Rant: Terminology, Semantics, Pedantic Rant

“Unusual and new-coined words are, doubtless, an evil; but vagueness, confusion, and imperfect conveyance of our thoughts, are a far greater,” wrote English poet Samuel Taylor Coleridge in Biographia Literaria, 1817.

Introduction to Formal Semantics: “Generally, the term “Formal semantics” may refer to 3 uses, it could be used in computer sciences, in logic, or in linguistics. This course talks about its linguistic sense, that is, it’s a branch of Semantics which aims to explain and reason the meanings of language with precise mathematical models. It is really useful for quantitative linguistic research, and natural language understanding/processing.”

For a field that must pay attention to semantics when working with computers (such as “SNMP … that’s port 161, right?”), Information Technology (IT) uses technical terms carelessly. Granted, in ordinary language, terms change their meaning. Sir Thomas More’s Utopia was not a vision of an ideal community; now “ideal community” is what “utopia” means. An “Epicure” once sought tranquility, and tranquility would require modest pleasure; now an Epicure is a gourmet, seeking pleasure. These changes occurred over centuries. When technical terms change meaning within a decade, technical terms approach uselessness.

Language is not how the world was wired. Language is used to describe and denote, to convey and coalesce. Terms should not be used to define a problem (to delineate), but terms should be used to give a problem definition (to describe).

Advanced Persistent Threat (APT): See Michael S. Mimoso’s Beware the APT Hype Machine in Information Security Magazine’s Essential Guide to Threat Management [pdf]. APT describes the motives of the attacker, not a different kind of attack. Marketing, however, likes terms they can use for product differentiation. Expect products to be marketed with APT capabilities or as APT defenses, even though this characteristic is either trivially true or patently false.

“Advanced” describes the background, preparation and planning that the attacker employs. The techniques are not new.

I received an email whose subject was “Study finds lack of defenses against advanced persistent threats”. On the face of it, that would be a silly study, akin to “study finds damp things are moist.” There is no defense against the motivated, persistent attacker. That’s why you have detective mechanisms and procedures (or “controls”) to determine if an attack is underway or has occurred. You have preventative mechanisms and you understand that they are not perfectly reliable, so you implement detective mechanisms or procedures.

The email body referred to the article More firms targeted by advanced persistent threats, study finds by Robert Westervelt. He summarizes a Ponemon Institute study (funded by network security monitoring vendor NetWitness Corp).

Those survey (sic) also found a rising level of fear that organizations are not prepared to prevent APTs. About half of those surveyed said security-enabling technologies are not adequate and 64% report their security personnel were not up to dealing with the threat. The survey supports previous warnings from security experts who say perimeter defenses are inadequate against APTs.

It is easy to slip into thinking of APTs as a type of threat instead of recognizing them as a weakness in defenses. Of course perimeter defenses are inadequate; if they were adequate there would be no attack vector for the motivated person or organization to exploit, and hence no APT.

When you hear that an organization was a victim of an advanced persistent threat attack, you should recognize that no single vulnerability was exploited. Instead, multiple vulnerabilities were exploited. No single preventative measure failed; multiple preventative measures failed.

Identity and Access Management (IAM): Idan Shoham (CTO at Hitachi ID Systems) has his own ax to grind about IAM – would it be more correctly referred to as “Entitlement Administration and Governance (EAG)”?

Layer 4 Switch: What are they getting at?

IPVS (IP Virtual Server) implements transport-layer load balancing inside the Linux kernel, so called Layer-4 switching.

PCMag layer 4 switch: A network device that integrates routing and switching by forwarding traffic at layer 2 speed using layer 4 and layer 3 information.

thenetworkencyclopedia: Vendors tout Layer 4 switches as being able to use TCP information for prioritizing traffic by application. For example, to prioritize Hypertext Transfer Protocol (HTTP) traffic, a Layer 4 switch would give priority to packets whose layer 4 (TCP) information includes TCP port number 80, the standard port number for HTTP communication.

horms.net: Layer 4 switching is a term that has almost as many meanings as it has people using the term. In the context of this paper it refers to the ability to multiplex connections received from end-users to back-end servers.

iOS, IOS: It is unfortunate that Apple iOS and Cisco IOS are both operating systems. It is not the first time such a name collision has occurred; RCA (later acquired by Sperry) had a product named DOS before Microsoft, and “dos” is the generic term for a disk operating system.

EDT, EST, PDT, PST and so forth: I received a “Polite reminder” about an Upcoming Webcast: One week away – November 18th, 2009 at 2:00 PM EDT (1800 GMT). EDT in November? That letter in the middle of EDT means something. The East coast of the United States will be observing Standard time on November 18. I realize that you mean “EST,” not EDT. However, if I drop that text on my calendar and allow it to convert to Pacific time, it will take the literal Eastern Daylight Time and convert it to Pacific Standard time. My calendar entry will be an hour off.

That letter in the middle of EDT means something. Semantics is important. Just say “Eastern” or “ET” and avoid such problems.
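The calendar mismatch described above, worked through as an added example (not part of the original post). It assumes the post-2007 US daylight saving rule (second Sunday in March to first Sunday in November, switching at 2:00 local time), and the function names are illustrative.

```python
from datetime import datetime, timedelta

# Labels that name a fixed UTC offset, whatever the date.
FIXED_OFFSETS = {"EST": -5, "EDT": -4, "PST": -8, "PDT": -7}


def nth_sunday(year, month, n):
    """Midnight on the n-th Sunday of the given month."""
    first = datetime(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(weeks=n - 1)


def us_offset_hours(utc_dt, std_offset):
    """UTC offset in force at a UTC instant for a US zone (assumed post-2007 rule)."""
    year = utc_dt.year
    # DST starts at 02:00 standard time and ends at 02:00 daylight time.
    start_utc = nth_sunday(year, 3, 2).replace(hour=2) - timedelta(hours=std_offset)
    end_utc = nth_sunday(year, 11, 1).replace(hour=2) - timedelta(hours=std_offset + 1)
    return std_offset + 1 if start_utc <= utc_dt < end_utc else std_offset


def to_utc(wall, label):
    """Convert a wall-clock time plus a zone label to UTC.

    'EST'/'EDT' are taken literally; 'ET' follows whatever Eastern observes that day.
    """
    if label in FIXED_OFFSETS:
        return wall - timedelta(hours=FIXED_OFFSETS[label])
    if label == "ET":
        for offset in (-5, -4):  # an ambiguous fall-back hour resolves to standard time
            utc = wall - timedelta(hours=offset)
            if us_offset_hours(utc, -5) == offset:
                return utc
        raise ValueError("wall time does not exist in Eastern time")
    raise ValueError(f"unknown zone label: {label}")


def to_pacific(utc_dt):
    """Return (Pacific wall-clock time, label in force) for a UTC instant."""
    offset = us_offset_hours(utc_dt, -8)
    return utc_dt + timedelta(hours=offset), "PDT" if offset == -7 else "PST"


def calendar_skew_minutes(wall, literal_label):
    """Minutes between what the sender meant ('ET') and what the label literally says."""
    meant = to_utc(wall, "ET")
    literal = to_utc(wall, literal_label)
    return int((meant - literal).total_seconds() // 60)


if __name__ == "__main__":
    webcast = datetime(2009, 11, 18, 14, 0)  # "2:00 PM EDT" from the reminder
    print("literal EDT :", to_pacific(to_utc(webcast, "EDT")))
    print("meant ET    :", to_pacific(to_utc(webcast, "ET")))
    print("skew (min)  :", calendar_skew_minutes(webcast, "EDT"))
```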

Hacker: From “self-taught programmer” to “person who figures things out” to “system invader” to “information thief” to “attacker,” you cannot use the term “hacker” without explaining what you mean. When you have to explain the term, the term has lost its informative value, its denotation. It can still be useful for invective, hyperbole or other emphasis; that is, the term still has connotation. If you must clarify the word whenever you use the word, avoid the word.

RFC 2828 (Glossary) defines “hacker” as:

(I, RECOMMENDED Internet definition) Someone with a strong interest in computers, who enjoys learning about them and experimenting with them. (See: cracker.)

(C, commentary or additional usage guidance) The recommended definition is the original meaning of the term (circa 1960), which then had a neutral or positive connotation of “someone who figures things out and makes something cool happen”. Today, the term is frequently misused, especially by journalists, to have the pejorative meaning of cracker.

For further clarification and characterization, you may wish to consult The New Hacker’s Dictionary.

Penetration test: A penetration test begins with a contract. This avoids the misunderstanding and liability which will arise due to the disagreement about what a penetration test entails; what the delivered product (or “deliverable”) should be, what the process and result can look like.

PCI DSS distinguishes between vulnerability assessment and penetration testing [pdf].

A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing should include network and application layer testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network.

What purpose does that word (“simply”) serve? Dismissing the role of vulnerability assessment does a disservice to risk analysis and mitigation. Vulnerability assessment combined with vulnerability mitigation is more rigorous, easier to document and frequently less expensive than what is being referred to as penetration testing.

Securosis, L.L.C. [pdf] distinguishes among

  • general vulnerability assessment (characterized by port scans, service identification including version, configuration details),
  • web application vulnerability assessment (characterized by web application attack methods, such as cross-site scripting and cross-site request forgeries), and
  • penetration testing (characterized by verifying that a detected vulnerability presents an actual risk).

Let’s distinguish between vulnerability scans and vulnerability assessments. A vulnerability scan can be conducted by scanning for library components (some sort of signature), and associating the components with reported security vulnerabilities. Following the scan, you perform an assessment of the situations. What risks exist? What mitigation measures are available? Where indicated, implement mitigation measures. This is a vulnerability assessment and mitigation plan. The vulnerability scan consists of definable tasks which can be implemented as a product. A vulnerability assessment requires interpretation. A more robust vulnerability assessment will look beyond vulnerability scans and recognize that there are other sources of risk.

To perform a penetration test, one must identify a vulnerability and then attempt to exploit it in a financially compromising manner.

The distinction between “vulnerability assessment” and “penetration test” is largely a marketing distinction. More rigorous assessments with less definable tasks should supplement these standardized and mechanical reviews. What name should be given to these more rigorous vulnerability assessments? Since less rigorous vulnerability scans are already marketed as vulnerability assessment tools, the term “penetration test” has been adopted for the broad category of “more rigorous vulnerability assessment.”

This returns us to the contract. What is fair game in the penetration test? The PCI Security Standards Council seems to indicate “everything.” This vagueness in contractual terms invites a challenge. No executive should be willing to accept that interpretation. When having a penetration test conducted, or when conducting a penetration test, get the constraints in writing.

Consider the case of a cloud service provider, particularly where many companies share the cloud service. Should each company conduct penetration tests against the cloud service? Does that penetration test include compromising the physical security of the shared site? What would client companies accept as reasonable actions from other client companies? In other words, what would such a penetration test look like? What is a penetration test?

Worm, Virus, Trojan horse: The distinction between worm and virus has disappeared, even amongst experts. “Worm” used to be reserved to describe self-proliferating viruses; malware that required no human intervention to propagate. SANS and RFC 2828 define Worm as:

A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.

A running instance of Blaster, for example, would seek other Windows machines running the DCOM RPC, and (if not patched) install a copy and start it.

Lately, “worm” has been expanded to include malware that propagates with minimal human intervention. Conficker, for example, leaves a copy of itself on unprotected network shares and on USB drives (“thumb drives”). Trivial human intervention (such as a double-click or selecting an Autorun option) is required to infect a machine with Conficker, and Microsoft considers this a “worm”.

Meanwhile, “virus” has been expanded to refer to malware which needs little or no human intervention to propagate. In general parlance, the distinctions among worm, virus and Trojan Horse have disappeared.

The SANS and RFC 2828 definition of virus:

A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting — i.e., inserting a copy of itself into and becoming part of — another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.

Note that the self-sufficient and self-replicating characteristics of the malware distinguish a worm from a virus. A worm is a stand-alone program while a virus requires another program.

Very few new (that is, previously undetected) malware samples use this parasitic approach to propagation. Malware developers don’t do that any more. A surprising consequence is that there are almost no new viruses being created. This should be news!

A Trojan Horse is malicious software that tempts the user to install it by offering an attractive feature (such as a screen saver or emoticons), but includes unattractive, usually undisclosed, features (enable remote access, send SPAM) as well.

RFC 2828 defines “Trojan horse” as:

(I) A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

The distinctions among virus, worm, Trojan horse, spyware and adware are blurred because anti-virus software is expected to defend against them all. The reasoning: if anti-virus software reports it, it must be a virus.

As nomenclature, this system is appalling. It is better to refer to malware, propagation methods (“requires no manual intervention,” “requires trivial human intervention that is likely to occur,” or “requires significant human intervention”) and payloads (“installs remote access method”, “sends file to attacker”). Be clear about the threat; stop implying living creatures infesting a host.

This isn’t an impractical, pedantic rant. We should recognize that “anti-virus software” addresses much more than viruses. It addresses worms, some trojan horses, some spyware, some adware, and some other risks. Anti-virus software addresses a vague set of malware that cannot precisely overlap with customer expectations. Sure, detect viruses, but that’s a limited expectation. Worms, too. But Trojan horses and spyware? In some cases, customers install the Trojan horse software for the promised features and don’t care about the undisclosed information leakage issues. That’s a technical, educational, marketing and security issue we haven’t addressed.

Firewall: Sounds hot. Marketing, product differentiation hot.

Marketing has an important role to play when informing you about how products can fill your needs. Marketing does not do you a service by inventing a new product category then leaving you to determine if there is a need for the product.

Ports: Initially (citation required) “firewall” referred to the device (hardware) or software that dropped or ignored packets which specified particular ports. That is, hardware or software which blocked inbound or outbound port access.

Addresses: Packets from (or to) specific addresses might be dropped. This “blacklisting” is sometimes considered a “firewall.” At other times, it is considered an Intrusion Prevention System (IPS).

Figure 1: IP Packet Header Structure

So far we’re dropping packets with certain ports or with certain addresses specified. There are other fields of an IP packet we can interpret and then choose to ignore the packet. That is, you can have “malformed” (unexpected) traffic packets with anomalous (therefore suspicious) flags or lengths. A product which drops packets based upon these characteristics is sometimes described as an Intrusion Prevention System (IPS) and sometimes included in a product sold as a firewall.

We can also monitor the relationship amongst packets; that is, we can add “state” to a packet and ignore packets with an anomalous (therefore suspicious) “state”.

This is just the packet header. If we examine the packet data and interpret it for malicious content, we may be performing the work of products sold as “application firewalls.” For example, a Web Application Firewall (WAF) will watch for content which resembles a SQL injection attack (unexpected SQL commands in what should be data), a cross-site scripting attack (unexpected JavaScript in what should be data), or other web application attack pattern and the WAF ignores (drops) that traffic.

A review of OSI layers could be inserted here. Physical, Data-Link, Network, Transport, Session, Presentation, Application … a device which drops frames and packets at any layer seems to be referred to as a “firewall.”

So what is a firewall? “Firewall” will indicate that network traffic is intentionally ignored for some reason. Beyond that, pay attention to the context. Get the technical details, not the marketing phrase. Get the description, not the connotation.

Rootkit: When a hacker successfully compromises a system (obtained root authority), they install their utilities (their “kit”). This “rootkit” enables them to maintain control of the compromised system and expand their activities to other systems. The rootkit would need to be hidden from system administration tools, such as the process list. There were various techniques (“rootkit technologies”) for hiding the rootkit.

Now “rootkit” has come to refer to any “hidden” (that is, could be missed) program or process. What the kit consists of or can perform is no longer the characteristic of a rootkit; it is the “hidden” (darn, didn’t see it) nature that makes it a “rootkit”.

Zero-day (attack, threat, or vulnerability): “Zero-day” used to refer to the vendor’s response time. When a vendor learns of a vulnerability in their product, they must estimate how long it might take before the vulnerability is successfully exploited. Often a vulnerability cannot be exploited in a practical way, and the vulnerability can be patched as part of a scheduled release cycle. Often, the vendor has a number of days between notification of the vulnerability and its exploitation, and that number exceeds zero.

When the vendor learns of a vulnerability in their product because someone is currently exploiting that vulnerability, then they have zero days to provide a patch before the vulnerability is exploited. The July 6, 2009 vulnerability in Microsoft’s DirectShow DLL (msvidctl.dll) ActiveX control (SANS handler diary entry) appears to be just such a 0-day vulnerability. The vendor was privately informed of the vulnerability that was being exploited in drive-by attacks.

Now the term is used to refer to any vulnerability that is known by only a few people. The few people may be in contact with the vendor and working on mitigation, or may be figuring out how to exploit the vulnerability. Shon Harris says that “zero-day means that there is no fix”. E-Eye maintains a Zer0-Day Tracker of “publicly disclosed and/or used in attacks, and do not have any published vendor-supplied patch.” Proof of concept is not exploitation. Is public disclosure with a proof of concept a “zero-day”? Should 0day vulnerability be synonymous with “identified flaw, with no patch available”? Given these definitions, every vulnerability goes through a zero-day phase. Every vulnerability has a time when it is unknown, a time when it is known to very few people, a time when the vendor has no patch. In that case, “zero-day” is not a particularly useful term; all vulnerabilities have a “zero-day” characteristic. “Utility” should not be confused with “correctness,” but terms can be misleading.

Instead of “time to respond to exploit” being the defining characteristic of “zero-day vulnerability,” “how long has it been known” has become the defining characteristic. Can we return to its previous definition, when the term could be used to make distinctions and terms not used as hyperbole? Please?

Intrusion: As in Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). Joel Snyder wrote an article titled “IDS or IPS? Differences and benefits of intrusion detection and prevention systems.” SearchSecurity.com distributes it. I’ll let him make the point.

… since both IDS and IPS have the word “intrusion” as the beginning of their acronym, you may be wondering why I haven’t mentioned “intrusion” as part of the function of either IDS or IPS. Partly that’s because the word “intrusion” is so vague that it’s difficult to know what an intrusion is. Certainly, someone actively trying to break into a network is an intruder. But is a virus-infected PC an “intrusion?” Is someone performing network reconnaissance an intruder… or merely someone doing research? And if a malicious actor is in the network legitimately — for example, a rogue employee — are their legitimate and illegitimate actions intrusions or something else?

The more important reason for leaving “intrusion” out of the description for both IDS and IPS is that they aren’t very good at catching true intruders. An IPS will block known attacks very well, but most of those attacks are either network reconnaissance or automated scans, looking for other systems to infect — hardly “intrusions” in the classic sense of the word. The best Intrusion Prevention System in this case is the firewall, which doesn’t let inappropriate traffic into the network in the first place.

It’s the misuse of the word “intrusion” in referring to these visibility and control technologies which has caused such confusion and misguided expectations in staff at enterprises that have deployed either IDS or IPS.

IDS: Passively monitors traffic for anomalous behavior. Clipping levels would trigger alerts.

IPS: Monitors traffic in-line, as a firewall would. Drops traffic that matches previously identified patterns, permits everything else.

Firewall: Monitors traffic in-line, permits selected types of traffic, drops everything else.
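The three definitions above, applied to the same traffic, as an added example (not part of the original post). The packet model, signature strings, permitted ports and the clipping level (distinct destination ports per source) are assumptions chosen for illustration, and the sample traffic is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: str


# Constructed sample traffic (documentation addresses, placeholder payloads).
TRAFFIC = [
    Packet("198.51.100.7", 443, "GET /index.html"),
    Packet("198.51.100.7", 443, "GET /search?q=SIG-EXAMPLE-A"),
    Packet("203.0.113.9", 23, "hello"),
    Packet("203.0.113.9", 25, "hello"),
    Packet("203.0.113.9", 8080, "hello"),
    Packet("203.0.113.9", 3389, "hello"),
]

SIGNATURES = ("SIG-EXAMPLE-A", "SIG-EXAMPLE-B")  # hypothetical known-bad patterns
ALLOWED_PORTS = {80, 443}                        # hypothetical permit list
CLIPPING_LEVEL = 3                               # distinct ports per source before alerting


def ids(traffic, clipping_level=CLIPPING_LEVEL):
    """Passive monitor: forwards everything, alerts when a source crosses the clipping level."""
    ports_by_src = defaultdict(set)
    alerts = []
    for p in traffic:
        before = len(ports_by_src[p.src])
        ports_by_src[p.src].add(p.dst_port)
        after = len(ports_by_src[p.src])
        if before <= clipping_level < after:  # fires once, on the crossing packet
            alerts.append(p.src)
    return ["permit"] * len(traffic), alerts


def ips(traffic, signatures=SIGNATURES):
    """In-line, default permit: drops only what matches a previously identified pattern."""
    verdicts = [
        "drop" if any(sig in p.payload for sig in signatures) else "permit"
        for p in traffic
    ]
    return verdicts, []


def firewall(traffic, allowed_ports=ALLOWED_PORTS):
    """In-line, default deny: permits only the selected traffic types."""
    verdicts = ["permit" if p.dst_port in allowed_ports else "drop" for p in traffic]
    return verdicts, []


def compare(traffic):
    """Run the same traffic through all three and return each device's verdicts and alerts."""
    return {"IDS": ids(traffic), "IPS": ips(traffic), "Firewall": firewall(traffic)}


def disagreements(traffic):
    """Indexes of packets where the IPS and the firewall reach different verdicts."""
    ips_verdicts, _ = ips(traffic)
    fw_verdicts, _ = firewall(traffic)
    return [i for i, (a, b) in enumerate(zip(ips_verdicts, fw_verdicts)) if a != b]


if __name__ == "__main__":
    for name, (verdicts, alerts) in compare(TRAFFIC).items():
        print(f"{name:8} {verdicts} alerts={alerts}")
    print("IPS and firewall disagree on packets:", disagreements(TRAFFIC))
```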

Thin client: For CISSP test purposes, “thin client” is a single sign-on (SSO) solution. Sign in to the thin client and these credentials will be used for all (or nearly all) applications you need.

A Windows XPe (XP embedded) thin client is a reduced feature set of Windows XP. This is not a SSO solution, although you may also implement Active Directory and use it as a SSO. An XPe platform is an XP platform, but with fewer operating system components (a “thinner” operating system).

A Windows CE thin client is a “thin” (few features, low maintenance, low overhead) operating system client. It, too, is not a SSO solution. However, you may choose to implement a Service Oriented Architecture (SOA) such as Citrix as an application delivery platform (where the application runs in a session on the server). With an SOA, you still need a device with a limited operating system, often a Windows-based operating system, to act as a “terminal” connecting to the server. You have implemented SSO, but credit goes to the SOA. The “thin” client could just as well have been a “fat” client for SOA/Citrix/SSO purposes.

Alternately, you may be focusing on the hardware that was implemented. In that case, the “thin client” has a reduced feature set, including no moving parts, no disk drive.

Forensics: Some will call the Root Cause Analysis described in this blog “forensics.” I urge you to avoid that term. If you have declared an incident, you should be following your Incident Response procedure. If you haven’t declared an incident, you are working on Root Cause Analysis (which works more efficiently with a documented procedure). You should recognize that doing a forensic investigation requires proper procedures (characterized by assigning a case number, preserving the evidence, chain of custody and such). Incident Response has its own PICERL procedure. Forensic Investigation, Incident Response and Root Cause Analysis have many tools in common, but their procedures are not identical.

Using the term “forensics” lightly jeopardizes your ability to defend your proper procedures. Suppose you were called upon to give testimony about one of your forensic cases. Under cross-examination, you are asked about email where you referred to a web history review as “forensics.”

“Do you have a forensic procedure?” you are asked.

“Yes,” you reply.

“Do you always follow your forensic procedure?”


“I draw your attention to this email, in which you refer to a forensic investigation of web browser history. I see no mention of a case number. Was a case number assigned?”


“I ask again, do you always follow forensic procedure?”

At this point, your testimony is of little value.

Semantics is important. Use “forensics” to refer to the investigations you may need to defend in court.

Where does this leave “network forensics,” the practice of network traffic analysis to determine its purpose? I am still looking for case law that supported the admissibility of packet captures. I would not wish to rely upon network traces as evidence. Network forensics is an exotic, fancy phrase for network analysis. It sells, but has questionable accuracy.

Social engineering: You mean confidence game? Grifter? Bunco artist? Swindler? Diddling (the term Edgar Allan Poe would have recognized)? Does every generation need its own term that sanitizes fraud? Even “fun” is from the Middle English fon “to befool,” hoax, or trick; surviving as “funny money” (as in “counterfeit”).

Valid: At the risk of weakening any confidence you may have in the preceding rants … Valid refers to an argument form; to reasoning. It does not refer to responses or data. People refer to “valid data” when they talk about “expected data” or data which conforms with a standard.

When completing a form for Delta Airlines, I used the (xxx) xxx-xxxx format when supplying a telephone number. The form returned the response

The following errors occured:
– Please enter a valid phone number

Pardon me? The phone number is my phone number. I believe the point the web developer was trying to make was that the phone number is not in a format you choose to interpret. The onus is upon me to guess what format(s) you are prepared to interpret. I must discover your expectations. “Enter a valid phone number” is poor customer service, and just lazy.

When “Washington” is typed into a social security number field, the response should not be “invalid entry.” It is an unanticipated response, an unacceptable response and an uninterpretable response. During design, referring to “valid data” brushes over the stumbling block of many programmers: the specifications. “Valid input” tells you nothing.

However, I am a fan of validated parking. I don’t know what validation occurs when a ticket is stamped. Verification (of visit) or authorization (to park) I could understand. Validation, though, I understand only because it is the traditional phrase.

Just: The dismissive use of “just” is to be avoided. “It’s just semantics,” for example, asserts that we can dismiss semantics. No justification is provided. “It’s just politics” has no explanatory value.

Application Abuse: Mykonos Software published a white paper titled “Understanding and Responding to the Five Phases of Web Application Abuse”. The five phases:

  1. Silent Introspection (reconnaissance)
  2. Attack Vector Establishment
  3. Implementation
  4. Automation
  5. Maintenance

They do a standard summary of web site attacks. My beef is with referring to this activity as “web site abuse”. The attackers are using the web site in ways the web site owner had not intended and does not desire, but has enabled. Place the focus upon removing these undesirable web features.

Anyone else see a pattern of blaming others for our own mistakes?

The moral: Semantics is about meaning and being clear; pedantic is about insistence, dogmatic insistence about conformity with a norm. Operational definitions, definitions that take ordinary language terms and use them for specific purposes (“for the purposes of our discussion, I will use such-and-such to mean”) are a confusing and dangerous practice. The speaker rarely adheres to their operational definition, switching between the common usage and specialized purpose. Recognize that these terms have become vague through misuse and focus upon the characteristic that is being identified. Be tolerant. Be clear about expectations. Selah.

Corollary: How the heck does a hiring manager, much less an HR recruiter, determine if a job candidate is qualified? Since terms have one usage in one context (a certification exam) and another usage in another context (periodicals) and yet another usage in another context (vendor claims), how do you strike up an intelligent conversation with a stranger, quickly?

“’Tis writ somewhat crabbedly, and most damnably long.”

E. R. Eddison, The Worm Ouroboros
