Read below for my 'soapbox' version... (you have been warned)
-r
----- Original Message -----
From: Jason Muskat [mailto:Jason@TechDude.Ca]
To: "Sadler, Connie" [mailto:Connie_Sadler@brown.edu],
email@securityabsurdity.com, security-basics@securityfocus.com
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And
Total Failure of Information Security."
> Hello,
>
> Most of the time, security, any security, is about bringing that feel good
> feeling to the customer; having somebody to blame when something goes bad
is
> a plus as well.
>
> Real security is very rare as it costs a lot. Most people think they are
> secure because of a policy, or something just as silly like a sign on the
> wall.
You also forget that big business takes an attitude that they will sick a
swarm of lawyers after your butt if you do anything to harm their networks
and systems. Case in point is the recently posted article about someone who
found a flaw within a system environment, broke in, logged everything, told
them about it, gave them the necessary information, and asked for *nothing*
in return, only to be arrested for digital trespassing. Corporations feel
that they control everything, and so, therefore, in the eyes of their
attorneys, anything you do on their networks becomes their property. Their
policies are reflected of these principles and cultures (meaning, way of
thinking and how they 'do' things). Yes, the securification process costs
money, and yes, it is a never-ending cycle (contrary to some belief, it is a
'circular' cycle, rather than a straight line); however, executive
management want immediate resolution. They lack the conceptualization that,
what is secure now, *might be* unsecure a hour from now, a day from now, a
week, a month...you get the picture, right? And, executives are getting
tired of the "Chicken Little Symdrome" of that the sky is falling, or the
"Driver'd Ed Symdrome" of "*THIS*...COULD...HAPPEN...TO **YOU**!" with its
cheesey sound effects from the days of 35-38mm film projectors (sound fading
in and out, or the jittered sounds....ah, the days of bad films gone bad in
the film projector days). Go back to previous sentence: they want
resolution -- NOW!!!
You have to look at the entire hollistic aspect of everything. It's not
just about a policy, or a placard on a wall. It's about the culture of the
corporation, and how they view and feel about securing their environment.
If they take security seriously, the corporation appears to be too tightly
controlled, some even going to the extreme of stating that its a
dictatorship. If they don't consider security as an issue, and take a $400
million general insurance policy out, then their attitude is the "swarm and
kill" method of sicking their teams of lawyers after you if you digitally
trespass or smear/discredit the name and reputation of the corporation.
Either way, you loose.
There's nothing silly about having a placard on a wall. It indemnifies them
against liability. Remember: liability....bbbaaaaaaaadddd;
money....ggggooooooooooddd.
> I think it is imperative that government set and regulate minimal real
> information security standards especially in sectors that provide
essential
> services such as power, telecomm, and banking, and such. The regulations
> will allow the security people to enforce security despite a line of
> business not wanting to 'implement" a secure solution. People are still
> building new applications and workflows that use telnet and refuse to use
> SSH or any secure other secure methods such as telnet over SSL.
How would having yet another thing that our government would bolox up, be a
"good thing" for *US*??? Tell me how???? Imposing more regulations,
controls and governances -- which don't work -- add nothing but more
headaches and TONS more paperwork that *YOU* will have to fill out!!! Think
you fill out alot of formed requests right now? Wait. If you impose
sanctions for having government control of business, (1) corporations will
baulk at the whole idea, (2) if there's a will, there's a way, and both
corporations -- and hackers -- will find ways of circumventing everything
(which they already do -- look at HIPAA and SOX; only a small percentage of
healthcare providers actually give a damn about HIPAA -- most of them,
DON'T), and (3) impose an authoritarian control over people, which again,
will mean that there will be uprisings, etc. If you want to control the
masses, you MUST convince them that they *want* to be controlled, that they
*need* to be controlled, etc. Rules of engagement for American Dictatorship
101.
OK, let ms ask you a few more questions...does security work? Heck, does
auditing work? I've been in a heated debate now for well over a year about
*how* IT auditing should work. For one thing, just casually observing it,
it doesn't. For one thing you've got non-technical people making technical
observations based on a set of criteria established by some other party
elsewhere. How is that "auditing" (per se)? I do this because there are a
few people out there who are vehemently opposed to the so-called audits
conducted by the Big 4 these days. They all run the same sets of Open
Source tools and scripts, shlopp the company's name, some bits and pieces of
data into a 500-600 page template, and VOILA! -- instant IT audit assessment
of your company!!! ("That'll be $150,000 for your assessment, please.")
Nevermind the remediation aspect of it where they bring in busloads of
people who will do *nothing*, but sit at meetings, drinks lots of *your*
coffee and tell you that you're unsecure. No resolution, just alot of
fluff. If you ask specific questions to the auditors, you get blanks
stares, similar to that of a deer in headlights look. In the same sense,
you've got yer corporate Gestapo (er, um...I mean "security folks") who come
up the ranks of a rent-a-cop security company, or just recently passed their
blah-blah-blah certification -- no degree, no long-term experience -- now
telling you that YOU MUST, or YOU SHOULD -- do this, that and something
else. Are you *really* sure that to want to give this to an individual, or
group of individuals, who have absolutely no idea on what "security" is?
Better yet...let's use this analogy...
You own a company that processes toxic waste from a manufacturing plant to a
"waste processing center" (which in this case, is an open pit, say,
someplace out in Nevada). You're company has hired a trucking company to
haul this stuff, upon which any contact of any flesh (animal, plant, or
human), literally *melts* instantly. The trucking company won the RFP
contact from your company because they were the lowest bid in the contract
process (typical of both corporations and government...it's the "How Low Can
You Go" game), to hire a trucking company with a long history of traffic
violations, hiring foreign nationals from other countries (who speak very
little English, and barely understand the traffic signs) and have been given
a 3-8 hour course of how to drive a semi-tractor trailer. Now... Putting
it into *that* context, would you want to be the one who's responsible for
that company that just hired that waste hauler? And, of course, it's been
mandated -- by law -- that you must use a certified waste hauler, of which,
these people are licensed and certified -- barely -- but still legal.
The same would hold true of imposing hiring an outside security company,
which -- more than likely -- would be an "American" company, with call
centers elsewhere in the world, along with their "technicians", who are
completely oppose whatever timezone you are in (if it's daytime for you,
it's nighttime for them). The only "Americans" you'd see are the marketing
and sales reps that want to you sign a contract for monitoring your network
from a foreign country. Of course, there's also the "incident management"
aspect of it in terms of the SLA (that's "Service Level Agreements"),
stipulating the amount of work that <X> needs to perform if <Y> happens,
only to have them tell you that your contract doesn't stipulate that level
of support, and that it would cost an additional $500,000 to get it. Your
corporate executives could *swear* that they read all of the fine print, and
now suddenly have a vacation to take in Haiti with their (er) "family".
Interesting note though...we have 5 or 6 times more security today now than
we did in 1998 and 1999. Yet... we have nore intrusion "incidents" today
than ever. Yet, we're more "secure". Would imposing more regulation
actually *fix* the problem? I'd say 'no'...
"Security" is a matter of perception. If the companies don't see it as an
issue, it (quite simply) is *not* an issue.
>
> Regards,
>
> --
> Jason Muskat | GCUX - de VE3TSJ
> ____________________________
> TechDude
> e. Jason@TechDude.Ca
> m. 416 .414 .9934
>
> http://TechDude.Ca/
>
>
> > From: "Sadler, Connie" <Connie_Sadler@brown.edu>
> > Date: Wed, 10 May 2006 13:01:06 -0400
> > To: <email@securityabsurdity.com>, <security-basics@securityfocus.com>
> > Conversation: Article: "Security Absurdity: The Complete,
Unquestionable,
> And
> > Total Failure of Information Security."
> > Subject: RE: Article: "Security Absurdity: The Complete, Unquestionable,
> And
> > Total Failure of Information Security."
> >
> >
> > I think there is a *lot* more to this, but don't have the time to fully
> > respond. Good things to think about - yes! But InfoSec has never had the
> > authority to do what's best. Ideas are floated and quickly rejected, and
> > the "balance" we all try to provide is as much as many of us can "push"
> > out against a very resistant culture.
> >
> > Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
> > Director, IT Security, Brown University
> > Box 1885, Providence, RI 02912
> > Office: 401-863-7266
> >
> >
> >
> > -----Original Message-----
> > From: email@securityabsurdity.com [mailto:email@securityabsurdity.com]
> > Sent: Wednesday, May 10, 2006 12:54 AM
> > To: security-basics@securityfocus.com
> > Subject: Article: "Security Absurdity: The Complete, Unquestionable, And
> > Total Failure of Information Security."
> >
> >
> > Security Absurdity: The Complete, Unquestionable, And Total Failure of
> > Information Security.
> >
> >
> > A long-overdue wake up call for the information security community.
> >
> >
> > Article: http://www.securityabsurdity.com/failure.php
> >
>
>
>
