2/17/2005 3:55:30 PM
What Is A Countermeasure

In his book Secrets and Lies, Bruce Schneier talks about countermeasures in three categories: protection, detection, and reaction.

In a military office, classified documents are stored in a safe. The safe provides protection against attack, but so does the system of alarms and guards. Assume that the attacker is an outsider—someone who doesn’t work in the office. If he’s going to steal the documents inside the safe, he’s not only going to have to break into the safe, but he is also going to have to defeat the alarms and guards. The safe—both the lock and the walls—is a protective countermeasure; the guards are reactive countermeasures.

If guards patrol the offices every 15 minutes, the safe only has to withstand attack for a maximum of 15 minutes. If the safe is in an obscure office that is staffed only during the day, it has to withstand 16 hours of attack: from 5 P.M. until 9 A.M. the next day (much longer if the office is closed during holiday weekends). If the safe has an alarm on it, and the guards come running as soon as the safe is jostled, then the safe has to survive attack only for as long as it takes for the guards to respond.

Can you see the synergy of the three types of countermeasure employed in the scenario Bruce describes here? First we have the safe, which is purely a protection countermeasure. The alarms on it provide detection, and the guards provide reaction. Imagine that we didn't have the alarms or guards: the safe would have to be perfect. But as we strengthen the detection and reaction countermeasures, we can rely less on the protection countermeasure. The safe is needed only to buy time for detection and reaction to kick in. Underwriters Laboratories publishes a standard burglary classification for safes [1] that ranges from TL-15, "tool-resistant," to TXTL-60X6, "torch-, explosive-, and tool-resistant." But notice the numbers. A TL-15 safe isn't designed to withstand attack forever. It's designed to withstand 15 minutes of sustained attack by someone who knows exactly how the safe is constructed. The TXTL-60X6 rating provides 60 minutes of protection [2]. You're literally buying time.

Think about protection, detection, and reaction in a typical computer system. You might have to think hard to come up with any detection and reaction countermeasures because the focus is almost always on protection. The hardware of the machine provides isolation between processes. This is protection. Cryptography is the basis for even more protection: data integrity protection, authentication, protection from eavesdropping, and so on. Further protection is on the horizon with Microsoft's proposed Next Generation Secure Computing Base (NGSCB).

Intrusion detection systems (IDSs) like Snort (http://www.snort.org) and integrity management systems like Tripwire (http://www.tripwire.com) are examples of detection countermeasures in computer systems, and the latter has some automated reaction built into it, automatically restoring files that have been corrupted. But generally reaction is provided by a human. When the IDS sends an alert to an administrator, someone's got to be on duty to notice and react.

Reaction is an interesting idea, and sometimes we can build it into systems automatically. For example, a domain controller can lock out an account after several failed login attempts, automatically foiling password-guessing attacks (note that this also introduces the potential for a denial-of-service attack). One way to think about reaction is that it allows you to dynamically change the balance between security and usability. The Windows TCP stack is another good example of automatic reaction. It can detect when a SYN-flood attack [3] occurs and react by reducing timeout durations for half-open TCP connections. Thus the system becomes a little bit harder to use (the timeout for acknowledgment is shorter) but is more resistant to attack.
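The SYN-flood reaction just described, as an added toy model that is not code from the original text or from Windows: the size of the half-open connection table is the detection signal, and the timeout the table applies is the reaction. The thresholds, timeouts, addresses and the scenario in simulate() are all constructed values chosen for illustration.

```python
# Added example, not code from the original text: a toy model of the SYN-flood
# reaction described above. A large half-open table is the detection signal;
# shortening its timeout while the table is large is the reaction. All values assumed.
from dataclasses import dataclass, field

NORMAL_TIMEOUT = 20.0   # seconds to wait for the final ACK under normal load (assumed)
FLOOD_TIMEOUT = 3.0     # shortened wait used while a flood is suspected (assumed)
FLOOD_THRESHOLD = 50    # half-open entries at which a flood is declared (assumed)

@dataclass
class HalfOpenTable:
    entries: dict = field(default_factory=dict)  # (src ip, src port) -> SYN arrival time

    def under_attack(self) -> bool:
        # Detection: the only signal the stack has is the size of its half-open table.
        return len(self.entries) >= FLOOD_THRESHOLD

    def timeout(self) -> float:
        # Reaction: trade patience (usability) for resistance while the table is large.
        return FLOOD_TIMEOUT if self.under_attack() else NORMAL_TIMEOUT

    def expire(self, now: float) -> None:
        limit = self.timeout()
        for src in [s for s, t in self.entries.items() if now - t > limit]:
            del self.entries[src]

    def on_syn(self, src: tuple, now: float) -> None:
        self.expire(now)
        self.entries[src] = now

    def on_ack(self, src: tuple, now: float) -> bool:
        # Final ACK of the handshake: succeeds only if the half-open entry still exists.
        self.expire(now)
        return self.entries.pop(src, None) is not None

def simulate(flood: bool) -> dict:
    """Constructed scenario: optional burst of 60 spoofed SYNs at t=0, then a fast
    legitimate client (ACK after 0.5 s) and a slow one (ACK after 6 s)."""
    table = HalfOpenTable()
    if flood:
        for i in range(60):  # spoofed sources drawn from the documentation range
            table.on_syn((f"203.0.113.{i}", 40000 + i), now=0.0)
    attacked = table.under_attack()
    table.on_syn(("198.51.100.1", 50000), now=1.0)
    fast_ok = table.on_ack(("198.51.100.1", 50000), now=1.5)
    table.on_syn(("198.51.100.2", 50001), now=2.0)
    slow_ok = table.on_ack(("198.51.100.2", 50001), now=8.0)
    return {"attack_detected": attacked, "fast_client_ok": fast_ok,
            "slow_client_ok": slow_ok, "half_open_left": len(table.entries)}
```

Comparing simulate(True) with simulate(False) shows the trade-off in the text: under flood the slow client's handshake is dropped while the fast one still completes, and once the stale entries expire the table falls back to its normal timeout.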

I fear we may have been lulled into designing systems that are based on protection countermeasures alone, and that's not a good idea because we'll never achieve perfect protection while still keeping systems accessible. For example, because we have such great cryptography technology today, people are often lulled into a false sense of security. It often doesn't matter what cryptographic algorithm you happen to be using; as long as it's a reasonably trustworthy algorithm that's been looked at by the cryptographic community, it's probably going to be the strongest link in your security chain. The attacker isn't going to go after the strongest link. He'll look for a weaker point instead.

So, when you design secure systems, try to think of protection countermeasures as a jeweller thinks of a safe. They exist to buy you time. Design detection and reaction into your systems as well. For example, you could instrument your server processes with Windows Management Instrumentation (WMI; Tunstall and Cole 2003) and then use WMI to report security statistics directly to an administrator. You could further build WMI consumers that analyze those statistics and automatically react, or provide further alerts to the administrator. This is an area we all need to be working harder to perfect.

[1] http://ulstandardsinfonet.ul.com/scopes/0687.html

[2] The "X6" designation indicates that all six walls of the safe provide the same level of protection. This is a very expensive safe!

[3] A SYN-flood attack is denial of service by repetitively sending the first leg of the TCP handshake (a "SYN" packet) with a spoofed source IP address. The victim thinks someone is trying to open a connection and sends an acknowledgment, then waits for a final acknowledgment from the sender. By flooding the victim with SYN packets from random spoofed IP addresses, the attacker keeps the victim's kernel so busy it can't process legitimate connection requests.

PortedBy KeithBrown


Keith's first book-in-a-wiki. If you would like to read the book online or order a physical copy to throw at annoying coworkers, surf to the HomePage. Please note that due to overwhelming wikispam, this particular wiki is no longer editable.

