Comments on: Linus Torvalds: Security a matter of opinion http://www.bloginfosec.com/2007/10/03/linus-torvalds-security-a-matter-of-opinion/ An Information Security Magazine in a Blog Format Mon, 30 Jan 2012 11:01:25 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Kenneth F. Belva http://www.bloginfosec.com/2007/10/03/linus-torvalds-security-a-matter-of-opinion/comment-page-1/#comment-128 Kenneth F. Belva Sat, 13 Oct 2007 12:19:40 +0000 http://www.bloginfosec.com/2007/10/03/linus-torvalds-security-a-matter-of-opinion/#comment-128 Hi Dave, While there are certainly ways to quantify metrics (see <a href="http://www.securitymetrics.org" target="_blank" rel="nofollow">here</a> and <a href="http://www.bloginfosec.com/2006/11/21/improving-your-security-posture-the-citibank-scorecard/" target="_blank" rel="nofollow">here</a>), you're correct that this is generally a problem in today's environments. Regarding zero days and standards/practices: one hopes that one has enough layers in place to prevent most zero day attacks: IPS / Firewall / DMZ / *EndPoint* Security would do a very good job of reducing many _generic_ zero day attacks. (Note that while endpoint security is important here and could prevent many 0-day attacks against workstations, this would not be true of of other assets, such as web apps.) Thanks for reading and for a thoughtful reply. Hi Dave,

While there are certainly ways to quantify metrics (see here and here), you’re correct that this is generally a problem in today’s environments.

Regarding zero days and standards/practices: one hopes that one has enough layers in place to prevent most zero day attacks: IPS / Firewall / DMZ / *EndPoint* Security would do a very good job of reducing many _generic_ zero day attacks. (Note that while endpoint security is important here and could prevent many 0-day attacks against workstations, this would not be true of of other assets, such as web apps.)

Thanks for reading and for a thoughtful reply.

]]> By: David Funk http://www.bloginfosec.com/2007/10/03/linus-torvalds-security-a-matter-of-opinion/comment-page-1/#comment-127 David Funk Thu, 11 Oct 2007 16:22:54 +0000 http://www.bloginfosec.com/2007/10/03/linus-torvalds-security-a-matter-of-opinion/#comment-127 I think that I agree with Linus a bit more than you. In your disagreements: 1) Information Security has known testing methods. Which are basically broken down into compliance testing, where the linkage to security is indirect at best and insignificant at worst (FISMA); and pen testing, which directly measures results, but we're a few years away from getting quantitave metrics from results. 2) Information Security has metrics that can be applied to help understand risk. Problem is, Linus talked about quantification. Yes todays metrics help to understand risk, but today it requires a priest of Delphi to understand it. Linus (and I, and my CIO, and a lot of people) would like meaningful, reliable numbers. The only reliable metric that I know of is 'what has been an organization's history with computer related incidents, and what is that organizations's environment?' Obviously the 'reliable' part is all bound up in how good that they are watching (assuming that they are telling you the truth!) The US Army has had some real problems with the Red Army, but they are being actively hacked by a pretty large, well organized, state-sponsored group. The VA has had some problems, but they operate in a low to moderate threat environment. I can make conclusions based on this data. But, I which I had some numbers that were worth more than the FISMA report card. 3)Our field has standards as well as generally accepted principles and pratices. which your agreement #3 largely negates. Standards and accepted practices are obviously the foundation, the bedrock to build a security program on. However, a successful program is one where the people and procedures respond to changes in the environment. If all your systems are up to standards and fully patched, but when a zero day exploit surfaces, your are unable to match it, you are vulnerable. Only thing that you got from the effort at standards and pratices is you know (maybe) that you got hit. Frankly, if all it took was standards and pratices, I wouldn't find computer security very interesting. P.S. Thanks for an interesting blog. Dave Funk I think that I agree with Linus a bit more than you. In your disagreements:
1) Information Security has known testing methods.
Which are basically broken down into compliance testing, where the linkage to security is indirect at best and insignificant at worst (FISMA); and pen testing, which directly measures results, but we’re a few years away from getting quantitave metrics from results.
2) Information Security has metrics that can be applied to help understand risk.
Problem is, Linus talked about quantification. Yes todays metrics help to understand risk, but today it requires a priest of Delphi to understand it. Linus (and I, and my CIO, and a lot of people) would like meaningful, reliable numbers. The only reliable metric that I know of is ‘what has been an organization’s history with computer related incidents, and what is that organizations’s environment?’ Obviously the ‘reliable’ part is all bound up in how good that they are watching (assuming that they are telling you the truth!) The US Army has had some real problems with the Red Army, but they are being actively hacked by a pretty large, well organized, state-sponsored group. The VA has had some problems, but they operate in a low to moderate threat environment. I can make conclusions based on this data. But, I which I had some numbers that were worth more than the FISMA report card.
3)Our field has standards as well as generally accepted principles and pratices.
which your agreement #3 largely negates. Standards and accepted practices are obviously the foundation, the bedrock to build a security program on. However, a successful program is one where the people and procedures respond to changes in the environment. If all your systems are up to standards and fully patched, but when a zero day exploit surfaces, your are unable to match it, you are vulnerable. Only thing that you got from the effort at standards and pratices is you know (maybe) that you got hit.
Frankly, if all it took was standards and pratices, I wouldn’t find computer security very interesting.

P.S. Thanks for an interesting blog.

Dave Funk

]]>