mental characteristics of security

let's suppose you had to employ someone to protect your data, network, infrastructure, etc.

you have narrowed it down to two candidates and both have roughly the same level of experience and background, and both are easy fits into the organizational community. the only distinguishing factor between the two is that candidate A tends to omit factors of threat logically, based on circumstantial evidence that applies to the current environment. while candidate B only discounts the possibility. who wins in your book -and- why?

i guess i've heard too many {"no, this can't be done", "that is impossible"} type answers given to legitimate questions both here at AO and in the real world...and as always, i am confused about where they are coming from; and even moreso why they are supported. i'm not bitching or pointing fingers (most of it isn't even related to AO responses in particular) - just curious about the justification behind the elimination methodology.

Quote:

---

just curious about the justification behind the elimination methodology.

---

There are 3 people in 1 house.
Person A is in kitchen
Person B is in kitchen
Person C is locked in the basement and doesn't have the key to get out.
Person A is killed

Who did it?

Obviously Person B. Why, because Person C was in the basement......elimination methodolgoy. If something can NOT be done, then don't consider it....

i understand the basic principle - we apply it every day...but in security when we rule out possibilities, doesn't it make sense that some things become more dangerous because they're not considered or overlooked? it's this type of thinking that perpetuates the exploit and catch-up game that the ummm. bad guys are consistently winning.

for instance, i've heard from several sources here describing how spoofing full tcp communications isn't possible - or if it is then it's not considered spoofing. i won't draw a diagram, yet again...but it's the farthest thing from the truth. or that certain encryptions schemes can't be cracked. or that man-in-the-middle attacks don't work against SSL or any other type of certificate based security protocol.

another recent event that illustrates my point to a 'T', is apache and ISS's approach regarding the chunked encoding vulnerability. even though the evidence was clear (ala monkey.org's tamperings) - the information released was that it was only a threat to certain systems (64bit) - and that in all other cases the vulnerability would result in typical DOS characteristics.

i get it day in and day out from the security administrative side - and yet i and others prove them wrong on a continuous basis only to walk into work the next day and have them make the same claims with some other piece of the puzzle. definitive statement's at best hold temporary truths.

without much detail with regard to your analogy...i'll do my best:
was C always locked in the basement?
were A and B always in the kitchen?
which side did the lock face?
who else had keys?
what tools if any existed in the basement?
were there any other means of escape outside of the locked door?
is the room soundproof?
is the locked door at the top or the bottom of the stairs?
how much of a gap exists at the base of the door?
is it large enough to fit a key through? what about a peashooter? or dart-gun?
what is the relationship between A and B, A and C, and B and C

these are the types of questions i would want asked rather than assuming the "obvious".

as opposed as my views are, i'm not really against you, here souleman - i'm just trying to gain a better understanding of what i'm guessing is a consensus amongst sec admins. and at the same time offer my own view on security approach.

I simply believe that both methods come down to assumed preceptions. Neither is right nor wrong. One may start out through expierence use elimination methodology, it is based upon training, edu, and real world living and even the personal baggage a person may carry. Then we come to discounts the possibility, again the same factor assume that through your knowledge that the other factors you stated. A person at 25 precieves a world different that I say at 50. I simply believe one must employ both in security, and after you look at things it comes down to the nature of the person that may be a threat. Assume you have a goose in a bottle and you must remove it without breaking the bottle or hurting the goose. How do you get the goose out? This can be solved it is a question of assumptions and logic :)

If I had to hire someone to make sure everything is running properly and the security is ok, I'd hire someone who doesn't act like a jerk, is well smart, some1 who isn't lazy, and someone who doesn't brag about the cool things they have done or put inside the network. Now as you can see you can go a long ways with someone who has a good personality and takes orders well.

Everything comes down to the time=money equation. Sure you could hire a security expert to bolt down the computer make sure every nook and cranny is secure, but the users of the system would bitch about it (costing the company money cause they can't get their work done), it would cost more money because the "expert" would have to spend more time on it and it would piss alot of people off. While makeing sure the system is routinely patched and the currently exploitable vulnerabilities are fixed is much more ecconomical. I've said it time and again most hacks that occure are the admins fault because almost all of them use known vulnerabilities.

palemoon, the voice of reason. i agree 100%.

i'm more pointed in my views right now, because i'm finding myself increasingly frustrated with having to fight about the reality of possibilities - and then being the ******* who had to prove everyone wrong...simply because i can't sit still when people state "facts" that are nothing more that effects of conditions, which might or might not be susceptible to change. the typical response (and i've seen it prevalant here too) is "no, that's not possible. case closed."

specialist, i don't know any jerks thus far - but i'll be sure to be on the lookout in my hypothetical question.

personally, i like the one about the sound of one-hand clapping. it seems more fitting to my example anyway.

Zepherin you nailed it it comes to time money producing a work product and up time on a network. Secure a network to much average workers have to many hoops to go through to get their job done. Network intrusion attempts you are on the internet it is a fact you will get hit, so it becomes a question of how much time and resources against the hits to a firewall and keeping an entire staff productive and the servers up. Most cases you block the IP and life goes on and one watches the log.

Still no guess on the goose in the bottle problem it proves both sets of logic and that of assumption and human nature it is a Koan a Zen problem I did not invent it but know it's answer :)

zepherin, the scenario i gave wasn't sufficient with regards to financial feasibility. your statements are correct. it does bring up an interesting point. is it your contention, then, that security admins, who are the more well-rounded, ideal choice in the business world, have the motivation (internal/external) to stay that way because of the business-related expectation/limitation of their job roles?

Quote:

---

Still no guess...

---

what and ruin it...? the purpose isn't the answer - it's the path to get to an answer.

No guessing it is a logic problem yes the path to the answer is in assumed knowledge asking the two basic things you asked of logic from two prespectives become one and time = $ and also knowing your role in a company and the users one supports.

Quote:

---

Originally posted here by souleman


There are 3 people in 1 house.
Person A is in kitchen
Person B is in kitchen
Person C is locked in the basement and doesn't have the key to get out.
Person A is killed

Who did it?

Obviously Person B. Why, because Person C was in the basement......elimination methodolgoy. If something can NOT be done, then don't consider it....

---

Gleh, lost my message somehow.

What if B is a blind quadriplegic?

What if A committed suicide?

What if C attempted to blow them both up but only injured B?

Interesting choice of example :p

I think using logic that C did it knowing they were gonna be locked in the basement spiked one drink offered and one without A happed to drink the the fatal dose B has no clue and C says I was locked in the basement I know nothing. Fully how logic works good point Terr cause we are in the same area :) Never thought of the bomb thing???

Palemoon > Since the situation is imaginary, I hereby imagine that the goose is now out of the bottle.

Quote:

---

Gleh, lost my message somehow.
What if B is a blind quadriplegic?
What if A committed suicide?
What if C attempted to blow them both up but only injured B?
Interesting choice of example

---

my money's on D.

Notice how I said person B, A, C,? Blood Alcohol content! Person A could have died from purely natural causes or from passing out from drinking in the kitchen and choking on their own vomit! Eeeew! Or A could have died from old age, disease, starvation (it's a very sparse kitchen) radiation, or maybe they accidentally locked themselves in one of those old-old-style refrigerators without the little magnetic sealing strip!