Grandstanding statements like "security is
a process" are disingenuous and misleading, and gloss over the crucial
details. They promise you that you can't get hacked if you just follow
the right processes. This is not true: you can still get hacked even if
you correctly follow the best process available.
