- Précis
- Special Points of Interest
- Present Attempts Have Failed (Present Modeling)
- We Don't Understand Why
- We Continue to Use Old Thinking
- Define Network as Control Problem
- Identifying Control Nodes
- Completing the Picture
- Key Points
Present Attempts Have Failed (Present Modeling)
Many security-modeling tools are on the market, and it would be easy to spend a week listening to salespeople tell you how well their products work. These tools talk about "risk" and measure it as a product of endpoint vulnerability and the availability of a suitable exploit. If you have a vulnerability, and you have a way to exploit it, you have a risk that someone will use the exploit on your system. The message here is that if you eliminate the vulnerabilities on your network, you will be secure.
If you think about it, that's not a bad way of attacking the problem if all you're interested in is removing the known vulnerabilities from your network. Many networks can operate this way because they're essentially "open" in the sense that no private data is being loaded on them and anyone can use their resources. The main concern is to keep them up and functional. Public libraries and universities operate in this mode, with the main difference being that a library owns the endpoints and a university hosts its students' endpoints.
In the library, the users browse the Internet or do research. Some systems allow the use of office tools such as word processors and spreadsheets, but you use them at your own risk (because you'll be leaving a copy of your data somewhere on the system). I wouldn't be comfortable working on my diary at the local public library. To ensure that they're as available as possible, libraries lock down their systems to the point where the user is unable to make any changes to the system at all. Users are not allowed to install software, remove software, or, in some jurisdictions, browse to certain sites on the Internet. I see this same type of installation at airports that have made computers available to pilots for flight planning.
At the other end of the spectrum, universities are not concerned with the security of the endpoint per se. Their concern comes from their charter regarding the network and their service level agreement with the students. The university's mission is to provide a reliable network service to its users, and because the university doesn't control the endpoint, it needs a different way of managing the connections. It registers users and the machine address that they're working from. When it detects that a specific machine address is abusing the system, it cuts that address off.
The problem with this kind of approach in a corporate environment is that it's not practical to rely solely on vulnerability management. There are other threats to your network, such as trusted systems doing untrustworthy things, that no vulnerability scanner will report.