[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3af3d47c1002120754n732d78aaud84417c8541909@mail.gmail.com>
Date: Fri, 12 Feb 2010 16:54:48 +0100
From: Christian Sciberras <uuf6429@...il.com>
To: Valdis.Kletnieks@...edu
Cc: "McGhee, Eddie" <Eddie.McGhee@....com>,
craig.wright@...ormation-defense.com,
full-disclosure <full-disclosure@...ts.grok.org.uk>,
security-basics@...urityfocus.com,
"Thor \(Hammer of God\)" <Thor@...merofgod.com>
Subject: Re: Risk measurements
-"The problem is that you can't *guarantee* correct function. You *know* the
damn thing will escape with bugs, no matter how hard you try. The question
is how damaging the bugs are, and how much you want to spend preventing
the bugs *through the entire life cycle - design, development, and deployed*."
And who do you know what the bugs are? Risk modeling cannot solve this
kind of issue. Vulnerabilities aren't intentional.
It isn't intentional that I could piggyback a particular process and
get kernel access. Since vulnerabilities are based on exceptions, how
do you know that this kind of exception occurs?
Again, mathematics lose ground here.
-"It's like buying insurance (in fact, it's *exactly* like buying insurance)."
Very true, *buying* insurance. However, it doesn't come with insurance...
The probability in risk management is mostly impossible since because
of the human factor, the least probability possible (fatal bugs) tend
to surface pretty fast.
-"Unfortunately, you'll need to do some risk modeling to figure out
what "reasonable bounds" is for each piece of information."
Wait, so I need to do risk modeling to quantify the risks of
information/results of a risk assesment on software? Sounds like
beauroucracy to me (pun intended).
I see the reason behind risk management, but I don't see it being
usefull except in policy-making.
On Fri, Feb 12, 2010 at 4:30 PM, <Valdis.Kletnieks@...edu> wrote:
> On Fri, 12 Feb 2010 14:37:25 +0100, Christian Sciberras said:
>> Let's presume 100k was spent on risk modeling, which actually is way
>> less then the norm, where was the gain again?
>
> Citation for "less than the norm", please? I've participated in lots of risk
> modeling sessions that cost *way* less than $100K - often, all that's needed is
> get the right 5-6 people in a conference room for an hour or two with a
> whiteboard, discuss "what's our exposure here?" and "What can we do about it?".
>
> If you're spending $100K on *modelling* it, then it's probably a bigger ticket
> issue. So let's pull some *more* "obviously arbitrary numbers out of the air
> to illustrate the point". So make it $7.5M to fix, and $5M if you get hacked.
> Better?
>
>> Why exactly does the flaws have to be fixed economically instead of
>> designing the system correctly in the first place?
>
> Quite often, those risk and threat assessments *are* part of designing it
> correctly in the first place. Does the design need to include $5M in the
> budget to roll out crypto hardware? If your analysis shows that your average
> loss due to just using OpenSSL for free will only be $100K, that $5M is
> wasteful bloat. If it's a TJX-scale exposure, $5M is probably a bargain.
>
>> And on this same argument, why spend a huge amount of time (money and
>> resources) *guessing flaws* rather then correct system function?
>
> The problem is that you can't *guarantee* correct function. You *know* the
> damn thing will escape with bugs, no matter how hard you try. The question
> is how damaging the bugs are, and how much you want to spend preventing
> the bugs *through the entire life cycle - design, development, and deployed*.
>
>> "why are you spending $250,000 extra to fix the flaw?"
>> Because the estimate is abviously wrong. You cannot predict the full
>> outcome which brings the sum from the least possible number up to
>> infinitum.
>
> Well, yeah. I suppose it's *possible* that your system's weak password system
> will allow a hacker to get in, and from your system hack into the LHC and
> control it to spawn a black hole that eats the Earth. And even that is
> still a finite, not "infinitum".
>
> It's also pretty fucking unlikely. Most of the time, the analysis sticks to
> reasonably predictable outcomes - the cost of a critical server being down for
> X number of days, the cost of penalties/fines/lawsuits if there's an exposure,
> the cost of bad PR, etc. At some point, you have to forget about the
> movie-plot scenarios and restrict yourself to the shit that actually happens in
> real life. If a given result hasn't been reported in the trade press in the
> last 5 years, you can probably not worry about it.
>
>> For instance, let's imagine a flaw in your favourite OS happens to
>> allow any hacker backdoor access to it, there's the possibility of it
>> being covered up neatly, with just paying your developers OR getting a
>> nice load of media hype and pay dearly with losing your customers.
>
> It's like buying insurance (in fact, it's *exactly* like buying insurance).
> You can usually buy different levels of coverage, for different premium
> payments. Do you just buy the legal minimum you need for car insurance?
> Or do you spend another $10/month for an additional $1M of liability
> insurance? Or $20/mo for $2M? Same for your home/renter insurance. If
> you have a mortgage, you may be required to buy a certain amount. If you
> want more coverage, you have to decide how much to spend, to cover what
> threats. If you live in a flood plain, you might want to pay extra for
> flood insurance. You live someplace that has no history of flooding and
> not much chance of it changing, maybe save the money.
>
> Why do people understand how buying insurance works, but have trouble
> understanding that security is the same sort of trade-offs? In both
> cases, it's the same sort of risk modeling and analysis.
>
>> Personally, I'd rather not do risk modeling at all, or at least, keep
>> the information within reasonable bounds rather then let it reign my
>> (hypotethical) company.
>
> Unfortunately, you'll need to do some risk modeling to figure out what
> "reasonable bounds" is for each piece of information. Some is OK to go
> on your public webpages, some goes on protected webpages only, some is
> only allowed on employee's workstations, some is only allowed in certain
> departments - and maybe you have some data that should stay on stand-alone
> machines in highly secured areas, with armed guards searching for USB keys
> and the like. But you'll need to do some risk analysis and modeling to
> decide which data is in which category.
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists