[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Re: Pudent default security

To: Full Disclosure <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: [Full-Disclosure] Re: Pudent default security
From: Paul Schmehl <pauls@xxxxxxxxxxxx>
Date: Sun, 28 Sep 2003 22:20:10 -0500

--On Sunday, September 28, 2003 10:20 PM -0400 "security@xxxxxxxxxxx" <security@xxxxxxxxxxx> wrote:

I would add yet another take on this.

[sniipped a lot of good thinking]


I think that the problem is not the protocol or the application. It is a
fundamental lack of understanding of the security model and the network
as a whole.

Yes, that is what I was trying to say, however lamely. The preponderance of discussions and papers on security today focus on the network and how to control the flow of data/packets. But in the final analysis, the problems always come down to the individual machine, be it server or workstation. Why aren't security ideas focusing on that problem primarily? Oh, we all know you shouldn't run unnecessary services, but that's about as far as the wisdom goes.

SANS has made some efforts in this area with their best practices documents, but where is the software development to address it? The Bastille is about the only thing I can think of off the top of my head that even attempts to address this area. The OS vendors are beginning to come around to the off-by-default model (slowly), but protecting what *must* be on (such as CIFS, SMB, NFS) is still a laborious (or outrageously expensive) process when you're trying to do it on an enterprise level.

IMO the vendors should be providing these types of tools as an integral part of the OS in addition to shipping in an off-by-default model. It should be trivial to "do security" in an OS. (It still blows my mind that every WinXP box comes with UPnP on by default. RPC I can *almost* understand, but UPnP???) I'm saying we need a paradigm shift in *thinking* about how an OS should be configured out of the box *and* a paradigm shift in the ease of configuration on an enterprise level.

Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Re: Pudent default security
  - From: Jay Sulzberger
- Re: [Full-Disclosure] Re: Pudent default security
  - From: Shannon Johnston

References:
- RE: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
  - From: Rick Kingslan
- RE: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
  - From: Curt Purdy
- Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
  - From: Florian Weimer
- Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
  - From: Karl DeBisschop
- Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
  - From: Paul Schmehl
- Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
  - From: Michal Zalewski
- [Full-Disclosure] Pudent default security - Was: CyberInsecurity: The cost of Monopoly
  - From: security@xxxxxxxxxxx

Prev by Date: [Full-Disclosure] Pudent default security - Was: CyberInsecurity: The cost of Monopoly
Next by Date: Re: [Full-Disclosure] Re: Pudent default security
Previous by thread: [Full-Disclosure] Pudent default security - Was: CyberInsecurity: The cost of Monopoly
Next by thread: Re: [Full-Disclosure] Re: Pudent default security
Index(es):
- Date
- Thread