Sometimes I like to make lengthy Dre-like comments in other people’s blogs. It sucks to lose those over time, so I’m trying to do more re-posting of them here. This post is one of those.
Rich Mogull posted about turning off security controls for parties that scan your stuff, i.e. PCI requirements. Rothman also picked this up in talking about what vulnerabilities he should care about. Please read their posts and the comments to them and join in the discussion on their blogs. 🙂
This was my response to Mogull:
Oh, how to respond to anything…post on my blog, or make long posts here? I’ll do both! Hopefully I can stay under the length of Dre’s comments. 😉 Wait, did I see “masturbation” in there somewhere when I skimmed through the first time? O_o
Oh, and read to the bottom where I bring SCADA into this. 😉
There are a few points I want to address:
1) Turning off things like IPS for vendor scanning.
2) The futility of things like IPS/WAF
3) When is a vulnerability something I care about?
1) I agree with turning things like your security controls off for scans. First of all, I’d want to know what is underneath those controls. Hell, I’d like to do a scan with them off and another with them on so I can fill in those comment boxes for countermeasures implemented! But really, I have little qualm about making exceptions for scans if that gives me some valuable information. The caveat would be that those exceptions are documented, surgical, and time-limited.
Let’s say you’re a security professional. Someone asks you to evaluate their system. You want as much visibility as possible to make a proper assessment. The same holds true for doctors, lawyers, physical security agents, baseball coaches. They all need deep access to maybe even your darkest secrets, otherwise their job is impeded. And I do find value in giving experts those deep secrets.
I would disagree that an external scan is really all about what an attacker sees, especially since a) I don’t give a shit about who scans me or how often (ok, there is some value there, but not enough to interrupt my gaming sessions) and b) I can’t predict what an attacker wants to see. Sure, I want to know how limited a view an attacker can get of my systems, but does that actually guarantee anything? It just guarantees I’ll waste my time and/or miss something on the periphery.
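Here is what “documented, surgical, and time-limited” looks like when written down as a check rather than a good intention. This is an added example, not code from the original post or from any product mentioned in it; the policy limits (ticket required, scanner source no wider than 16 addresses, window no longer than 7 days), the rule text format and the sample exception records are all assumptions constructed for the illustration.

```python
"""Time-boxed, scoped scan exceptions (added example, not from the post).

A bypass of a control for a scanner is only honoured if it names a ticket,
a narrow source prefix, the specific control being bypassed, and an expiry.
The output is the set of bypass rules active at a given moment; anything
else is rejected up front or retired automatically once it expires.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical policy limits for this example.
MAX_PREFIX_HOSTS = 16               # no more than a /28 worth of scanner sources
MAX_DURATION = timedelta(days=7)    # a scan window, not a standing hole


@dataclass(frozen=True)
class ScanException:
    ticket: str        # change/ticket reference documenting the bypass
    source: str        # scanner source prefix, e.g. "203.0.113.10/32"
    control: str       # which control is bypassed: "ips", "waf", ...
    starts: datetime
    ends: datetime


def validate(exc: ScanException) -> list[str]:
    """Return the policy violations for one exception (empty list = acceptable)."""
    problems: list[str] = []
    if not exc.ticket.strip():
        problems.append("no ticket reference")
    try:
        net = ipaddress.ip_network(exc.source, strict=True)
        if net.num_addresses > MAX_PREFIX_HOSTS:
            problems.append(f"source {exc.source} too broad ({net.num_addresses} addresses)")
    except ValueError:
        problems.append(f"source {exc.source!r} is not a valid prefix")
    if exc.ends <= exc.starts:
        problems.append("expiry is not after start")
    elif exc.ends - exc.starts > MAX_DURATION:
        problems.append(f"window longer than {MAX_DURATION.days} days")
    return problems


def active_rules(exceptions: list[ScanException], now: datetime):
    """Split exceptions into bypass rules to apply now and (exception, reason) pairs to drop."""
    rules: list[str] = []
    rejected: list[tuple[ScanException, str]] = []
    for exc in exceptions:
        problems = validate(exc)
        if problems:
            rejected.append((exc, "; ".join(problems)))
        elif now < exc.starts:
            rejected.append((exc, "not yet active"))
        elif now >= exc.ends:
            rejected.append((exc, "expired"))
        else:
            rules.append(
                f"bypass {exc.control} from {exc.source} until {exc.ends.isoformat()}  # {exc.ticket}"
            )
    return rules, rejected


# Constructed reference time and sample records for the example.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_EXCEPTIONS = [
    ScanException("CHG-0001", "203.0.113.10/32", "ips", NOW - timedelta(hours=1), NOW + timedelta(days=2)),
    ScanException("CHG-0002", "203.0.113.11/32", "waf", NOW - timedelta(days=3), NOW - timedelta(hours=1)),
    ScanException("CHG-0003", "0.0.0.0/0", "ips", NOW, NOW + timedelta(days=1)),
    ScanException("", "203.0.113.12/32", "ips", NOW, NOW + timedelta(days=30)),
]

if __name__ == "__main__":
    rules, rejected = active_rules(SAMPLE_EXCEPTIONS, NOW)
    for r in rules:
        print("APPLY   ", r)
    for exc, why in rejected:
        print("REJECT  ", exc.ticket or "<no ticket>", exc.source, "->", why)
```

Run as-is, only the first record produces a rule; the second is retired as expired, the third is refused because a 0.0.0.0/0 bypass is not surgical, and the fourth fails on two counts (no ticket, 30-day window). Feeding the rule lines into whatever actually configures the IPS or WAF is left to the reader, since that part is product-specific.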
2) I agree with the above sentiments about IPS/WAFs, etc. They mean well, and when someone is dedicated to making them work and babysitting them, I think they have value. But let’s face it, people don’t babysit them. I am in charge of my company’s IPS devices, but god knows I only look at the logs once in a blue moon. It pains me, but…such is the problem with not being dedicated solely to security. So, is that really giving me added value? Not really. In fact, most of the value I afford it is with the logging and detecting, not the preventing.
Dre and others are correct. We have far more important and “easier” things to worry about than deeply inspecting our DMZ traffic. I wish we could worry about that stuff, but there are far bigger issues leading to compromises and bad press. (Then again, this is a natural extension of the resistance people have to us fixing their bigger issues, so we fall back into what we do control without violent pushback…the network and traffic.)
3) (Hopefully Rothman approves my comment on his post today on this topic!) The bottom line is that I care about vulns that are underneath my security controls. I want to know that my controls are not just wasted, and I want to know when I have some soft internal parts that need to be specifically protected. I also want to know them so that I can make proper remediation decisions and evaluate hypotheticals properly. If I have server B that is internal but has a vulnerability, I want to know that in case someone in control of server G can laterally attack it once inside my network. Sure, it might be game-over already, but ultimately at some point I have to answer the question of, “How far did attacker G get, or where could he have gotten?”
I don’t want to be the one to stand in front of my boss and explain that I didn’t know about vuln X in server B just because I made what is now a bad assumption about the risk of server B.
I think SCADA can be a poster child for this idea. 🙂
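Points 1 and 3 both come down to the same piece of work: scan once with the controls on, once with them off, and diff the two so you can see what the control is actually masking versus what is exposed regardless. The following is an added example to show that diff, not code from the original post or from any scanner; the finding fields, the severity scale, the control name and the two constructed scan result sets are assumptions made for the illustration.

```python
"""Diff a scan taken with controls on against one taken with controls off
(added example, not from the post).

A finding is keyed by (host, port, check). Findings that appear only with the
control off are what the control is currently masking, i.e. the "vulns
underneath my security controls". Findings present in both runs are exposed
regardless of the control and go to the top of the remediation list.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check: str      # scanner check id / plugin name
    severity: str   # "low" | "medium" | "high" | "critical"


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _key(f: Finding) -> tuple[str, int, str]:
    return (f.host, f.port, f.check)


def _rank(f: Finding) -> tuple[int, str, int]:
    # Highest severity first, then a stable host/port order.
    return (-SEVERITY_RANK[f.severity], f.host, f.port)


def classify(with_controls: list[Finding], without_controls: list[Finding]) -> dict[str, list[Finding]]:
    """Bucket findings by whether the control hides them, never hid them, or created them."""
    on = {_key(f): f for f in with_controls}
    off = {_key(f): f for f in without_controls}
    exposed = [off[k] for k in off if k in on]          # seen both ways: control is not helping here
    masked = [off[k] for k in off if k not in on]       # seen only with control off: control is masking a real vuln
    only_on = [on[k] for k in on if k not in off]       # seen only with control on: usually the control itself (block pages etc.)
    return {
        "exposed": sorted(exposed, key=_rank),
        "masked": sorted(masked, key=_rank),
        "only_with_controls": sorted(only_on, key=_rank),
    }


def countermeasure_notes(report: dict[str, list[Finding]], control: str) -> list[str]:
    """One line per masked finding, suitable for the 'countermeasures implemented' comment box."""
    return [
        f"{f.host}:{f.port} {f.check} ({f.severity}): currently masked by {control}; "
        f"underlying issue still present, remediate on the host"
        for f in report["masked"]
    ]


# Constructed sample results: the same targets scanned with the IPS on and off.
SCAN_CONTROLS_ON = [
    Finding("web1", 443, "tls-weak-cipher", "medium"),
    Finding("web1", 80, "http-trace", "low"),
    Finding("web1", 443, "ips-block-page", "low"),
]
SCAN_CONTROLS_OFF = [
    Finding("web1", 443, "tls-weak-cipher", "medium"),
    Finding("web1", 80, "http-trace", "low"),
    Finding("web1", 443, "sqli-login-form", "high"),
    Finding("app2", 8080, "outdated-framework", "critical"),
]

if __name__ == "__main__":
    report = classify(SCAN_CONTROLS_ON, SCAN_CONTROLS_OFF)
    for bucket, findings in report.items():
        print(bucket.upper())
        for f in findings:
            print(f"  [{f.severity}] {f.host}:{f.port} {f.check}")
    print("COUNTERMEASURE NOTES")
    for line in countermeasure_notes(report, "ips"):
        print("  " + line)
```

The masked bucket is the answer to “how far could attacker G have gotten”: those are the findings a host-level fix still has to address even though the external scan with controls on reports them clean. The only_with_controls bucket is worth keeping too, because it is usually the control fingerprinting itself as a finding, which is noise you want to recognise rather than chase.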