A question
Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: A question

  1. #1

    A question

    Which would you label as "more secure"?

    A) A system with deep, critical vulnerabilites.
    B) A system with less critical vulnerabilities, but being actively exploited by worms or tools.

    Which is more important in evaluating security? Potential for loss, or potential for attack?

    I'm looking for a outline of the dread model as well as any other models to put a number on this scenario, any suggestions would be appreciated.

    Thanks!

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    I don't think you've given the mentat enough data to compute.

    Obviously, "more secure" is a relative statement. I guess the best way to approach this is to go macro...in and of itself, I think both are equally (in)secure.

    An actively attacked external server is bad.
    An actively attacked internal server is worse (since once it is owned, its already inside your perimeter/DMZ).
    An unpatched internal server is bad.
    An unpatched external server is perfectly safe...just let me know where it is and I'll take care of the rest.

    Seriously, It's pretty relative. Many folks will say the actively attacked server is better (if the attacks aren't successful) because you KNOW what's going on.

    This is a good question to ask (if enough people will answer seriously), but I wouldn't expect many definitive answers...it's all pretty much opion-based...and everyones got one.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Posts
    510
    At present B is already infected so it is less secure. Chances are pretty good that A will end up worse eventually.

    B may also be your best bet for evaluation as it will probably better simulate systems in the field, most have a half assed attempt at patching etc.

    It's like asking if you want to get hit with a 5 lb hammer once or a 1 pound hammer 5 times.
    \"You got a mouth like an outboard motor..all the time putt putt putt\" - Foghorn Leghorn

  4. #4
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    IMHO they both hold an equal threat -

    Less critical but actively attacked == high annoyance factor.

    More critical but buried deep == potential for huge damage but lower annoyance since the skiddies are not in this particular equation.

    Either one carries a solid cost in both time and resources - for number one the process of patching the hole, installing detection/protection software, and educating end (l)users specifically to guard against the issue, for number two the process of repairing whatever system damage is done when you are (and you will be eventually) hit, then the patching, etc...
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  5. #5
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    I would hazard a guess and only a guess that a system under attack, would be more secure than a system not under attack. Purely on the basis that ones defences would be at their most effective .

    In the scinario you have used, knowing the problems, would put once defences on alert and so increase there effectivenes anyway.

    There must be a mathamatical solution to your question though
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #6
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Coming from a person with no computer knowledge...well...very little...logically, your question being taken at face value, then A would be more secure in that, although being critically vunerable, it is not under attack, therefore, is more secure...because, at face value, you do not say it will be attacked, it's just vunerable...therefore secure.

    In answer to your second question...that would be B...at face value.

  7. #7
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Coming from a person with no computer knowledge...well...very little...logically, your question being taken at face value, then A would be more secure in that, although being critically vunerable, it is not under attack, therefore, is more secure...because, at face value, you do not say it will be attacked, it's just vunerable...therefore secure.
    That does seem to make cense, however I read some time ago, that during the Blitz of London during WW2 there was no cases of the flue or colds............The argument was that due to the stress of living in constant fear the bodies imune system went into overdrive. Perhaps the same is true of computer systems??????
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  8. #8
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    If you look at it from a security standpoint but replace computer security with home security...

    Obviously...the home with unlocked doors and open windows ( very critical but not under attack) is more secure than the house with only one open small upstairs bathroom window ( less critical but under attack ) but has a burgalar ( hacker ), a jewel thief ( spyware ), a sqwatter ( trojan ), and a serial killer ( virus )crawling in that window.

    Just a different look at the same question.




    jinxy...I hope they make a computer one day that reacts like our immune sysyem.

  9. #9
    Senior Member Kite's Avatar
    Join Date
    Jan 2005
    Location
    Underground Bunker, somewhere in Antarctica
    Posts
    109
    That question is kind of like someone asking what kind of bullets you would like to be shot at with. Either way you are screwed.
    I know your type, you think "I'll just get me a costume, rip off the neighborhood kids". Next thing you know, you've got a jet shaped like a skull with lasers on the front!
    -The Monarch.

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The question asked is:-

    Which is more important in evaluating security? Potential for loss, or potential for attack?
    The potential for attack is really irrelevant in philosophical terms but the potential for loss is the basis of security. Give me a tank and a country full of people armed only with bows and arrows and I can quite happily drive right across their country without fear of loss..... I will, of course, be attacked by everyone I meet.

    The potential for loss is what a risk assessment is designed to delineate. From there you decide whether you need a pinto or an Abrams. The risk assessment should indicate the potential level of loss and that will determine the steps required to test and secure.

    So the issue of a deep critical vulnerability versus a number of less critical vulnerabilities should be irrelevant.... However, one could say that, since you don't know all the vulnerabilities in the code of your publicly available services, then the question is still relevant. It's not... If the risk assessment indicates the complete and utter loss of your business with the resulting lawsuits draining any profit you once made to zero then there isn't really any point in going into business unless you decide to call the company Enron II.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •