The author argues that information security should focus much more on software-based attack vectors, instead of concentrating on network and operating system attacks.
If you are an old school hacker or old school security professional, I'm going to be upfront with you. Old school hacking is dead, network hacking is dead, firewalls are useless and AV software is a mere redundant software package that underlines your frustration and ignorance about contemporary hacking. Defense in depth is deceased since the nineties and it will never come back. The Internet is operated with knowledge that stems from the late eighties and nineties. All you learned about the Internet from the seventies 'till the late two thousandths is dead. It is no longer the landscape we work on. It is no longer the Internet of today, it is certainly not the Internet of tomorrow. It belongs into history books and nothing more. It is crucial to understand this. If we do not agree, the security field stays behind the facts of today.
Source: http://www.0x000000.com/?i=536
"Today everything is software, even in the form of virtual hardware" is a very accurate observation. "Security appliances", such as Cisco system's MARS platform, or really self-contained Linux machines with Oracle
10 and other proprietary software on the inside. Many security
administrators are aware of the fact that most Oracle installation are
behind on patches, and Oracle itself only releases patches four times a
year. Yet we choose appliances that rely on invisible software for our critical security operations.
"If you can define hacking today, it no longer means telnetting into servers or blowing whistles, but exploiting the application layer." And that is exactly the level at which most of us are not very good. I sometimes dabble a little in scripting myself, and I was recently notified that one of my code fragments was potentially vulnerable to an SQL-injection type of attack. I know what those attacks are, what causes them, and what effect they can have. Yet, security-conscious as I am, I missed this one.
I think it is safe to assume that most developer still as insufficiently aware of this type of problems. SQL-injection, cross-site scripting, cross-site request forgery, etc., are all known attack vectors and well documented. Yet, I venture to state that very few applications exist that are immune to them.
When thinking of the six steps of incident response (Prepare, Identify, Contain, Eradicate, Recover, Lessons Learned), it is time that we start building our applications to facilitate them. Prepare by building good code, and code that produces adequate, and reliable logging. Identify attacks by closely monitoring the way your applications behave, including the logging they produce.
Analyze the logging with automated tools, and ensure that the logging stored appropriately and in line with an existing log retention policy. Don't forget to protect the logging at the same level as the application it produces; like backups, logging may contain very interesting facts that may just give an attacker enough information to exploit your system.
"If you can define hacking today, it no longer means telnetting into servers or blowing whistles, but exploiting the application layer." And that is exactly the level at which most of us are not very good. I sometimes dabble a little in scripting myself, and I was recently notified that one of my code fragments was potentially vulnerable to an SQL-injection type of attack. I know what those attacks are, what causes them, and what effect they can have. Yet, security-conscious as I am, I missed this one.
I think it is safe to assume that most developer still as insufficiently aware of this type of problems. SQL-injection, cross-site scripting, cross-site request forgery, etc., are all known attack vectors and well documented. Yet, I venture to state that very few applications exist that are immune to them.
When thinking of the six steps of incident response (Prepare, Identify, Contain, Eradicate, Recover, Lessons Learned), it is time that we start building our applications to facilitate them. Prepare by building good code, and code that produces adequate, and reliable logging. Identify attacks by closely monitoring the way your applications behave, including the logging they produce.
Analyze the logging with automated tools, and ensure that the logging stored appropriately and in line with an existing log retention policy. Don't forget to protect the logging at the same level as the application it produces; like backups, logging may contain very interesting facts that may just give an attacker enough information to exploit your system.
Kees,
"Today everything is software, even in the form of virtual hardware"
:) well it has been always about software. I don't quite understand what Ronald is trying to say and therefore I cannot agree. "Telneting into a box" - is still dealing with software. Ronald argues that most security problems are due to problems in software (input validation) and this is supposedly the NEW-school of hacking as he refers to but from my experience I must say that a lot of organizations get hacked because of insecure design, and poor/insecure configuration of their networks, appliances and clients. And this comes from my hands on experience.
So, I believe that his post is mostly targeted to be inspirational and emotional then accurate.
pdp | GNUCITIZEN | Hakiri
True-- when looking at the statement from an engineer's point of view, just about everything higher than the physical layer is software. Some might even argue that the physical layer itself might qualify as that.
For most users however, everything below layer 7 (application layer) is considered part of the hardware, or at the very least, as part of the operating system.
I think the point that Ronald is trying to make is that attacks are mostly focused on software that lives in user-space, and does not require system privs. I could be wrong :) Why attack using very complicated malformed and obscurely fragmented packets when you can just do a simple SQL injection and get right to the data that you're after?