Network Security Security-Basics

Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
Date: Thu, 11 May 2006 11:16:00 -0500
Read below for my 'soapbox' version...  (you have been warned)

-r

----- Original Message -----
From: Jason Muskat [mailto:Jason@TechDude.Ca]
To: "Sadler, Connie" [mailto:Connie_Sadler@brown.edu], 
email@securityabsurdity.com, security-basics@securityfocus.com
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And 
Total Failure of Information Security."


Hello,

Most of the time, security, any security, is about bringing that feel good
feeling to the customer; having somebody to blame when something goes bad is
a plus as well.

Real security is very rare as it costs a lot. Most people think they are
secure because of a policy, or something just as silly like a sign on the
wall.

You also forget that big business takes an attitude that they will sic a swarm 
of lawyers after your butt if you do anything to harm their networks and 
systems.  Case in point is the recently posted article about someone who found 
a flaw within a system environment, broke in, logged everything, told them 
about it, gave them the necessary information, and asked for *nothing* in 
return, only to be arrested for digital trespassing.  Corporations feel that 
they control everything, and so, therefore, in the eyes of their attorneys, 
anything you do on their networks becomes their property.  Their policies are 
reflective of these principles and cultures (meaning, way of thinking and how 
they 'do' things).  Yes, the securification process costs money, and yes, it is 
a never-ending cycle (contrary to some belief, it is a 'circular' cycle, rather 
than a straight line); however, executive management want immediate resolution. 
They lack the conceptualization that, what is secure now, *might be* unsecure 
an hour from now, a day from now, a week, a month...you get the picture, right?  
And, executives are getting tired of the "Chicken Little Syndrome" that the 
sky is falling, or the "Driver's Ed Syndrome" of "*THIS*...COULD...HAPPEN...TO 
**YOU**!" with its cheesy sound effects from the days of 35-38mm film 
projectors (sound fading in and out, or the jittered sounds....ah, the days of 
bad films gone bad in the film projector days).  Go back to previous sentence: 
they want resolution -- NOW!!!

You have to look at the entire holistic aspect of everything.  It's not just 
about a policy, or a placard on a wall.  It's about the culture of the 
corporation, and how they view and feel about securing their environment.  If 
they take security seriously, the corporation appears to be too tightly 
controlled, some even going to the extreme of stating that it's a dictatorship.  
If they don't consider security as an issue, and take a $400 million general 
insurance policy out, then their attitude is the "swarm and kill" method of 
siccing their teams of lawyers after you if you digitally trespass or 
smear/discredit the name and reputation of the corporation.  Either way, you 
lose.

There's nothing silly about having a placard on a wall.  It indemnifies them 
against liability.  Remember: liability....bbbaaaaaaaadddd; 
money....ggggooooooooooddd.


I think it is imperative that government set and regulate minimal real
information security standards especially in sectors that provide essential
services such as power, telecomm, and banking, and such. The regulations
will allow the security people to enforce security despite a line of
business not wanting to 'implement' a secure solution. People are still
building new applications and workflows that use telnet and refuse to use
SSH or any other secure methods such as telnet over SSL.

How would having yet another thing that our government would bollix up, be a 
"good thing" for *US*???  Tell me how????  Imposing more regulations, controls 
and governances -- which don't work -- add nothing but more headaches and TONS 
more paperwork that *YOU* will have to fill out!!!  Think you fill out a lot of 
formed requests right now?  Wait.  If you impose sanctions for having 
government control of business, (1) corporations will baulk at the whole idea, 
(2) if there's a will, there's a way, and both corporations -- and hackers -- 
will find ways of circumventing everything (which they already do -- look at 
HIPAA and SOX; only a small percentage of healthcare providers actually give a 
damn about HIPAA -- most of them, DON'T), and (3) impose an authoritarian 
control over people, which again, will mean that there will be uprisings, etc.  
If you want to control the masses, you MUST convince them that they *want* to 
be controlled, that they *need* to be controlled, etc.  Rules of engagement for 
American Dictatorship 101.

OK, let me ask you a few more questions...does security work?  Heck, does 
auditing work?  I've been in a heated debate now for well over a year about 
*how* IT auditing should work.  For one thing, just casually observing it, it 
doesn't.  For one thing you've got non-technical people making technical 
observations based on a set of criteria established by some other party 
elsewhere.  How is that "auditing" (per se)?  I do this because there are a few 
people out there who are vehemently opposed to the so-called audits conducted 
by the Big 4 these days.  They all run the same sets of Open Source tools and 
scripts, shlopp the company's name, some bits and pieces of data into a 500-600 
page template, and VOILA! -- instant IT audit assessment of your company!!!  
("That'll be $150,000 for your assessment, please.")  Never mind the remediation 
aspect of it where they bring in busloads of people who will do *nothing*, but 
sit at meetings, drink lots of *your* coffee and tell you that you're 
unsecure.  No resolution, just a lot of fluff.  If you ask specific questions to 
the auditors, you get blank stares, similar to that of a deer in headlights 
look.  In the same sense, you've got yer corporate Gestapo (er, um...I mean 
"security folks") who come up the ranks of a rent-a-cop security company, or 
just recently passed their blah-blah-blah certification -- no degree, no 
long-term experience -- now telling you that YOU MUST, or YOU SHOULD -- do 
this, that and something else.  Are you *really* sure that you want to give this 
to an individual, or group of individuals, who have absolutely no idea on what 
"security" is?

Better yet...let's use this analogy...

You own a company that processes toxic waste from a manufacturing plant to a 
"waste processing center" (which in this case, is an open pit, say, someplace 
out in Nevada).  Your company has hired a trucking company to haul this 
stuff, upon which any contact of any flesh (animal, plant, or human), literally 
*melts* instantly.  The trucking company won the RFP contract from your company 
because they were the lowest bid in the contract process (typical of both 
corporations and government...it's the "How Low Can You Go" game), to hire a 
trucking company with a long history of traffic violations, hiring foreign 
nationals from other countries (who speak very little English, and barely 
understand the traffic signs) and have been given a 3-8 hour course of how to 
drive a semi-tractor trailer.  Now...   Putting it into *that* context, would 
you want to be the one who's responsible for that company that just hired that 
waste hauler?  And, of course, it's been mandated -- by law -- that you must 
use a certified waste hauler, of which, these people are licensed and certified 
-- barely -- but still legal.

The same would hold true of imposing hiring an outside security company, which 
-- more than likely -- would be an "American" company, with call centers 
elsewhere in the world, along with their "technicians", who are completely 
opposite whatever timezone you are in (if it's daytime for you, it's nighttime 
for them).  The only "Americans" you'd see are the marketing and sales reps 
that want you to sign a contract for monitoring your network from a foreign 
country.  Of course, there's also the "incident management" aspect of it in 
terms of the SLA (that's "Service Level Agreements"), stipulating the amount of 
work that <X> needs to perform if <Y> happens, only to have them tell you that 
your contract doesn't stipulate that level of support, and that it would cost 
an additional $500,000 to get it.  Your corporate executives could *swear* that 
they read all of the fine print, and now suddenly have a vacation to take in 
Haiti with their (er) "family".

Interesting note though...we have 5 or 6 times more security today now than we 
did in 1998 and 1999.  Yet... we have more intrusion "incidents" today than 
ever.  Yet, we're more "secure".  Would imposing more regulation actually *fix* 
the problem?  I'd say 'no'...

"Security" is a matter of perception.  If the companies don't see it as an 
issue, it (quite simply) is *not* an issue.


Regards,

-- 
Jason Muskat  | GCUX - de VE3TSJ
____________________________
TechDude
e. Jason@TechDude.Ca
m. 416 .414 .9934

http://TechDude.Ca/


From: "Sadler, Connie" <Connie_Sadler@brown.edu>
Date: Wed, 10 May 2006 13:01:06 -0400
To: <email@securityabsurdity.com>, <security-basics@securityfocus.com>
Conversation: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
Subject: RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."

I think there is a *lot* more to this, but don't have the time to fully
respond. Good things to think about - yes! But InfoSec has never had the
authority to do what's best. Ideas are floated and quickly rejected, and
the "balance" we all try to provide is as much as many of us can "push"
out against a very resistant culture.

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
Director, IT Security, Brown University
Box 1885, Providence, RI 02912
Office: 401-863-7266



-----Original Message-----
From: email@securityabsurdity.com [mailto:email@securityabsurdity.com]
Sent: Wednesday, May 10, 2006 12:54 AM
To: security-basics@securityfocus.com
Subject: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."


Security Absurdity: The Complete, Unquestionable, And Total Failure of
Information Security.


A long-overdue wake up call for the information security community.


Article: http://www.securityabsurdity.com/failure.php
