
Many people implement security solutions only to make their overall security worse. There are a few reasons for this. They are the subjects of this three-part series, which will examine why:

  • You don’t know your attack surface
  • Your security is unbalanced
  • You chose security solutions that fight for the same resources

Now there’s no point talking about bad products, wish fulfillment and false expectations. Those happen everywhere. That’s what denial is for. So that aside, even if you do the right thing, get your strategy straight, and get the quality you need, you can still be doing it wrong.

You Don’t Know Your Attack Surface

Enjoys long walks on the beach, moonlight, and multitasking in ways that you can’t…

Too much security can hurt your security. And not because it will kill your efficiency; it might, but because it will increase your attack surface. The skill needed here is balance between the openness you need for smoothly running operations and the protection you need to stay in control of your operations, including the assets.

Attack surface analysis is tough to learn. You will learn the product types easily enough. You will learn many of the types of threats if you’re into that. You can learn how to configure the products correctly without the checklist.

You can even learn the math behind the tougher decisions, whether it be risk statistics or ciphers. But attack surface analysis is tough because modern operations are complicated with more variables than the weather and less information than the weatherman has to work with.

The attack surface shows where an attacker would have to attack if they could attack. You need to look at each place in a network, software, service, emanation, storage, memory, and environment where interactions can happen. So it’s hard because it’s time consuming and exhausting. Whether it’s a building or software code, trying to find where each little interaction can take place and if it does so securely can drive you crazy.

There are only four kinds of interactions to be found that affect security but each one is very different and sometimes there are chains of interactions that go further than you have resources to follow. That’s probably why where investigation is needed the most, like critical systems, really expensive software is implemented to get it done a little better.

Software doesn’t necessarily find all the interactions or the breadth of their consequences but because machines are better at remaining consistent during mind-numbing tasks, fewer mistakes are made. But even then, software is really limited to following other software and can’t follow an interaction that has a human or physical component to it.

That is why smart phones are really hard to test for security. A modern smart phone has WiFi, Bluetooth, GPS, GSM, 3G, camera, accelerometer, apps, touch screen, button controls, and is part of a larger network that runs in multiple environments and environmental conditions. That’s a lot of variables and a lot of interactions.

That’s also why the software that does that kind of testing is so expensive, despite being so limited, and the people who do that work for those who can’t afford the software, usually fake it. And by faking it, I mean they do it in a superficial manner. They test according to their intuition, going as far as they feel they have to go and skipping stuff that, in their experience, has never had a problem before.

It’s so hard to do, actually, that it leaves room for all sorts of enthusiastic eyes to look for the interactions that the testers missed and make exploits from them. Which is actually much harder than it sounds. Here it sounds like mining for gold. But it’s not. In making exploits, finding an unprotected interaction is just the first step. Figuring out how to get from there to where you want to be, like bypassing authentication or taking root, is more like mining for gold and then building a rocket ship to take it to the moon. It’s the last step where most fail.

So, to secure something, especially in the face of enthusiastic, gold-digging eyes, you need to know where all of those four types of interactions are taking place. Now the consensus here is that by applying security on some of these interactions, the low-hanging fruit ones, then we are doing something. And something is better than nothing. Except when it’s not.

Good with gold-digging, bad with rocket science…

Where there are no controls over interactions, things hide. And what do they hide behind? Your security. An encrypted network with poor host security can hide illegitimate operations coming and going. An encrypted disk can still hide malware.

A strong password can protect illegal data repositories and data leaks. Non-repudiation protocols can make a big database of personally identifying information ripe for the picking. You get the picture.

Attack surface analysis is clearly the hardest task and many professionals do it poorly because either they fake it or they wing it due to limited time and resources, which means your security has no balance. And poor balance is how you end up with uncontrolled interactions and worse.

The worse? Well that’s a type of system apoptosis, AKA “programmed cell death.” It’s where your system kills itself as a result of protection. And it’s more common than you think. Think, anti-malware software deleting critical files to clean an infection. System death through security.

This happens when Unbalanced Security is Increasing Your Attack Surface – the next article in this series…

So, it’s time to change. There are better security awareness methods out there worth following at this Troopers workshop. Find me there. I’m open to talk about any of the topics covered in this article if you catch me at an event like Troopers in Germany or RVAsec in Richmond, VA, USA — both coming up soon!


Author’s Note: The information in this article comes from research for OSSTMM 4 and its spin-offs, which include the Secure Programming Guidelines, Security Awareness Methodology Manual, Hacker Highschool, Vendor Trust and Security Assessment, and the Desktop Security Matrix, some of which are already publicly available or available to ISECOM subscribers. The difference between ISECOM research like the OSSTMM and security best practices is that ISECOM studies and verifies practices to determine facts, as opposed to the anecdotal security found in best practices. OSSTMM is true.


About the Author: Pete Herzog is the co-founder of ISECOM, and as Managing Director is directly involved in all ISECOM projects. In 2000, Pete created the OSSTMM for security testing and analysis. He is still the lead developer of the OSSTMM but also leads the organization into new research challenges like Smarter Safer Better, the Bad People Project, and the Home Security Methodology. Pete’s strong interest in the properties of trust and how it affects us and our lives has led to trust metrics and has brought ISECOM more deeply into Human Security. In addition to managing ISECOM, Pete taught the Masters for Security at La Salle University in Barcelona, which accredits the OPST and OPSA training courses, and Business Information Security in the MBA program at ESADE, which is the foundation of the OPSA. In addition to security, Pete is an avid Maker, Hacker, and reader.


Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.


