tl;dr dc -mel
On Feb 13, 2015, at 1:13 PM, "J. Oquendo" <joquendo@e-fensive.net> wrote:
On Fri, 13 Feb 2015, Mel Beckman wrote:
JO,
IDS to meet PCI or HIPAA requirements is "regulatory grade". It meets specific notification and logging requirements. SNORT-based systems fall into this category.
<ramble>tl;dr (even I don't read what I write)
You failed to see the snark in "military grade" crypto comment. This thought process is what causes many organizations to fail repeatedly. Relying on what the herd says. PCI, HIPAA, FINRA, FISMA, and all of the other regulatory guidelines, standards, baselines, and mandates spew from the manufacturing industry's ISO (BS pick your poisonous acronym). Call it SADHD (or Security ADHD) but I don't get why everyone keeps running around like dogs chasing their tails.
Let's look at HIPAA where everyone is scrambling to replace Windows based on the word of the herd. Here is the rule:
"Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization's inability to maintain its systems and customer information"
Do you chuck Windows XP? It'd be easier to in theory but not in practice, however NO ONE EVER SAID: "thou shall chuck XP" (http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html)
"The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems"
Organizations keep relying on half-decent guidelines for remedies to their problems. By you thinking that you are going to plop in any "regulatory grade" *anything* and find security, you are doing not only yourself a huge disservice, but also to your clients. These pieces of technology (IPS, IDS, FWs, HIPS, NIPS, etc) are only capable of doing what you tell them to. Neither the Payment Card Industry, NIST, nor even the President of your country (or Premier, or whatever else) should be telling you how to secure your organization. YOU need to know the ins and outs, take the proper steps and THEN use these technologies when you're done with your risk assessments.
If you're relying solely on what others tell you is "regulatory-grade" or "military-grade" or any other kind of grade, you're bound to be right up there with Target, Anthem, Citi, JP Morgan Chase, <snip>a wikipedia-length list of compromised companies</snip>.
When doing pentesting work, I fill up IPS and IDS with so many false positives, the analysts are FORCED to ignore the results while I shimmy my shiny right on by. I know based on experience what someone is going to do when they see a kabillion alerts light up their dashboard.
http://seclists.org/incidents/2000/Aug/277
The approach: "Let me cater to what they say I should do" versus: "Let me figure out what my organization does, needs to do, and how to get to the proper point" is mind boggling. I wish there were a statistical database of compromised companies, where the tools they used, frameworks they followed, and regulatory nonsense they needed to comply with was listed. Most of these regulatory mandates are based off of half-baked models that are partially good when followed thoroughly. However, they are ONLY partially good when an organization goes beyond the normal banter: "thou shall apply this" - Does not mean: plop in an IPS and call it a day. For the most part though, this practice of half-baked security will continue, vendors will make bucketloads of money, consumers of IPS/IDS devices will still complain how much the product sucks, and I as a pentester... I stay happy as it keeps me steadily enjoying Five Guys' burgers.
</ramble>
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463