Where the threats lie

One of the things that’s been running through my head the past few days is that your data is actually safer “in the cloud.” Charles Johnson over at Little Green Footballs spoke to it when discussing Eddie’s disclosure of protected information to puppetmaster Glenn Greenwald.

I’m reminded of the abject shock and horror one of my former managers had when he found out I could have read any of his emails if I’d wanted to. Aside from the facts that a) I didn’t have time to do that, and b) I didn’t have context for many of them to understand them, I mainly didn’t read them because I really didn’t care to. You are worried about getting a gift for Stacy’s baby shower Thursday? Susan totally botched her sales presentation to Jones and Company?

I. Don’t. Care.

Neither does Google.
Neither does Microsoft.
Neither does Rackspace.
Neither does AT&T.
Neither does Verizon.
Neither does Cox.
Neither does Facebook, even though they might brighten Carol’s newsfeed after Susan totally blew that opportunity. (Here’s a hint, Facebook, Carol really likes videos with cats.  She could use a few extra this week, and maybe some dating prospects, as she’s insanely jealous that Stacy’s getting all the attention just because she got some action.)

Neither, probably, does Jason your Ops Guy. He’s just between modules on that vendor training you paid for, and there’s nothing interesting on Reddit, so time to snoop.

The NSA doesn’t really care about much of it, either. None of what they collected got released until Eddie stole the data from the NSA, and gave it to his buddy Glenn.

Maybe ultimately the weak spots are Jason and Eddie?

Only so many spoons

Since I’m not using a lot of them working right now, my brain is moving at an insane rate in this late hour.

Before Shmoocon 2013, I’d started on a CFP response, inspired by Mouse’s talk the year before about active defense. My scarred-up brain started down this path after seeing Mudge’s keynote the last year at the Marriott (aka Snowmageddonpacolypsewhatever).

When he was talking from his carefully-sanitized slides, he showed a common host. It had eight vulnerabilities via a Retina scan.

Someone about four rows back raised his hand. Before he was really recognized to speak, he pointed out that at least three of them were HBSS vulnerabilities.

So, after musing on those two talks some, my premise was, essentially, that building monolithic systems increases the attack vector. So, what do you do? Throw something else on top of that monolith to protect it.

Once the attacker is around the defenses, he’s got a target-rich environment to exploit the system.

Unfortunately, as I was walking through the rebuttal I could expect from the audience, I came across an argument I couldn’t refute — some of these defenses do actually close some holes. While the overall vector may be bigger, it’s less vulnerable to some of the more common attacks.

As I’ve been listening to my wife dig through her math coursework, I’ve been thinking about what the equation on this would look like.

The vector calculation would need to include the overall attack risk of the base OS, each application installed atop the OS, minus the holes patched by the sekurity measures (whether hard or soft).

What are the most common NVD for the OS? Which are closed by the security measures? Of the remaining, what are the of exploit for each?

Busted-ass WinXP box has a 38% chance of getting 0wned in a month. It has Flash and Java installed on it, which raises the chance to 60%. It has SuperSEkurSoftFW installed, which brings the XP number down to 33%, and knocks two points off Java and Flash, leaving 51%.

I wish I had more math skills to write a nasty-looking equation for all this. *sigh*

But the overall concept remains — the less stuff you stack on a host, the smaller the overall vector, regardless of whatever security middleware you throw on it to plug holes.