Wednesday, September 9, 2009

Good vs. Good Enough

I try to read as much as I possibly can every day on the topic of security in general... and add whatever knowledge or thought I can toward actually solving the bigger-picture problems that society is facing. Last night I stumbled across a post from way back in 2002 which continues to ring true today, so I decided to not only bring it back into the light but also to continue the discussion.

That post I'm talking about is "Club vs. Lojack Solutions" on a blog titled "Dive into Mark", written by Mark Pilgrim. I got to this blog post because someone going by the handle "Acidus" (hey dude, I've been trying to get a hold of you, answer your email!) posted a comment on RSnake's blog post "Email obfuscation and Spam Robots" (on ha.ckers.org). Anyway, all this is relevant because it goes back to addressing the anti-automation battle that security professionals find themselves in every single day.

That post from back in 2002 (7 years ago, wow) nails what I've been thinking about square between the eyes, and makes the brilliant comparison between "The Club" (you all remember this, right?) auto-theft deterrent device and the "LoJack" automobile location service/device. For those of you too young to remember the commercials for each, I suggest you watch the YouTube videos I linked to.

So here's the dilemma. If you've got a reasonably high-profile web 2.0 site (I'm mainly referring to social media here, since nearly every popular site capitalizes on social media somehow), you've got the problem of crooks using automation against you to post millions of comment spams, harvest your users' emails, create fake accounts... the list goes on and on. You now have to figure out how you're going to stop them. You can either use The Club, or LoJack. Obviously these are metaphors, but you'll have to really decide whether you're going to try to defend, or simply react. Let's look at both approaches and see how they can be applied to real-life InfoSecurity-related situations...

Let's assume you are the administrator, or security-person-at-large in charge of protecting a relatively large (1MM+ user base), well-ranked (Alexa Top 250), active site. You are conforming to the "Web 2.0" spirit by making your site highly interactive, while at the same time providing a transaction-based system for commerce and cash-flow generation.

The Club approach...
The main goal of using this approach is to deter the bottom 80% of would-be attackers. You're not going for ultimate security, and you realize that your approach puts you at an advantage only until others around you with similar sites adopt your techniques. By engaging mechanisms like CAPTCHAs, defensive programming practices (code which looks for signs of tampering and disengages the would-be attacker), and visible signs that you're using under-the-covers security, you're hoping to deter would-be attackers. Like the brilliant blog post I cited says... you're not trying to deter someone who's out to hack your site, just someone who wants to hack a site. This makes it such that you're no longer the lowest-hanging fruit and the attacker moves on. Makes sense! Here are some possible ideas to use for this approach:
  • CAPTCHAs where possible (or better yet, reCAPTCHAs, since they're not broken by automation, yet, and cost attackers real money to break!)
  • Session rate-limiters which will look at a session and rate-limit how many posts or interactions someone can have from a specific IP address, range, etc.
  • Header-based protection such as referrer, user-agent and other types of tracking and blocking... of course this all breaks down as soon as someone realizes that they can change all of the above at will. Again, you're blocking the unsophisticated skiddie (script kiddie)
  • Hidden variables within forms can be effective against basic automation attacks, but usually require only a simple adjustment of a script to lose all effectiveness
  • Badges such as the "tested and secured by {insert company here}" kind, but be careful not to display worthless badges such as those "HackerSafe" (sorry, McAfee Secured) or "HackerProof" ones out there... those will actually make you a target!
Remember, you're not trying to outrun the bear, just the fellow hiker!
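The session rate-limiter bullet above, as an added illustration that is not code from the original post: a sliding-window limiter that budgets posts per single IP and, separately, per address range (/24 for IPv4, /64 for IPv6), so one abuser rotating through a handful of neighbouring addresses still hits a ceiling. The limits and addresses are constructed values for the example.

```python
import ipaddress
import time
from collections import defaultdict, deque


class PostRateLimiter:
    """Sliding-window limiter keyed by both the single IP and its range.

    Hypothetical example; the default budgets are constructed, not from the post.
    """

    def __init__(self, per_ip=5, per_range=20, window_seconds=60):
        self.per_ip = per_ip
        self.per_range = per_range
        self.window = window_seconds
        self.hits = defaultdict(deque)  # key -> timestamps of allowed posts

    def _prune(self, key, now):
        # Drop timestamps that have aged out of the window, keep the rest
        q = self.hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allow(self, ip, now=None):
        """Return (allowed, reason). An attempt is counted only if allowed."""
        now = time.monotonic() if now is None else now
        addr = ipaddress.ip_address(ip)
        # Whole neighbourhoods share one budget: /24 for IPv4, /64 for IPv6
        prefix = 24 if addr.version == 4 else 64
        range_key = str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
        ip_q = self._prune(str(addr), now)
        range_q = self._prune(range_key, now)
        if len(ip_q) >= self.per_ip:
            return False, "ip-limit"
        if len(range_q) >= self.per_range:
            return False, "range-limit"
        ip_q.append(now)
        range_q.append(now)
        return True, "ok"
```

Exceeding the range budget is the signal that the "skiddie" has noticed the per-IP limit and started hopping addresses, which is exactly the adaptation the post says to expect.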

The LoJack approach...
A wise man once told me, "admittance is the first step to recovery"... and with that I think it's appropriate to bring up the LoJack approach. You're not necessarily admitting defeat if you use the LoJack approach; you're simply admitting that, odds are, you will be hacked. Rather than expending energy (time + money + resources) trying to deter hackers and would-be marauders, you're going to spend time making sure that you know when you've been compromised and can react. Technologies that center around detection and response are most appropriate here. Let's look at the tools and approaches we can use here...
  • Web App Firewalls can be used effectively here because they will act like an alarm (if trained right) when something has gone awry and is deviating from the standard operation of your site
  • Virtual dye-packs are effective if you're an organization which deals with identities, credit cards and the like. You're going to want to slip in an innocuous-looking "tracer" data point that, when used, will trigger a mechanism which will help locate and root out the criminal element where it hides.
  • Separation and Isolation... if you haven't fallen victim to the sheep-think cloud mentality yet. Hopefully you can compartmentalize your data and objects such that a compromise in one sector won't necessarily be a catastrophe in another
  • Trip-wire type sensors and alerting... for when systems start to behave abnormally, or begin to exhibit strange patterns of behavior...
You're working against the determined attacker here. You're working against someone who doesn't just want to hack a web site... they want to attack your web site and steal your goodies. We've all said it before, you're not going to stop the determined attacker... but you can make damn sure you know when they've struck.
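The "virtual dye-pack" bullet above, as an added example that is not code from the original post: a few tracer records (an email, a card number, an API key) are seeded into the real data stores, and a detector scans application logs for any use of them. Nobody legitimate owns those records, so a single hit means the data left the building and tells you which source address is holding it. The log format, the tracer values and the log lines are all constructed for this example.

```python
from dataclasses import dataclass

# Constructed "tracer" records seeded alongside real data. They belong to
# nobody, so any appearance of them in traffic means the data was taken.
CANARY_TOKENS = {
    "tracer-email": "jane.canary.7731@example.com",
    "tracer-card": "4111111111110027",        # constructed, not a real card
    "tracer-apikey": "key_live_CANARY_c0ffee42",
}

# Constructed log lines in a simple key=value format assumed for this example
SAMPLE_LOG = """\
ts=2009-09-09T10:00:01Z src=198.51.100.4 action=login user=alice@example.com result=ok
ts=2009-09-09T10:00:07Z src=198.51.100.4 action=post thread=42 result=ok
ts=2009-09-09T10:03:15Z src=203.0.113.77 action=login user=jane.canary.7731@example.com result=fail
ts=2009-09-09T10:03:16Z src=203.0.113.77 action=charge card=4111111111110027 result=declined
ts=2009-09-09T10:04:00Z src=192.0.2.9 action=api key=key_live_CANARY_c0ffee42 result=denied
"""


@dataclass(frozen=True)
class DyePackAlert:
    token_name: str
    src: str
    action: str
    ts: str


def find_tripped_tokens(log_text, tokens=CANARY_TOKENS):
    """Return one alert per (log line, tracer) pair where a tracer value was used."""
    alerts = []
    for line in log_text.splitlines():
        # Each line is whitespace-separated key=value pairs (assumed format)
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        for name, value in tokens.items():
            # Exact match on a field value: the tracer was presented, not merely logged
            if value in fields.values():
                alerts.append(DyePackAlert(name, fields.get("src", "?"),
                                           fields.get("action", "?"),
                                           fields.get("ts", "?")))
    return alerts


def sources_to_investigate(alerts):
    """The 'locate' half of the dye-pack: every source that tripped a tracer."""
    return sorted({a.src for a in alerts})
```

Note that the result field is irrelevant: a failed login with the tracer email is as loud an alarm as a successful one, because the tracer should never have been typed anywhere.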

Some interesting approaches, ringing back from 2002, and just as true today. The crazy thing is, we're perpetually locked into a death-struggle with the hacker kind. We're stuck in an arms race where we build a better mousetrap, and the hacker/mouse simply adapts and gets smarter to overcome our measure. There is no winning this battle; the "good guys" simply have too much surface area to cover, so that leaves you having to choose... the Club, or LoJack... your call.

So I will bring this all back to a central theme here, what's "good" versus "good enough". What are you trying to do in your security strategy? Are you trying to ensure that you're beating the 80% of skiddies who are going to scan your site and be loud? ... or are you defending yourself against someone who actually will "go in like a super-hacker" (sorry Russ, I couldn't resist) and admit front-line defeat up-front?

Strategies must be adapted in this continuing race to outsmart an element that's better equipped, has more time, more opportunity and more room for error than we "good guys" do. What's good for you may not be good enough for others. Sometimes, "good enough" simply isn't - and you must see that writing on the wall too. So the next time you're sitting and looking at the design specification for a web-based piece of architecture... ask yourself what's good, and what will be good enough.

Good luck.
