tl;dr dc -mel
> On Feb 13, 2015, at 1:13 PM, "J. Oquendo" <joque...@e-fensive.net> wrote:
>
>> On Fri, 13 Feb 2015, Mel Beckman wrote:
>>
>> JO,
>>
>> IDS to meet PCI or HIPAA requirements is "regulatory grade". It meets
>> specific notification and logging requirements. SNORT-based systems fall
>> into this category.
>
> <ramble>tl;dr (even I don't read what I write)
>
> You failed to see the snark in the "military grade" crypto
> comment. This thought process is what causes many
> organizations to fail repeatedly. Relying on what the herd
> says. PCI, HIPAA, FINRA, FISMA, and all of the other
> regulatory guidelines, standards, baselines, and mandates
> spew from the manufacturing industry's ISO (BS, pick your
> poisonous acronym). Call it SADHD (or Security ADHD), but I
> don't get why everyone keeps running around like dogs
> chasing their tails.
>
> Let's look at HIPAA, where everyone is scrambling to replace
> Windows based on the word of the herd. Here is the rule:
>
> "Unsupported and unpatched environments are vulnerable to
> security risks. This may result in an officially recognized
> control failure by an internal or external audit body,
> leading to suspension of certifications, and/or public
> notification of the organization's inability to maintain
> its systems and customer information"
>
> Do you chuck Windows XP? It'd be easier to in theory but not
> in practice; however, NO ONE EVER SAID: "thou shall chuck XP"
> (http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html)
>
> "The Security Rule was written to allow flexibility for
> covered entities to implement security measures that best
> fit their organizational needs. The Security Rule does
> not specify minimum requirements for personal computer
> operating systems"
>
> Organizations keep relying on half-decent guidelines for
> remedies to their problems. By thinking that you are
> going to plop in any "regulatory grade" *anything* and find
> security, you are doing not only yourself a huge disservice,
> but also your clients. These pieces of technology (IPS,
> IDS, FWs, HIPS, NIPS, etc.) are only capable of doing what
> you tell them to. Neither the Payment Card Industry, NIST,
> nor even the President of your country (or Premier, or
> whatever else) should be telling you how to secure your
> organization. YOU need to know the ins and outs, take the
> proper steps, and THEN use these technologies when you're
> done with your risk assessments.
>
> If you're relying solely on what others tell you is
> "regulatory-grade" or "military-grade" or any other kind of
> grade, you're bound to be right up there with Target, Anthem,
> Citi, JP Morgan Chase, <snip>a Wikipedia-length list of
> compromised companies</snip>.
>
> When doing pentesting work, I fill up IPS and IDS with so
> many false positives that the analysts are FORCED to ignore the
> results while I shimmy my shiny right on by. I know based on
> experience what someone is going to do when they see a
> kabillion alerts light up their dashboard.
>
> http://seclists.org/incidents/2000/Aug/277
>
> The approach: "Let me cater to what they say I should do"
> versus: "Let me figure out what my organization does, needs
> to do, and how to get to the proper point" is mind-boggling.
> I wish there were a statistical database of compromised
> companies, where the tools they used, frameworks they followed,
> and regulatory nonsense they needed to comply with were listed.
> Most of these regulatory mandates are based off of half-baked
> models that are partially good when followed thoroughly.
> However, they are ONLY partially good when an organization
> goes beyond the normal banter: "thou shall apply this" does
> not mean: plop in an IPS and call it a day. For the most part,
> though, this practice of half-baked security will continue,
> vendors will make bucketloads of money, consumers of IPS/IDS
> devices will still complain about how much the product sucks, and
> I as a pentester... I stay happy as it keeps me steadily
> enjoying Five Guys' burgers
>
> </ramble>
>
> --
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
>
> "Where ignorance is our master, there is no possibility of
> real peace" - Dalai Lama
>
> 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463
> https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463