Date:      Fri, 8 Sep 2006 10:28:31 -0700 (PDT)
From:      Bigby Findrake <bigby@ephemeron.org>
To:        "Travis H." <solinym@gmail.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: comments on handbook chapter
Message-ID:  <20060908101441.V90396@home.ephemeron.org>
In-Reply-To: <d4f1333a0609061905y709843ecm454509067925a7ca@mail.gmail.com>
References:  <d4f1333a0609061905y709843ecm454509067925a7ca@mail.gmail.com>

On Wed, 6 Sep 2006, Travis H. wrote:

> ``You do not want to overbuild your security or you will interfere
> with the detection side, and detection is one of the single most
> important aspects of any security mechanism. For example, it makes
> little sense to set the schg flag (see chflags(1)) on every system
> binary because while this may temporarily protect the binaries, it
> prevents an attacker who has broken in from making an easily
> detectable change that may result in your security mechanisms not
> detecting the attacker at all.''
>
> Wouldn't it be better to detect /and/ prevent an attempt to change the system
> binaries?

That's how I interpret that passage from the handbook - that you should 
detect *and* prevent.  I'm not clear on how anyone is interpreting that 
passage to suggest that unequal weight should be given to one side or the 
other (detection vs. prevention).  The above passage all but says, "don't 
do X because that will interfere with Y."  I just don't see that advice as 
advocating imbalance.

> It seems to me that advising people to focus on detection rather than 
> prevention is wrong-headed.  What are you going to do after you detect 
> the attacker?  If it's not "prevent him from doing anything", then I 
> question the intelligence of this approach.

I find that extreme examples are good at illustrating points.

I think that everyone can agree that we cannot prevent 100% of attacks; if 
we could, we wouldn't be having this discussion.  In the extreme case 
where we take absolutely every possible preventative security measure, 
logically, the only attacks that can succeed are those that we didn't know 
about, that we did not foresee, and thus that we could not prevent 
against.

In those cases, where you're hit by attacks that you didn't know existed, 
the importance of detection probably rises.  In fact, in the case of 
attacks (and possibly vectors) that you weren't aware of, I would argue 
that detection can be a prerequisite of prevention.  Oh, there are 
examples where it's not: I can prevent all of the network attacks that I 
don't know about by unplugging the host from the network.  But in the 
cases where you cannot remove or mitigate the attack vector (e.g. because 
to do so would interfere with availability vs security), it seems to me 
that prevention needs detection.



-- 
"I don't think they could put him in a mental hospital.  On the other
hand, if he were already in, I don't think they'd let him out."

finger://bigby@home.ephemeron.org
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
news://news.ephemeron.org/alt.lemurs
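The handbook passage quoted above pairs a prevention control (the schg immutable flag on system binaries) with the need for detection. The script below is an added example, not part of the original message or the FreeBSD handbook: it builds a baseline of SHA-256 digests and permission modes for a tree of binaries, records whether each file carries an immutable flag (using `st_flags` where the platform exposes it, which is BSD and macOS; elsewhere the flag simply reads as absent), and then reports what changed. The sample tree, file names and "tampering" are constructed inline so the code runs offline on any platform.

```python
import hashlib
import os
import stat
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_immutable(path):
    """True if the file carries the system or user immutable flag.

    Only BSD-derived systems expose st_flags; on Linux it is absent and
    this reports False, which the report treats as 'not protected'."""
    flags = getattr(os.lstat(path), "st_flags", 0)
    return bool(flags & (stat.SF_IMMUTABLE | stat.UF_IMMUTABLE))


def build_baseline(root):
    """Map each regular file under root to its digest, mode and flag state."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, root)
            baseline[rel] = {
                "sha256": file_digest(path),
                "mode": stat.S_IMODE(os.lstat(path).st_mode),
                "immutable": is_immutable(path),
            }
    return baseline


def compare(baseline, current):
    """Report content, permission and inventory changes between two snapshots,
    plus any files that lack an immutable flag (the prevention side)."""
    common = set(baseline) & set(current)
    return {
        "modified": sorted(k for k in common
                           if baseline[k]["sha256"] != current[k]["sha256"]),
        "mode_changed": sorted(k for k in common
                               if baseline[k]["mode"] != current[k]["mode"]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "unprotected": sorted(k for k, v in current.items() if not v["immutable"]),
    }


def demo():
    """Constructed scenario: a fake bin/ tree, a baseline, then tampering."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name, body in (("ls", b"#!/bin/sh\necho ls\n"),
                           ("ps", b"#!/bin/sh\necho ps\n")):
            path = os.path.join(bindir, name)
            with open(path, "wb") as f:
                f.write(body)
            os.chmod(path, 0o755)
        baseline = build_baseline(root)

        # Simulated tampering (constructed): ps replaced, ls made setuid,
        # and an unexpected extra file dropped into bin/.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho not-ps\n")
        os.chmod(os.path.join(bindir, "ls"), 0o4755)
        with open(os.path.join(bindir, "extra"), "wb") as f:
            f.write(b"#!/bin/sh\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {items}")
```

On a FreeBSD host the baseline would be taken right after `chflags schg` on the binaries, so the `unprotected` list doubles as a check that the prevention control is actually in place, while `modified`, `mode_changed`, `added` and `removed` are the detection side the handbook passage is concerned with. The baseline itself should live somewhere the host cannot silently rewrite, or the comparison tells you nothing.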
