Date: Wed, 27 Sep 2006 07:32:57 -0400
From: "Kenneth F. Belva" <ken@...security.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Rothman: Belva's a Joker (was Could InfoSec be Worse than Death?)

Tom,

No, I don't mind answering your objections. I find this debate very 
healthy and it helps me to further clarify these ideas. After all, I am 
the challenger to a very entrenched perspective (loss prevention). I'd 
better be able to discuss the differences to people's satisfaction.

Your example is excellent. I think it really gets to the heart of the 
matter. I'm going to paste something from an earlier thread and then 
extrapolate that in contrast to your objections.

>> The information security mechanisms are a necessary but not sufficient
>> condition to create these new assets. The loss prevention model shows how
>> this necessary condition breaks down and what we can do to stop the
>> breakdown. The virtual trust model says that once we have this necessary
>> condition, here are the things we may do with it. The focus is different.


> In my mind, both the Loss Prevention and Virtual Trust paradigm focus
> on the delivery condition (the bikes being functional), the only
> difference being that the Virtual Trust paradigm would advocate the
> active servicing of bikes (the security of the delivery mechanism) on
> the basis that this would establish more "Trust" with customers
> (they're guaranteed to get their paper) as opposed to just actively
> servicing the bikes as part of a standard working practice.

While I think this is an excellent comparison, there are certain aspects 
of this comparison that I do not like but I will go with it for now 
because I think it will help clarify things. (My main objections are 
that it is a physical and not an electronic example. This may cause 
confusion later.)

The loss prevention model focuses on the servicing model that you cite. 
For example, vulnerability assessments, change control, following 
existing policy and procedures are examples of maintaining the bikes. 
Anti-virus, IPS/IDS, firewalls are bikes but are only meant to prevent 
loss. I take it that this will not be objected to.

So what's the difference between loss prevention and VT? It's this. What 
security mechanisms would allow us to create bikes? And when we have our 
bikes, what can we do with them? Well, we need a bike with such and such 
tire size, a bike that has a soft seat for those long rides, etc. Once 
we have established the bike and its properties, we can expand our 
routes to cover different markets, we can deliver different print 
content than simply newspapers, we could sell/offer different services 
as well as newspaper delivery (bill payment), etc. [If you are really 
going for the jugular you will note that I did not mention any security 
mechanisms. That's because this is where I think the example breaks down 
between physical and electronic means. Generally one should be able to 
take the underlying concepts and apply them, which I do in the next paragraph.]

So, we can use authentication to identify someone (a bike). It's a 
security mechanism. Once we have this ability, what can we do with it? 
Well, we can create credit card products (it's electronic), EasyPass, 
Pay-per-click advertising, etc. We can create new revenue streams and 
cash flow using this methodology. (I should note that the pay-per-click 
example is Brian Eaton's. I was psyched when I saw it!)

We never mention loss in the authentication example. It's not about 
making sure that our authentication mechanism works properly (checking 
for SQL injection) or maintaining it. We could (and should) understand 
loss prevention in terms of VT. But that's not my focus right here and now.

In the first example, we understand the loss prevention and a necessary 
means for maintaining the trust. Keeping the bikes maintained so we can 
keep our routes established. In the VT model, how do we establish the 
trust so we can do things with that trust. How do we establish the route 
itself and how do we create the bikes? Once these things are 
established, what can we do with our bikes and routes? Selecting the 
right security mechanism and its purpose(s) are our objective in the VT 
model.

As my co-author Sam mentioned to me the other day, not every security 
mechanism is in the VT enablement toolkit. So, a firewall will not be in 
the VT enablement toolkit. It helps to get to that baseline level of 
trust, but it does not function in a way that is useful to the creation 
of new assets.

I'd like to reiterate the quote at the beginning. Loss prevention is the 
maintenance of the necessary condition of trust. VT is establishing 
that trust and then doing something with it.

There is often a mistake in asking security to be a sufficient condition 
to generate revenue. In other words, how can our IPS device all by 
itself bring us revenue? Well, it can't. And, I'm not claiming that. I 
am claiming that security is one of the essential components (necessary) 
for the creation of electronic business. I think that authentication and 
DRM are two excellent examples of this. iTunes, EasyPass, etc. are great 
real world examples of VT.

I hope that clarifies a few things and answers your excellent 
objections. Feel free to write anytime.

Ken

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
