Today we had our UK Security Summit 2006. One of the themes that got much attention from the audience and in discussion was that of root causes versus symptoms. I am a huge fan of fixing a problem at its root rather than band-aiding it, but sometimes we in our industry tend to think in product terms rather than security terms. One of my favorite examples is the medicine of pathogens and disease. According to doctors, external pathogens seem to have four things in common in how they deal with the human organism.

1 - They are anonymous - that is, the flu doesn't authenticate itself to the body; it comes in over the "air" and, without any common trust context, infects the body.

2 - They break rules - most viral and bacterial pathogens break a simple rule of operation and behaviour of the body. For example, they attack our nervous system, invade our bloodstream, and do things that are generally against the "day to day" of the body. We have secondary systems that detect these breaches for us, and in most cases defeat them once the body's immune system works out a way to kill the pathogen.

3 - They came in unsolicited (arguably STDs and bloodstream infections could have been self-inflicted) - meaning they came into the body without the body asking for or consciously inviting the pathogen; though the body may have engaged in a conscious action that facilitated it, the immune system usually had little to do with it.

4 - As per the first post - the body generally runs with "admin privileges" - meaning most of us can (and sometimes do) apply for a Darwin award and kill ourselves by driving off a cliff, etc. However, the vast majority of the body's security systems don't reach our conscious level of thought; for example, the killer T cells don't tell you they just killed a bacterial infection at the tip of your finger, or warn you there are germs under your fingernails - if they did, it would be too much data to handle (our human organism, like MS, gets attacked a lot).

So what can we learn from this, as Security Architects?

1 - Authenticate content - if you are authenticated (which major bits of tissue in the body are) then you are far more likely to be well intentioned, and likely to be good (though this is getting increasingly tentative in our world). We experience this in organ transplants and rejection, when the body recognises (by a mechanism we don't fully understand) that an organ didn't originate in this body, and attacks the transplant. Though it doesn't favour us in this case, this unauthenticated-attack role of the immune system defeats a large percentage of attacks by viruses etc. that try to fool us into thinking they are part of us. I wish I knew how we did it in nature.

2 - Understand what the rules are, and don't put yourself in risk situations - if a buffer overflow in SMTP VRFY (verify) needs 200 bytes of traffic, and the VRFY command is analysed at the network layer and anything larger than 75 bytes is dropped (by the firewall or switch), then no 200-byte overflow (even the unpatched ones) can pass. This is one of the biggest benefits of IPS technologies and application firewalls, and the major reason they make their dumb L4 cousins look bad. The body can tell by smell, and even taste, if most food is off, and it sometimes even invokes a gag or vomit response. Network equipment and dynamic protection can help us too if we follow these examples. The body also fails safe under almost all immune cases; there are few "unterminated buffers", and if someone shouts at you and swears, it usually doesn't cause a buffer overflow in your auditory system that gives the attacker root on your body. Though some of us may disagree looking at former partners who told us what we wanted to hear ;)
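To make the VRFY point concrete, here is a small protocol-aware filter of the kind an application firewall or IPS would apply to the SMTP command channel. This is an added example, not code from the original post: the 75-byte VRFY argument limit is the post's own figure, the 512-byte command-line limit is RFC 5321's maximum for a command line including CRLF, and the sample session (including the 200-byte filler argument) is constructed.

```python
# Added example (not from the original post): a protocol-aware filter for
# SMTP command lines, in the spirit of the "drop any VRFY over 75 bytes" rule.
# VRFY_ARG_LIMIT is the post's figure; LINE_LIMIT is RFC 5321's 512-octet
# maximum for a command line including CRLF. The sample session is constructed.
from dataclasses import dataclass
from typing import List, Optional

VRFY_ARG_LIMIT = 75    # bytes of argument allowed after "VRFY "
LINE_LIMIT = 512       # bytes per command line, CRLF included


@dataclass
class Verdict:
    action: str                 # "pass" or "drop"
    reason: str
    verb: Optional[str] = None  # SMTP verb, once we got far enough to parse it


def inspect_smtp_line(raw: bytes) -> Verdict:
    """Decide whether one client-to-server SMTP command line may be forwarded.

    Structural checks run first (length, line terminator, ASCII), so a
    malformed line is dropped before any per-verb rule is consulted.
    """
    if len(raw) > LINE_LIMIT:
        return Verdict("drop", f"command line is {len(raw)} bytes, limit {LINE_LIMIT}")
    if not raw.endswith(b"\r\n"):
        return Verdict("drop", "command line not terminated by CRLF")
    try:
        text = raw[:-2].decode("ascii")
    except UnicodeDecodeError:
        return Verdict("drop", "non-ASCII bytes in command line")
    verb, _, arg = text.partition(" ")
    verb = verb.upper()
    if verb == "VRFY":
        if len(arg) > VRFY_ARG_LIMIT:
            return Verdict("drop", f"VRFY argument is {len(arg)} bytes, limit {VRFY_ARG_LIMIT}", verb)
        return Verdict("pass", "VRFY argument within limit", verb)
    # Verbs without a specific rule pass on the structural checks alone.
    return Verdict("pass", "no per-verb rule", verb)


def filter_session(lines: List[bytes]) -> List[Verdict]:
    """Run every line of a client session through the filter, in order."""
    return [inspect_smtp_line(line) for line in lines]


# Constructed sample session: three well-formed commands, one VRFY whose
# argument is 200 bytes of filler (the size the post uses for its hypothetical
# overflow), and one line that blows past the RFC command-line limit.
SAMPLE_SESSION = [
    b"EHLO client.example\r\n",
    b"VRFY alice\r\n",
    b"VRFY " + b"A" * 200 + b"\r\n",
    b"MAIL FROM:<alice@example.net>\r\n",
    b"NOOP " + b"B" * 600 + b"\r\n",
]


def dropped_reasons(lines: List[bytes] = SAMPLE_SESSION) -> List[str]:
    """Reasons for every dropped line, in session order (handy for alerting)."""
    return [v.reason for v in filter_session(lines) if v.action == "drop"]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_SESSION, filter_session(SAMPLE_SESSION)):
        print(f"{verdict.action:5} {line[:30]!r:36} {verdict.reason}")
```

The point of the structure is that the decision never depends on whether the mail server behind the filter is patched: the oversized VRFY is refused on length alone, exactly as the post argues, and the dropped reasons double as a detection feed for whoever watches the logs.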

3 - Stop unsolicited packets - basic and stupidly simple. Don't process what you didn't ask for first (in client-server environments); this is the simple beauty of the original Windows Firewall iterations: they kill worms, as worms send unsolicited packets. The outbound filtering part of it wasn't necessary for anti-worm defence. In the human world, if you see a gunfight in the street, the fight-or-flight response kicks in and hopefully, if you care about your skin's security perimeter, you will run away. You don't worry about getting a new evolutionary suit of armor or growing scales; you run away, rendering you immune to the "cross-fire" type of vulnerability in the body. One thing is certain: if you get shot, you don't usually phone your mother and blame her for leaving you with a vulnerability of soft skin that bullets pass through.....
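The "don't process what you didn't ask for" rule is just connection tracking, and it fits in a few dozen lines. The following is an added example, not code from the original post or from any firewall product: it records every outbound flow, allows inbound traffic only when it mirrors a recorded flow or targets a port the host deliberately exposes, and drops everything else. Addresses, ports and the packet trace are constructed sample data.

```python
# Added example (not from the original post): a minimal stateful filter that
# implements "don't process what you didn't ask for". Outbound traffic is
# recorded and always allowed (the post notes outbound filtering was not needed
# against worms); an inbound packet is accepted only if it is a reply to a
# recorded outbound flow or aimed at an explicitly exposed port. All addresses
# and the packet trace are constructed sample data.
from dataclasses import dataclass
from typing import List, Set, Tuple

FlowKey = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    def __init__(self, local_ip: str, exposed_ports: Tuple[int, ...] = ()):
        self.local_ip = local_ip
        self.exposed_ports: Set[int] = set(exposed_ports)
        self.flows: Set[FlowKey] = set()   # outbound flows this host initiated

    def process(self, pkt: Packet) -> str:
        if pkt.src == self.local_ip:
            # We asked for this conversation: remember it so the reply can come back.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow outbound"
        # Inbound: is it the exact mirror image of a flow we started?
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "allow reply"
        if pkt.dport in self.exposed_ports:
            return "allow exposed port"
        return "drop unsolicited"


def run_trace(fw: StatefulFilter, trace: List[Packet]) -> List[str]:
    """Feed a packet trace through the filter and collect one verdict per packet."""
    return [fw.process(p) for p in trace]


LOCAL = "192.0.2.10"   # constructed: the protected host
SAMPLE_TRACE = [
    Packet("tcp", LOCAL, 40000, "198.51.100.20", 80),   # we open a web connection
    Packet("tcp", "198.51.100.20", 80, LOCAL, 40000),   # the server's reply
    Packet("tcp", "192.0.2.77", 50123, LOCAL, 445),     # neighbour knocks on 445: we never asked
    Packet("udp", LOCAL, 53001, "198.51.100.53", 53),   # DNS query
    Packet("udp", "198.51.100.53", 53, LOCAL, 53001),   # DNS answer
    Packet("udp", "198.51.100.53", 53, LOCAL, 53002),   # wrong source port: not our query
]


def sample_verdicts(exposed: Tuple[int, ...] = ()) -> List[str]:
    """Verdicts for the constructed trace, optionally with some ports exposed."""
    return run_trace(StatefulFilter(LOCAL, exposed), SAMPLE_TRACE)


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, sample_verdicts()):
        print(f"{verdict:20} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

Note that the reply check matches the full five-tuple, so the last UDP packet is dropped even though it comes from the DNS server we just spoke to: it is not the answer to anything we sent. A real implementation adds flow timeouts and TCP state, but the worm-stopping property the post credits to the early Windows Firewall is already present here.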