Back to Basics: Beyond Network Hygiene

Back to Basics: Beyond Network Hygiene by Felix ‘FX’ Lindner and Sandro Gaycken.


In the past, Computer Network Defense (CND) intended to be minimally intrusive to the other requirements of IT development, business, and operations. This paper outlines how different security paradigms have failed to become effective defense approaches, and what the root cause of the current situation is. Based on these observations, a different point of view is proposed: acknowledging the inherent composite nature of computer systems and software. Considering the problem space from the composite point of view, the paper offers ways to leverage composition for security, and concludes with a list of recommendations.

Before someone starts bouncing around on one leg crying “GRAPH! GRAPH!”, yes, what is described can be modeled as a graph. Any sufficiently fundamental structure can model anything you are likely to encounter. That does not mean any particular structure is appropriate for a given problem.

From the introduction:

Defending computer networks can appear to be an always losing position in the 21st century. It is increasingly obvious that the state of the art in Computer Network Defense (CND) is over a decade behind its counterpart Computer Network Offense (CNO). Even intelligence and military organizations, considered to be best positioned to defend their own infrastructures, struggle to keep the constant onslaught of attackers with varying motives, skills, and resources at bay. Many NATO member states leave the impression that they have all but given up when it comes to recommending effective defense strategies to the entities operating their critical national infrastructure and to the business sector.

At the core of the problem lies a simple but hard historic truth: currently, nobody can purchase secure computer hardware or software. Since the early days of commercial computer use, computer products, including the less obvious elements of the network infrastructure that enable modern use of interconnected machines, have come with absolutely no warranty. They do not even promise any enforceable fitness for a particular purpose. Computer users have become used to the status quo and many do not even question this crucial situation anymore.

The complete lack of product liability was and is one of the driving factors of the IT industry as it fosters a continuous update and upgrade cycle, driving revenue. Therefore, no national economy that has any computer or software industry to speak of can afford to change the product liability status quo. Such a change would most likely exterminate a nation’s entire IT sector immediately, either by exodus or indemnity claims. The same economic factor caused the IT industry to focus research and development efforts on functionality aspects of their products, adding more and more features, in order to support the sales of the next version of products. Simply put, there is no incentive to build secure and robust software, so nobody does it.

The most convincing aspect of this paper is the lack of a quick-fix solution from the authors for network security issues.

In fact, the authors suggest that not using security software is statistically safer than using it.

If you have any interest in computer or network security, read this paper and translate it into blog posts, security stories for news outlets, etc.

That you and the authors “know” some likely solutions to computer security concerns isn’t going to help. Not by itself.

I first saw this in a tweet by Steve Christey Coley.

3 Responses to “Back to Basics: Beyond Network Hygiene”

  1. […] leaky bucket style of security detailed in Back to Basics: Beyond Network Hygiene is echoed from this paper from […]

  2. […] that I should encounter this less than a week after Back to Basics: Beyond Network Hygiene by Felix ‘FX’ Lindner and Sandro […]

  3. […] you need more evidence for the argument that software (not just the WWW) is systematically broken (Back to Basics: Beyond Network Hygiene by Felix ‘FX’ Lindner and Sandro Gaycken), review the agenda for this Black Hat conference or for proceeding […]