On Wed, 6 Sep 2006, Travis H. wrote:
> ``You do not want to overbuild your security or you will interfere
> with the detection side, and detection is one of the single most
> important aspects of any security mechanism. For example, it makes
> little sense to set the schg flag (see chflags(1)) on every system
> binary because while this may temporarily protect the binaries, it
> prevents an attacker who has broken in from making an easily
> detectable change that may result in your security mechanisms not
> detecting the attacker at all.''
>
> Wouldn't it be better to detect /and/ prevent an attempt to change the system
> binaries?
That's how I interpret that passage from the handbook - that you should
detect *and* prevent. I'm not clear on how anyone is interpreting that
passage to suggest that unequal weight should be given to one side or the
other (detection vs. prevention). The above passage all but says, "don't
do X because that will interfere with Y." I just don't see that advice as
advocating imbalance.
> It seems to me that advising people to focus on detection rather than
> prevention is wrong-headed. What are you going to do after you detect
> the attacker? If it's not "prevent him from doing anything", then I
> question the intelligence of this approach.
I find that extreme examples are good at illustrating points.
I think that everyone can agree that we cannot prevent 100% of attacks; if
we could, we wouldn't be having this discussion. In the extreme case
where we take absolutely every possible preventative security measure,
logically, the only attacks that can succeed are those that we didn't know
about, that we did not foresee, and thus that we could not
prevent.
In those cases, where you're hit by attacks that you didn't know existed,
the importance of detection probably rises. In fact, in the case of
attacks (and possibly vectors) that you weren't aware of, I would argue
that detection can be a prerequisite of prevention. Oh, there are
examples where it's not: I can prevent all of the network attacks that I
don't know about by unplugging the host from the network. But in the
cases where you cannot remove or mitigate the attack vector (e.g. because
to do so would interfere with availability vs security), it seems to me
that prevention needs detection.
--
"I don't think they could put him in a mental hospital. On the other
hand, if he were already in, I don't think they'd let him out."
finger://[EMAIL PROTECTED]
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
news://news.ephemeron.org/alt.lemurs
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"