Alex Hutton

About

Hi. This is my personal weblog. I also write at:

http://www.newschoolsecurity.com
http://securityblog.verizonbusiness.com


    Vulnerability Centrism

    We talked yesterday a little about Marcus Ranum’s podcast (which I think he really should have named “Ranum’s Rants” or something more quirky and fun). One of the other things Marcus (MJR) talks about in his podcast is the current state of computer security and some of the dumb ideas perpetuated by the industry. One idea he believes is dumb is “penetrate and patch.” When he mentioned it, it got me thinking about a question I’ve been asking myself for some time now.

    ARE WE TOO SCANNER CENTRIC?
    Let’s set the WayBack Machine to the mid-’90s. NT 3.5 and 4.0, “stateful inspection” and IDS are the hot new technologies, and the Security Administrator Tool for Analyzing Networks (SATAN) has just been released. The world is about to change.

    The advent of scanners was one of the most significant advances in network security, ever. Scanners (and NT 4.0) led to “scan and patch” methodologies, and those became the staple of many InfoSec programs.

    Fast forward twelve years. These days, scan and patch is an effective control process against automated malware and the bottom two-thirds of the external amateur threat community. Other threat communities may still start with a scan for low-hanging fruit, but if you have a good scan and patch process running, their route in probably won’t be one of the SANS top vulnerabilities. What happened? The bad guys have evolved.

    But have we?

    Take a brief look at the impact of scanners. Two effects are fairly notable:

    1. The most widely accepted risk assessment methodologies are simply derivatives of “scan and patch.” OCTAVE and NIST both use scanning as the “engine” that drives risk assessment. They then add some fairly unsophisticated probability and valuation steps on top of the scan results to create a risk belief statement. Many smart people (MJR and Andrew Jaquith included) now question the validity of risk management partly because of these shortcomings in risk assessment.
    2. The most widely accepted ISMS certification processes are derivatives of scan and patch. ISO certification (and PCI certification, which we had better consider a de facto ISMS now that Texas is considering making it law) is essentially scan and patch with some other stuff thrown in (audits of management buy-in, awareness programs) to make it look like we know what good risk management means.

    The thing is, understanding patch levels is only one aspect of determining the current state of control strength. In fact, if you look at FAIR as a framework for what makes up risk, control strength is only one of eight factors of roughly equal importance at the point where it is considered.

    I’m thinking that your patch level, i.e. the results of your scanner, is simply one piece of data used to set the lowest common denominator for control strength. But because scanning was revolutionary back when we were arguing Pentium Pros vs. SPARC 20s as the pinnacle of workstation prowess, we’re going to be stuck focusing on scan and patch at a time when network scans are becoming about as relevant as firewalls. Both have their place, to be sure. But are we putting too much emphasis on scans?

    Your comments would be very welcome.


    (via RiskAnalys.is)



    May 15, 2007, 1:26pm