18 June 2005
[I'm starting to get a fair amount of feedback from OU staff and students. It seems that my pages discussing OU courses all currently outperform the Open University's own pages in Google. Oops. I didn't intend to speak this loudly. Mmm, Google-juice...]
The chair of the OU M886 security course found my earlier comments and asked for suggestions for improvements. My suggestion is to re-examine the concept of separation.
Many disciplines suffer from "Physics envy". In the physical sciences one quickly learns that breaking a problem down to its simplest levels makes things consistent and predictable. When analysing how a car crashes, one first studies how metal deforms, now glass breaks, and how tires skid. Add all the pieces together, and one gets the whole picture.
This security course attempts the same thing. In order to deal with an organisation's security, each threat is identified, assessed, and (optionally) treated. Since one can never treat every possible threat (are you prepared for exploding pigeons?), the threat assessment step is key to evaluating what must be treated and what is too trivial or unlikely.
Individually assessing each threat works -- as long as the threats are individual. Separation of all systems is assumed. But in the real world this separation is often an illusion. It is common for white-hatters to claim that if the public web site and the internal systems are on separate servers, then an attack on one would not compromise the other. As any competent black-hatter knows, that kind of thinking works in their favour.
Let's assume that one has just compromised a server. Let us count some of the ways by which one could leverage that exploit in order to obtain access to a related server.
This is the fundamental fact which the course misses: Crackers work by using each exploit as leverage for the next. The first exploit may be minor and of no significant consequence. As might the second exploit. Combined, they may allow the cracker to open a third exploit, one which was determined to be too improbable to be worth treating. Next, the cracker moves on to exploits which aren't even listed in the security management plan.
A few years ago a co-worker and I noticed an utterly trivial error in a guestbook. Not too long after we had root access (penetration testing is part of the job[?]). All done one very small step at a time. That incident taught me that separation of systems and inside defences aren't worth much. It is all about getting that first toehold, that first nearly worthless exploit. The rest is just a matter of time and patience.
Dr. Hall replies:
If the course 'M101: How to defeat the gifted hacker' missed this, it would be a real problem. But M886: Information Security Management doesn't miss this at all, it intentionally omits it. The course is about normal design for security and most attacks do not come from gifted, original hackers, i.e., they do not need to be handled by radical design practices. Most attacks come from those sitting on the shoulders of these hacking giants: they do not have the gifts the giants have, nor the ability to reason in the way giants do. For every giant there are a million script-kiddies. Against script kiddies, Information Security Management provides fit-for-purpose solutions.
I guess I was expecting that a post-graduate security course would be able to handle more than just script-kiddies.