That was my point. Common sense mitigations are not being done and when they are done they will be bypassed anywhere.

“Also, Grant stated that “these attackers only use as much skill as needed”. This is quite different from what you paraphrased”

Not really. The point is that if the attacker is competent, common sense mitigations will not keep them out. You have to go BEYOND the industry “best practices” because such practices will eventually be bypassed.

The overall point is directly related to my meme: You are in a CONFLICT with an actual human being, not some robot. In fact, you are in conflict with a HORDE of human beings, some smarter than others. Unless you deal with the overall concept of security in this context, you are not going to win.

The majority of the infosec industry still thinks that computer security is some kind of “technology issue” to be solved by applying various bandaid “best practices.” It’s not. It’s a human conflict and the principles of conflict apply. In other words, you have to deal with the attack that happens and not the one you prepared for. This is a commonly known principle in martial arts and in the military (although in the military, it, too, is not usually performed correctly due to organizational inertia. Case in point: the utter failure of Afghanistan.)

“Specifically, the top four strategies “will help protect an organisation from low to moderately sophisticated intrusion attempts”. Thus, it will winnow out, as you have described, both the “script kiddies” and “half-way decent hackers”. Adding additional mitigations from the list, which btw include both prevention and detection capabilities, as appropriate for one’s organization, will make the work of advanced hackers more difficult. Why on God’s green earth make it easy for the miscreants?! Make them burn the midnight oil for months, or even years.”

They will never take years to penetrate a system, and most likely not even months.

Richard Marcinko’s Red Cell SEAL Team penetrated just about every US military security capability there was during his tenure as its commander. His team put IEDs next to the nuclear reactors on nuclear subs at Groton, put IEDs on Air Force One, and got several SEALS with several pounds of C-4 within 20 yards of the President’s cottage at Camp David.

Penetrating a computer security system is way easier than any of those operations.

It is literally – and I mean LITERALLY – IMPOSSIBLE to secure a company with over, say, 10-100 employees. Corporation with thousands of employees are Swiss cheese no matter what they do.

Besides, I never said one should NOT do the mitigations – I’m saying you cannot RELY on them to be effective.

“Finally, even if your “meme” is correct and one cannot prevent intrusions, this would imply that organizations should also implement strong detection capabilities to enable response to attacks at the earliest possible moment.”

With this I agree completely. Since you’re going to be attacked, and probably breached, you need to be able to detect when and where and head off the attackers before they can either do damage or acquire what they’re after.

“Raising the white flag and innovating more quickly is not the answer.”

Controlling your own game is much easier than controlling the enemy’s game. Every coach knows this.

#4 on their list is application whitelisting (SRP or AppLocker). AppLocker has potential, but is only found in the Ultimate and Enterprise versions of Windows, so I’ve stuck with SRP.
I have a page on Software Restriction Policy at http://www.mechbgon.com/srp that I recently revamped after reviewing the United States NSA’s PDF on the subject, and Didier Stevens’ blog. Those of you who do use SRP (or plan to try it), should look at those resources, so here they are:

NSA: http://www.nsa.gov/ia/_files/os/win2k/Application_Whitelisting_Using_SRP.pdf

Didier Stevens:
http://blog.didierstevens.com/2011/11/17/hotfix-for-srpapplocker-bypass/

For those of you using Google Chrome, you’ll want to switch to the .MSI version of it so it gets installed into the Program Files directory, rather than into your user profile, which will become a no-execute zone under SRP’s protection. That version of the Chrome installer can be obtained at https://www.google.com/intl/en/chrome/browser/eula.html?msi=true

We need to reward the people who dare to create something new and succeed in making it happen. Letting others copy their work and dilute their success diminishes their reward, often to the point of making it pointless to even attempt something equivalent in the future.

The future you espouse is all wonderful so long as you’re the pointless conman who never invents anything and rips everyone off. When there’s nobody left to rip off the house of cards will come crashing down.

If the top 4, along with the remaining 31, mitigations are “common sense”, then why have so many organizations failed to implement just the top 4 alone, which includes application whitelisting? And why have so many organizations failed to utilize Windows group policy and use Internet Explorer’s Security Zones to whitelist essential websites as Trusted Sites (please see mitigation strategies 10/11 and reread Brian’s recent article on watering holes)? “Common sense” is not as common as you believe it to be.

Also, Grant stated that “these attackers only use as much skill as needed”. This is quite different from what you paraphrased. Here’s another link from the above-referenced site (see “Creating a defence-in-depth system”):

http://www.dsd.gov.au/publications/csocprotect/top_4_mitigations.htm

Specifically, the top four strategies “will help protect an organisation from low to moderately sophisticated intrusion attempts”. Thus, it will winnow out, as you have described, both the “script kiddies” and “half-way decent hackers”. Adding additional mitigations from the list, which btw include both prevention and detection capabilities, as appropriate for one’s organization, will make the work of advanced hackers more difficult. Why on God’s green earth make it easy for the miscreants?! Make them burn the midnight oil for months, or even years.

Finally, even if your “meme” is correct and one cannot prevent intrusions, this would imply that organizations should also implement strong detection capabilities to enable response to attacks at the earliest possible moment. As an example, shortly after RSA was hacked in March, 2011, an attack was launched against one of their customers, Lockheed Martin. Lockheed Martin is believed to have detected network intrusion attempts by the miscreants and, in response, shut down remote access and re-issued tokens and passwords. More here:

“Data Breach at Security Firm Linked to Attack on Lockheed
http://www.nytimes.com/2011/05/28/business/28hack.html?_r=0

Raising the white flag and innovating more quickly is not the answer.

What should scare everyone is the opportunity to issue nefarious controls at just the right time. Now to do that, you’d need intimate knowledge of not only how the SCADA system works, but how the electric distribution system works, how the water system works, how the transportation systems work –in other words, it’s not enough to be an IT geek. You have to have the experience of an engineer with significant detailed knowledge of the infrastructure as well.

Yes, this is security through obscurity. However, do note that the number of people on this planet who could pull off a successful attack like this are probably measured in the low hundreds. This combination of skill and experience is very unusual.

As for those of you who shake your heads at the choices made in SCADA systems, remember this: the goals (in order) are Safety, Availability, Integrity; and perhaps confidentiality, though aside of keeping keys and access systems secure, it doesn’t figure in to this. Many of the security assumptions you have learned from office applications are inappropriate in this context.

Also, sooner or later we will all slip up and someone will manage to hack us. All this doom about Telvent ignores the fact that they’ve been doing a pretty decent job of handling this situation. I am not a Telvent customer or a Telvent manager. I’m merely a SCADA user who is trying to deal with the reality of keeping a distribution system going.

Though I’m not happy about the fact that they did get hacked, I’m impressed that they 1) caught it, 2) did their best to remediate it, and 3) put their customers first. Contrast that with how Siemens handled Stuxnet.

Power, gas, pipelines, water, etc… All should be offline!