Thursday, September 6, 2012

Hmmm strategy...



http://www.technologyreview.com/news/428649/hey-hackers-defense-is-sexy-too/




The title of the above post caught my fancy.  The content is pretty small but the idea is funny.

This is just stupid.  It's the most poorly thought out marketing attempt... well not "ever"... but it's still pretty weak.

Attack is always easy.  Defense is always hard.  But now it's sexy....lol. That should convert the masses.

Attacking a stationary/static target is simply a matter of trial and error.  Success is a factor of time, effort and a bit of cunning. Hence its popularity with "security researchers". 

Defending a stationary target is an exercise in "preventing the unknown".  You have no capacity to prevent what's going to happen if it's a simple attack-defend scenario, unless you can brute force "prevent" the attacker's vector from functioning.  But to do this you either need to know what the vectors are beforehand, prevent all possible vectors or ..."other".
The first is essentially the "attack" strategy just going in the opposite direction.  (See all current signature-based mechanisms)
The second is theoretically impossible but heuristics offer partial solutions. (Mechanisms such as DEP, Mutable loading, calling etc, behaviour monitoring mechanisms, white lists)
The third is.... "unknown".

But now it's sexy!

It's also going to be damn hard to "show" in the way exploits have traditionally been demonstrated at the various conferences.  An exploit either works or fails.  Defending against an unknown and possibly non-existent attack is ... harder to demonstrate.

"Evidence of defence against non-existent threat may have been successfully demonstrated... audience baffled and bored!"

At least if you find an exploit and then demonstrate a fix, people "get it".  Doing this for broad classes of attack strategies may be harder, simply because doing so just moves the goalposts for the attackers. It does not eliminate goalposts, although it may in the mind of the purchaser.

I think being under a state of constant attack forces people to adopt a conservative approach to their computing activities.  Purchasing a "solution" simply promotes a false sense of security.

But I ramble...



