Correction:
- Physical systems tend to wear out + fail spectacularly.
- Cyber systems tend to fail silently + inconveniently
- CPS systems tend to wear out + fail spectacularly + fail silently +
inconveniently (case in point colonial pipeline)
The purpose of said tools is to evaluate & maintain asset health - over time.
(PDCA)
-----Original Message-----
From: Brent Kimberley
Sent: Thursday, February 15, 2024 12:49 PM
To: kerberos@mit.edu; k...@cmf.nrl.navy.mil
Subject: RE: Protocol benchmarking / auditing inquiry
The purpose of non-destructive testing is to validate form/fit/function -
across the entire operational mission/ asset lifecycle/ whatever - contrasted
with the STIG/CIS benchmark which throws the real problems "over the wall" to
Ken H.
Using the outputs, the lifecycle manager constructs their budget for operations
+ maintenance (OpEx) and replacement (CapEx).
Physical systems wear out. (Weibull)
Cyber systems fail spectacularly.
CPS systems wear out + fail spectacularly. (Power-law?)
Why is this relevant?
Back in the 1940s, too many planes were falling out of the sky. (Q. How many
planes are too many?) You call this philosophy a "surety system", "fly fix
fly", "patch Tuesday", " FAA's approach to the Boeing 737 MAX" - whatever.
Regardless, by the 1950s, it was decided that action needed to be taken. The
status quo was unacceptable. It was too expensive for operators.
The national safety council created something called the "Hierarchy of
Controls." It was immensely successful. (Planes stopped falling out of the
skies.)
You can call this approach "safety by design". This approach and it's benefits
are very well documented and might even be applicable to Navy C4ISR.
To tie a bow on this thread:
How can we make Kerberos safe?
-----Original Message-----
From: Brent Kimberley
Sent: Thursday, February 15, 2024 12:19 PM
To: kerberos@mit.edu; k...@cmf.nrl.navy.mil
Subject: RE: Protocol benchmarking / auditing inquiry
At higher levels it falls under "Non Destructive testing".
-----Original Message-----
From: Brent Kimberley
Sent: Thursday, February 15, 2024 12:12 PM
To: 'kerberos@mit.edu' <kerberos@mit.edu>; 'k...@cmf.nrl.navy.mil'
<k...@cmf.nrl.navy.mil>
Subject: RE: Protocol benchmarking / auditing inquiry
This approach is taught in first year engineering.
-----Original Message-----
From: Brent Kimberley
Sent: Thursday, February 15, 2024 12:10 PM
To: kerberos@mit.edu; k...@cmf.nrl.navy.mil
Subject: RE: Protocol benchmarking / auditing inquiry
Ken.
The term Frame of Reference is a Cyber Physical system (CPS) term.
For those who work in the cyber subset, the term is "interface".
Regardless of what you call it.
You take the system diagram and evaluate using each major interface or Frame of
Reference.
The STIG or CIS benchmark is just one of the interfaces evaluated.
-------------
>Minor comment the CIS Benchmark appears to have been written from the
>system administrator's frame of reference - not the network frame of
>reference (FoR). Typically, each frame of reference (FoR) needs to be
>audited. Hence the need for automation.
I can only say this:
- I've been doing Kerberos for a few decades (but I'm certainly not the
person with the most Kerberos experience on this list).
- I've done a ton of security accreditation work at my $DAYJOB, which
also involves Kerberos. As part of the accrediation work we (and
others) do automated scanning that includes the Kerberos servers
and this seems to satisfy the powers that be. Some of the scanning
seems to detect Kerberos but I am unclear how much it actually checks
for other than "Kerberos is found".
- I've used the aforementioned CIS Benchmark.
- I really have no clue what you mean by "frame of reference" in this
context, and this corresponds to no security accreditation or auditing
requirements I have ever encountered so I cannot provide any
suggestions; I'm really unclear what you are asking for.
--Ken
-----Original Message-----
From: Brent Kimberley
Sent: Wednesday, February 14, 2024 3:24 PM
To: Christopher D. Clausen <cclau...@acm.org>; kerberos@mit.edu
Subject: RE: Protocol benchmarking / auditing inquiry
Minor comment the CIS Benchmark appears to have been written from the system
administrator's frame of reference - not the network frame of reference (FoR).
Typically, each frame of reference (FoR) needs to be audited. Hence the need
for automation.
-----Original Message-----
From: Christopher D. Clausen <cclau...@acm.org>
Sent: Wednesday, February 14, 2024 2:10 PM
To: Brent Kimberley <brent.kimber...@durham.ca>; kerberos@mit.edu
Subject: Re: Protocol benchmarking / auditing inquiry
[You don't often get email from cclau...@acm.org. Learn why this is important
at https://aka.ms/LearnAboutSenderIdentification ]
I have used this as a guide, but I think MIT Kerberos version 1.10 is the
latest available:
https://www.cisecurity.org/benchmark/mit_kerberos
Not sure if this is what you are looking for or not.
<<CDC
On 2/14/2024 11:46 AM, Brent Kimberley via Kerberos wrote:
> Preferably something smaller and more focused than nmap or OpenSCAP. 😉
> > > > > > >
> From: Brent Kimberley
> Sent: Wednesday, February 14, 2024 12:44 PM
> To: kerberos@mit.edu
> Subject: Protocol benchmarking / auditing inquiry
>
> Hi.
> Can anyone point me to some methods to benchmark and/or audit Kerberos v5?
>
> For example, SSH:
> Manual
> Read the RFCs and specs.
> Semi-automatic.
> jtesta/ssh-audit: SSH server & client security
> auditing (banner, key exchange, encryption, mac, compression, compatibility,
> security, etc) (github.com)<https://github.com/jtesta/ssh-audit/>
> Automatic
> SSH Configuration Auditor
> (ssh-audit.com)<http://ht/
> tps%3A%2F%2Fwww.ssh-audit.com%2F&data=05%7C02%7CBrent.Kimberley%40Durh
> am.ca%7C8eddde16708448e6cdb008dc2d907d49%7C52d7c9c2d54941b69b1f9da198d
> c3f16%7C0%7C0%7C638435345797172606%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4
> wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&s
> data=ydwY2y5%2FxuZxJavbNQw877yOmuFuVo3DktJr%2FdFA05A%3D&reserved=0>
>
>
> TLS example upon request.
THIS MESSAGE IS FOR THE USE OF THE INTENDED RECIPIENT(S) ONLY AND MAY CONTAIN
INFORMATION THAT IS PRIVILEGED, PROPRIETARY, CONFIDENTIAL, AND/OR EXEMPT FROM
DISCLOSURE UNDER ANY RELEVANT PRIVACY LEGISLATION. No rights to any privilege
have been waived. If you are not the intended recipient, you are hereby
notified that any review, re-transmission, dissemination, distribution,
copying, conversion to hard copy, taking of action in reliance on or other use
of this communication is strictly prohibited. If you are not the intended
recipient and have received this message in error, please notify me by return
e-mail and delete or destroy all copies of this message.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
