Archive for the ‘Concept’ Category

HD Moore - Creator and Chief Architect of Metasploit and CSO of Rapid7

You Must Be THIS TALL To Ride

Most people understand “Moore’s Law”:

Compute power grows at the rate of doubling about every 2 years

At Metricon6, I asserted “HDMoore’s Law” version 1:

Casual Attacker power grows at the rate of Metasploit*

*HD Moore (@hdmoore) gave the industry the Metasploit Project in 2003 – a wildly successful and leveraged open-source penetration testing platform.

Perhaps the greatest value of this concept is that it is DEMONSTRABLE. While it won’t tell you you’ve done “enough” to prevent breaches, it just might prove that you haven’t.


While this post is not about PCI DSS, the HDMoore’s Law concept came to me after a year of asking “Is PCI the ‘No Child Left Behind Act’ for IT Security?” and, subsequently, from my intuitive allergy to the following two pervasive, thought-terminating clichés / platitudes… perhaps you’ve also heard them:

I know PCI won’t stop a determined attacker, but it will at least stop a casual attacker

Really? Will it? Is that still true? And second:

PCI is better than nothing – it at least raises the bar.

But has it raised the bar enough to matter? To stop even the least skilled adversaries?

Contrary to our wishes, “security” doesn’t grow linearly with our effort. With sentient adversaries seeking to steal valuable information, security gains are realized when a defender has done “enough” to deter/exhaust the resources of an actual attacker.

There was a time when less skilled, “casual attackers” may have had only one or two tricks up their sleeves. If you were patched, a casual attacker would simply “move on”… Metasploit and other tools have shattered this assumption and now the “enough” is a moving target.

Point. Click. Pwn.

The pointy-clicky nature of Metasploit and its ever-growing expert contributions make it the ultimate script kiddie tool – and an even greater force multiplier in the hands of more talented individuals/teams.

“Enough” Security – Metasploit as table stakes:

One of the most prevalent questions in all of IT security has long been:

What is “enough” security?

Clearly the answer is “it depends” (on a number of factors), one of which is: who is attacking us (which adversary classes?). If we use the latest version of Metasploit as a proxy for the lower bound of attack capacity for the least skilled “casual attacker”, then one can measure at any time whether you are “this tall to ride”. Put another way, to stop breach attempts from even our weakest adversary class, defensive power needs to meet or exceed parity with $today’s free version of Metasploit. If you cannot rise to HDMoore’s Law, it’s possible the only adversary you can fend off is the friendly-fire, self-imposed one.

In the few live, graphical presentations on it I’ve given thus far, the recognition of its value, utility, and implications was nearly instantaneous. I’ll attempt to show just a few here in this initial post by example – which will also aid in defining it.

HDMoore’s Law in Juxtaposition – Drop-Off Rates by Adversary Classes (weakest to strongest):

  • Auditor/Assessor – in the case of PCI, this is the QSA – by far the easiest attacker to reliably “make go away”. Though they do not cause breaches (let’s hope), CISOs often see them as their top threat.
  • Casual Attacker – this is an unskilled, target-agnostic attacker. This is the weakest class of adversary that actually causes breaches. HDMoore’s Law is a measurable proxy for this class, who get stronger as Metasploit adds new exploits, evasions, payloads, features and the like.
  • Chaotic Actors – this class of ideologically-fueled actors includes the likes of Anonymous and LulzSec and (with a few exceptions) is also fairly unskilled and tracks loosely to HDMoore’s Law. However, chaotic actors can be more determined and target-sticky. Consider them at 1.xx times the strength of HDMoore’s Law, but aimed at different asset types and seeking to shame, embarrass, or DDoS targets rather than to steal (e.g. credit card numbers).
  • Organized Crime – this financially motivated class recruits and cultivates serious hacking skills within economically rational parameters.
  • State Sponsored Espionage – with the power and resources of nation states behind them, this is a whole different ball of wax. When facing what some (kitten killers) call APT and I refer to as Adaptive Persistent Adversaries, the model is more a game of chess and a war of attrition if this class of adversary is after your less replaceable assets.

HDMoore's Law: Attacker Drop-Offs by Adversary Class

I already acknowledge:

  • I’m certain this articulation is imperfect (there are things I don’t like about it)
  • I fully expect to iterate on the following visualizations
  • The concept that all adversary classes conform to the same continuum is an acknowledged and willful oversimplification
  • AND… it is still a valuable abstraction regardless
  • And yes… this is more of a Metasploit’s Law (as HDMoore’s personal prowess is “off the charts”) – but come on… HDMoore’s Law is far catchier

That’s enough for today… and I will be revisiting this topic as a building block concept.

A few departing seed questions for upcoming posts:

  • Exactly how fast is HDMoore’s Law growing and can we keep up?
  • Is your Security program tall enough to ride?
  • How can an organization shift from ticking compliance boxes to measuring themselves against HDMoore’s Law?
  • How frequently should an organization measure themselves?
  • How can PCI DSS rationalize/adjust itself to stop any real adversaries?
  • What does HDMoore’s Law mean for the organizations Wendy Nather (@451wendy) calls “Living Below the Security Poverty Line”?

Put your program to the test.

Grab the free version of Metasploit (at least) and measure if you can handle HDMoore’s Law.

One of the things on my mind lately is a deceptively simple idea/question:

How replaceable is an asset type?

And a nagging question/observation:

Why do we spend the majority of our time in IT security on the most replaceable assets like regulated credit card data – at the opportunity cost and neglect of less-and-irreplaceable assets like Intellectual Property, Corporate Secrets and Critical Infrastructure?

If we draw a continuum from “Highly Replaceable” through “Irreplaceable”, we can then map 1..n various asset types against said continuum. Please see Figure 1 below.

Figure 1 - Replaceability Continuum

At the extremes, a human life is irreplaceable – whereas my mother-in-law’s Credit Card Number (CCN) is highly replaceable.

Highly Replaceable:

Let’s start with one of the most replaceable asset types… Who hasn’t had a Credit Card stolen (or several)? Think about it. How bad is it really? At most you are liable for a mere $50* – a fee I’ve yet to see anyone have to pay. What it tends to mean is the inconvenience of getting a new card issued, and the nuisance of direct billing logistics. Can it be worse? I’m sure it can be (and has been), but/and I’m pretty sure it isn’t worse than less replaceable asset types.

Irreplaceable/Less Replaceable:

On the other end of the continuum, we find less replaceable asset types: your Intellectual Property, your trade secrets, your corporate secrets, your proprietary research and development, etc. Whether this is, for example (but not limited to):

  • “the Colonel’s” secret herbs and spices which go into his world famous fried chicken (including the alleged “addictive chemical that makes you crave it fortnightly” #NameThatMovie)
  • Coca-Cola’s highly guarded recipe for brown sugar water
  • research data for the next wonder-drug (think Viagra)
  • Mergers & Acquisition files
  • Oil & Mineral Prospecting Data
  • Military Defense Secrets like the F-35 Joint Strike Fighter plans

And then there are the irreplaceable losses of human life. While examples of cyber attacks affecting human lives are rare, debated, dismissed, exaggerated, many-of-the-above… clearly failures of critical infrastructure, power grids, mass transit, defense infrastructure and the like can lead to such losses.

My prior question was deliberately coy. I have some answers/theories (which I will share in more detail in subsequent posts). So again:

Why do we spend the majority of our time in IT security on the most replaceable assets like regulated credit card data – at the opportunity cost and neglect of less-and-irreplaceable assets like Intellectual Property, Corporate Secrets and Critical Infrastructure?

A few teasers to start your thinking:

  • As a CIO once told me, “I might be hacked, but I will be fined”
  • Is it that we “Fear the Auditor more than the attacker?”
  • Are we erroneously assuming that these “best practices” for defending card data equally apply to other adversary classes (think state sponsored espionage and/or ideologically fueled chaotic actors) seeking other asset classes (which are often in other parts of our IT)? More on this later.
  • Is it that we have more available data on regulated data types due to mandatory disclosure laws and we’re looking “where the light is best”?

Why do you think we focus the bulk of our scarce IT Security time and resources on the most replaceable of our asset types? If you agree and this is also nagging at you, what are you doing about it?

NOTE: As I write this, it occurred to me this concept may have affinity with something Dan Geer has been puzzling over recently – describing security as a function of “dependence”.

*There are caveats per your contracts. E.g. you may need to report the fraud in a reasonable timeframe.


Posted: 2011/10/24 in Concept, Expectations

So much in life is about managing expectations…

Given the title which inspired this blog, many of the topics and issues raised here will not be cut and dry – nor black and white. Some concepts are susceptible to intellectually honest discussion and disagreement – some will require it. Some may even appear polarizing. I’ve been accused by friends and colleagues of being an “Intellectually Honest Troublemaker” though trouble isn’t my objective. I’ve also been called a “Provocateur of the best kind”.

More complex issues (by their nature) aren’t going to fit into neat boxes. The most deeply and fervently held false beliefs, dogma, and/or conventional wisdom are likely to encounter the most active resistance when one tries to pry them from clutching minds.

More than anything, I want to make people think. Therefore, this might get messy…

I am OK with this.

  • I expect imperfection, in fact at times I am aiming for it. It would be a mistake if I were to over-rotate and accidentally discourage value-adding exchanges to improve an idea.
  • I expect some topics will raise more questions than they answer (at least initially).
  • I expect some topics will upset people – especially if they are very attached to a belief and/or don’t like the implications of the thread.
  • I expect (upon the revelation of new data/perspective) to evolve and adapt a position or opinion over time. I hope that my readers/commenters do the same.
  • I expect to get called out when I’ve made mistakes. I hope it is done in a cordial and helpful manner.


Posted: 2009/10/08 in Concept

Wikipedia describes Cognitive Dissonance as:

an uncomfortable feeling caused by holding two contradictory ideas simultaneously.

Cognitive:

pertaining to the mental processes of perception, memory, judgment, and reasoning, as contrasted with emotional and volitional processes.

Dissident:

One who differs in sentiment or opinion, esp. from the majority

Cognitive Dissidents:

Those of us who sense a tension and growing disconnect between conventional wisdom and reality – and have the courage to challenge the majority with rational, critical discussion, debate and dialectic toward a more aligned, enlightened, and comprehensive understanding.