Bare Bones Security

There is a rant over at Observations. In it the author rightly points out that user training is ineffective when you do not have a minimum set of security measures in place. For those not in the inner sanctum, we’re talking about information security. Basically, the rant is communicating that we have to pick and choose our battles. I’m totally on board here. In fact, I spoke about that here. The challenge is that everyone’s bare bones security measures are very different. In fact, over at Observations he practically throws in the kitchen sink! Don’t get me wrong, all of the measures are great, but integrating all systems into AD, starting a threat modeling effort and NAC are definitely not bare bones. Not even close. Now, I know this was a rant so I won’t be too critical here, but you can’t put everything in the bare bones category. It tends to lose meaning that way. Instead, after the author calms down, another attempt should be made to prioritize these efforts. Yes, you must prioritize. Especially in the security space where there is always work to be done, we have to select those efforts that will produce the greatest positive outcome. I know, great is vague and nebulous, but you know what I mean. Check out the laundry list, it is nice, a little idealistic, but nice nonetheless.

Barth - Biblical Assertions

Somewhat related to my ‘A Variety of Lenses’ post, Barth in Evangelical Theology has some interesting things to say.

The remarkable assumption behind this project [the exegetical-theological task], however, seems to be that the content, meaning and point of biblical assertions are relatively easy to ascertain and may afterward be presupposed as self-evident…The truth of the matter, however, is that the central affirmations of the Bible are not self-evident; the Word of God itself, as witnessed to in the Bible, is not immediately obvious in any of its chapters and verses. On the contrary, the truth of the Word must be sought precisely, in order to be understood in its deep simplicity.

– Karl Barth, Evangelical Theology (Eerdmans, 1963) 35.

Integrated Application Security Logging?

The taosecurity blog has an interesting post regarding application instrumentation. In it, author Richard Bejtlich argues that all applications should be able to defend themselves. This defense, according to Bejtlich, is defined as the ability to tell us “when they are abused, subverted, or breached”. Now I wouldn’t call this defense per se, but I understand where he is coming from. Visibility into an application’s behavior or misbehavior is essential to properly respond to each situation. So, we’re all in agreement here, almost. Bejtlich writes:

I would like to see the next innovation be security application instrumentation, where you devise your application to report not only performance and fault logging, but also security and compliance logging. Ideally the application will be self-defending as well, perhaps offering less vulnerability exposure as attacks increase (being aware of DoS conditions of course).

While this is excellent, I think it fails to recognize one of the fundamental barriers to implementing such a system. The idea that an application has the ability to report information about security events, violations or what-have-you is great. The problem, however, is that because this functionality is found within the application’s runtime we may have some integrity issues. If that application is attacked and ultimately compromised the ability for that application to effectively communicate security event data with any sort of integrity is quite low. So low, in fact, that that function is useless. And this is exactly when we don’t want it to be.

This particular problem isn’t that new. The reference monitor, while not quite analogous, does provide some insightful parallels. In a nutshell, we cannot place the reference monitor-like functionality within the application’s runtime environment. If we do this, we seriously limit the effectiveness of its primary function. Now, the reference monitor concept isn’t a silver bullet either, but the decoupling of that function from that of the application provides some compartmentalization and some level of non-bypassability (you can’t bypass the reference monitor by attacking the application itself). Yes, you can attack the reference monitor and then attack the application, but you must do so in two discrete steps. This sounds strangely like an IDS, doesn’t it?

So, I agree, we need the information, but is building it into every application the most effective way to do this? I don’t think it is.

A Variety of Lenses

I was writing a bit off-blog about how different people approach the Protestant Bible. I thought it was interesting so I brought it into the blog to share. For a bit of context, I was speaking with a friend where I was mostly listening to him explain why his informed views of the meaning of the biblical text are to be preferred. Of course, like many people, his explanation was nothing more than an appeal to, “It is so clear, how can you *not* see it my way”. What he did not understand and, at first, acknowledge was the critical role that assumptions play in this process of understanding. Some people call them assumptions, others call them axioms and still others call them facts. The truth of the matter is that these assumptions, the lens by which we view the biblical text, are not themselves built into the text. They are part of our overall approach to reading texts like this. The challenge is that not everyone has the same set of lenses and yet many feel their particular brand of spectacles are the only ones authorized for this use.

These lenses control and in some ways determine how we understand biblical texts. This can be good and bad. If our lenses do not include the consideration of the cultural and historical context of the text, things can get dicey. These considerations should constrain the possible meanings. Yes, you heard it right, we may receive the text in a particular way, but that is something entirely different from what the author intended and the first recipients may have understood. Many presume that our twentieth century lenses are the ultimate instrument to see the real meaning of a text. Unfortunately, this includes many, many people. We have to ask, though, whether it is appropriate to view a text in a way that is disconnected from its temporal-spatial origin.

It sounds like I’m placing ancient texts in a vault and giving the key to a select few. Perhaps, this is the result and maybe that isn’t a terrible thing. In fact, in evangelical circles, this is the de facto standard anyways. Actually, this is the reason why I am blogging about this to begin with. Many people listen to those in authority who, with mostly good intentions, communicate the meaning of texts without communicating the method and built-in assumptions. I think the quote below from Frank Beckwith, a recent convert to Catholicism, summarizes the dilemma that most simply ignore.

In fact, it was just such reasoning that pushed me toward Catholicism. I thought to myself that if sola scriptura can result in everything from the philosophical theology of Calvinism to the Open View of God, from Nicean Trinitarianism to social trinitarianism to Oneness Pentecostalism’s rehabilitation of Sabellianism to 19th-century Unitarianism, then sola scriptura is not a sufficient bulwark for sustaining Christian orthodoxy.

Approaches to Security Programs

While chatting with a friend yesterday about approaches to integrating security into a system or software development life cycle I mentioned something that bears repeating. There must be an overall strategy to a company’s information security program. And strategy does not mean a list of projects to do for a given timeframe. Seriously though, I’ve seen a lot of companies approach the security game (yes, it is a game, didn’t you know?) with what I think is a reactive/product-based approach. I don’t really even think “approach” is the proper word here. Sure, there are some “no-brainer” products that most organizations need, but understanding what that need is and successfully implementing and managing these things are not at all the same. The product approach leads to great products that are poorly implemented, improperly managed and ultimately do not provide the value they are intended to deliver. This is because they can only deliver when surrounded by a coherent, realistic and repeatable process. But even this isn’t, in my opinion, the root cause. The root cause is the lack of an overall strategy, approach, plan or whatever you want to call it to the various facets of an information security program. Instead, isolated islands of projects pop up without any sense of the big picture.

Now, back to my discussion. My advice was to loosely model the CMM. I say loosely because we only need the general concepts (with some modification) to steer us in the right direction. The CMM is focused on levels of maturity. As you progress upward in the CMM things become more defined, repeatable, measurable and optimal. The first thing to do is to map out the various security products, processes, initiatives and what-not to the levels of the CMM. Of course I bastardized the CMM, because I made the point to say that things like security in the SDLC come after other more pressing issues get to level 2. It wouldn’t make sense to begin a full scale SDLC project when antivirus, patching and firewall management processes are not working at all. The idea of the CMM is to allow you to take the various categories/tasks of information security, see where your gaps are and plan more strategically to address them. The ad-hoc, on-demand approach can work, but you get stuck in that cycle.

I’m not saying that processes, strategies and plans are the keys to a successful program. What I am saying is that these are usually conducive to creating discussions that address the appropriate problems, allowing people to stop and think about what they are or are not doing and, ultimately to develop some achievable and realistic goals. Many times, unfortunately, organizations are stuck in the producto-reactive cycle.

Vulnerability and Threat Rating

I just noticed (yes, I’m a bit slow) that about six months ago the OWASP project put up a page on risk rating. I’ve reviewed it and find it quite usable for many organizations. Of course, it requires some customization, but it is much more applicable to corporate application environments than what is currently available.

In early 2006 while at my previous employer we spent many long hours attempting to create a somewhat more realistic approach to communicating risk. Many (read: most) of the methods available at the time were vendor-centric. They were not usable in corporate environments without a great deal of tweaking and by that time it didn’t look at all like the original method. The problem was that the metrics used by many of these methods artificially inflated the results. Everything turned out to be a high risk. Yes, some things were high risk, but not everything. The reality is that you have to have a sane risk rating system so that the truly high risks actually get fixed. If everything is high risk, then nothing is high risk and no real work will get done.

Anyways, we came up with something a bit similar to what OWASP has done. We took it a bit further and developed about nine, I think, characteristics of a vulnerability that could each receive a rating of 1, 2 or 3. We struggled with the subjectivity of Risk = Likelihood x Impact. To curb the subjectivity we had to identify what elements contributed to making a vulnerability more likely to be exploited. Before this method, it was simply an educated guess that produced a number usually between 1 and 10. While each of the characteristics are still determined by this educated guess, the collection of metrics provides a more balanced result. Breaking the vulnerability’s likelihood into discrete characteristics allows the guesser to treat the elements uniquely and realistically. During our QA sessions with the method we saw many high risk vulnerabilities move to medium risk. The simplistic, single number metric of the old method loads in too many assumptions to be useful.
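The decomposed rating described above, as an added example (not the author’s method or the OWASP page’s): the characteristic names, the 1/2/3 scales and the band thresholds are assumptions, and the sample ratings are constructed.

```python
from statistics import mean

# Hypothetical likelihood characteristics (the post counts about nine but
# does not name them); each is rated 1 (low), 2 (medium) or 3 (high).
LIKELIHOOD_CHARACTERISTICS = (
    "ease_of_discovery",         # how easily the flaw is found
    "ease_of_exploit",           # skill and tooling needed once found
    "exposure",                  # internal-only (1) .. internet-facing (3)
    "authentication_required",   # strong auth (1) .. anonymous (3)
    "public_exploit_available",  # none (1) .. widely published (3)
    "detection_coverage",        # well monitored (1) .. blind (3)
)

# Assumed bands for the 1..9 product Likelihood x Impact (lower bounds).
BANDS = ((6.0, "high"), (3.0, "medium"), (0.0, "low"))

def validate(scores):
    """Every characteristic must be present and rated 1, 2 or 3."""
    missing = set(LIKELIHOOD_CHARACTERISTICS) - set(scores)
    if missing:
        raise ValueError(f"unrated characteristics: {sorted(missing)}")
    bad = {k: v for k, v in scores.items() if v not in (1, 2, 3)}
    if bad:
        raise ValueError(f"ratings must be 1, 2 or 3: {bad}")

def likelihood(scores):
    """Decomposed likelihood: the mean of the per-characteristic ratings."""
    validate(scores)
    return mean(scores[name] for name in LIKELIHOOD_CHARACTERISTICS)

def band(score):
    """Map a Likelihood x Impact product onto a band label."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "low"

def rate(scores, impact):
    """Risk = Likelihood x Impact; returns (likelihood, score, band)."""
    if impact not in (1, 2, 3):
        raise ValueError("impact must be 1, 2 or 3")
    lk = likelihood(scores)
    score = lk * impact
    return lk, score, band(score)

# Constructed sample: a published exploit exists, but the system is internal,
# authenticated and well monitored; a single gut-feel number tends to say "high".
INTERNAL_FLAW = {
    "ease_of_discovery": 2,
    "ease_of_exploit": 2,
    "exposure": 1,
    "authentication_required": 1,
    "public_exploit_available": 3,
    "detection_coverage": 1,
}

if __name__ == "__main__":
    lk, score, label = rate(INTERNAL_FLAW, impact=3)
    print(f"likelihood={lk:.2f} score={score:.2f} band={label}")  # medium
```

The single high-rated characteristic is averaged against the five low ones, which is exactly the “high moves to medium” effect the QA sessions produced.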

During the development of our method we found that in a corporate environment there were enough differences between off-the-shelf applications and in-house applications that some of the characteristics did not make sense in both contexts. Having a sane risk rating process is nice too, because developers and architects can play the game as well. Since the characteristics are mostly intelligible it is easy to sit in a room with the project team and rate the identified vulnerabilities together. So, in short, if you don’t have the time like we were fortunate enough to have, use what the OWASP project has provided. If you do have time, trust me here, use the OWASP project’s work and build from there.

Mythology’s Search

G.K. Chesterton in The Everlasting Man writes about the ultimate and unspoken aim in mythology. He describes it rather appropriately as an almost indirect, semi-conscious search for that something that we all know is out there, but at times are not too sure where to look or what to look for. Mythology’s stories are a way to imagine what things might be like, knowing that there is some deep connection, not between the objects of mythology itself, but between the ideas and themes they conjure and reality itself.

Every true artist does feel, consciously or unconsciously, that he is touching transcendental truths; that his images are shadows of things seen through the veil. In other words, the natural mystic does know that there is there; something behind the clouds or within the trees; but he believes that the pursuit of beauty is the way to find it; that imagination is a sort of incantation that can call it up.

Chesterton observes, quite accurately I might add, a type of experience an artist has when engaged in his craft. This “seeing through the veil” is something that at times can be articulated and at others remains just below the consciousness. I’ve never read any such treatment of this, but maybe I haven’t read enough.

Very deep things in our nature, some dim sense of dependence of great things upon small, some dark suggestion that the things nearest to us stretch far beyond our power, some sacramental feeling of magic in material substances, and many more emotions past finding out, are in an idea like that of the external soul.

I’ll just let you think about this one. I think it is fantastic.

In a word, mythology is a search; it is something that combines a recurrent desire with a recurrent doubt, mixing a most hungry sincerity in the idea of seeking for a place with a most dark and deep levity about all the places found.

I love this duality in mythology’s quest. The doubt and desire collide as the myths attempt to grasp at what is behind the veil.

What Kind of Atheist Are You

I just couldn’t resist this one. I love the ever so gentle chastisement upon my completion.

You scored as Theist, Why did you take a quiz specifically for atheists? Are you illiterate as well as deluded? Go sing at a brick wall or give your money to a corrupt pedophile or something.

Theist: 67%
Agnostic: 58%
Militant Atheist: 42%
Spiritual Atheist: 33%
Scientific Atheist: 25%
Angry Atheist: 17%
Apathetic Atheist: 8%

Quiz: What kind of atheist are you? (created with QuizFarm.com)

Barth - Evangelical Theology

Since I have a few spare moments to read again I have decided to give Barth’s Evangelical Theology another attempt. Ironically, I was not prepared to engage with Barth until after battling it out with Brunner. For those of you that are not aware, these two had significant disagreements about one another’s theology.

Barth, in the beginning of this short book, attempts to sketch what theology is or, more importantly, what the object of theology is. Barth uses “God” to refer to that object which is “our highest desire”. I’ve heard this spun a bit differently in my previous evangelical experiences, but I think Barth makes the point clear.

There is no man who does not have his own gods or gods as the object of his highest desire and trust, or as the basis of his deepest loyalty and commitment.

This isn’t meant to be slanderous or a personal attack directed toward *theists. Barth is merely defining the term god and its possible referents (is that right?). Think of it as more of an abstraction or generalization that can be applied to everyone. Barth gives us examples of what such gods may look like.

Such an alternative object might be “nature”, creativity, or an unconscious and amorphous will to life. It might also be “reason”, progress or even a redeeming nothingness into which man would be destined to disappear. Even such apparently “godless” ideologies are theologies.

It is a good starting point for understanding what theology’s aim or object is. It is the study of, reflection upon those things that we elevate to the divine (whether legitimately or illegitimately is another story!) However, once you select your god object things change just a bit. Barth’s aim is to speak of the God of the Gospel. And the goal of this study is to:

…to apprehend, to understand and to speak of the God of the Gospel, in the midst of the variety of all other theologies and (without any value-judgment being implied) in distinction from them. This is the God who reveals himself in the Gospel, who himself speaks to men and acts among and upon them. Wherever he becomes the object of human science, both its source and its norm, there is evangelical theology.

– Karl Barth, Evangelical Theology (Eerdmans, 1963) 3-6.

The Wind in the Willows

Last night we started another bed-time book. Always the romantic, I try to find books that communicate the beauty of nature wrapped in an exciting and adventurous story. I hope to give the kids, at worst, an appreciation for nature and, at best, a longing to be a part of it. Yes, unfortunately living in the concrete jungle in Southern California we have to resort to books instead of the real thing. I chose The Wind in the Willows. The large hardback edition that I purchased has fantastic illustrations by Michael Hague. The illustrations are a great jumpstart for the imagination. Since they are not on every page the illustrations aren’t too big of a distraction and keep the kids in suspense and attentive. The good news is that this text is public domain so you can always go here and download a copy to print. It won’t have the pictures, but that’s okay. So here is a great excerpt from the text. The Mole has just stumbled upon a river for the first time in his life.

Never in his life had he seen a river before–this sleek, sinuous, full-bodied animal, chasing and chuckling, gripping things with a gurgle and leaving them with a laugh, to fling itself on fresh playmates that shook themselves free, and were caught and held again. All was a-shake and a-shiver–glints and gleams and sparkles, rustle and swirl, chatter and bubble. The Mole was bewitched, entranced, fascinated. By the side of the river he trotted as one trots, when very small, by the side of a man who holds one spell-bound by exciting stories; and when tired at last, he sat on the bank, while the river still chattered on to him, a babbling procession of the best stories in the world, sent from the heart of the earth to be told at last to the insatiable sea.

- Kenneth Grahame, The Wind in the Willows (1908)
