Security Basics mailing list archives
Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Thu, 11 May 2006 11:16:00 -0500
Read below for my 'soapbox' version... (you have been warned) -r ----- Original Message ----- From: Jason Muskat [mailto:Jason () TechDude Ca] To: "Sadler, Connie" [mailto:Connie_Sadler () brown edu], email () securityabsurdity com, security-basics () securityfocus com Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
Hello, Most of the time, security, any security, is about bringing that feel good feeling to the customer; having somebody to blame when something goes bad is a plus as well. Real security is very rare as it costs a lot. Most people think they are secure because of a policy, or something just as silly like a sign on the wall.
You also forget that big business takes an attitude that they will sick a swarm of lawyers after your butt if you do anything to harm their networks and systems. Case in point is the recently posted article about someone who found a flaw within a system environment, broke in, logged everything, told them about it, gave them the necessary information, and asked for *nothing* in return, only to be arrested for digital trespassing. Corporations feel that they control everything, and so, therefore, in the eyes of their attorneys, anything you do on their networks becomes their property. Their policies are reflected of these principles and cultures (meaning, way of thinking and how they 'do' things). Yes, the securification process costs money, and yes, it is a never-ending cycle (contrary to some belief, it is a 'circular' cycle, rather than a straight line); however, executive management want immediate resolution. They lack the conceptualization that, what is secure now, *might be* unsecure a hour from now, a day from now, a week, a month...you get the picture, right? And, executives are getting tired of the "Chicken Little Symdrome" of that the sky is falling, or the "Driver'd Ed Symdrome" of "*THIS*...COULD...HAPPEN...TO **YOU**!" with its cheesey sound effects from the days of 35-38mm film projectors (sound fading in and out, or the jittered sounds....ah, the days of bad films gone bad in the film projector days). Go back to previous sentence: they want resolution -- NOW!!! You have to look at the entire hollistic aspect of everything. It's not just about a policy, or a placard on a wall. It's about the culture of the corporation, and how they view and feel about securing their environment. If they take security seriously, the corporation appears to be too tightly controlled, some even going to the extreme of stating that its a dictatorship. If they don't consider security as an issue, and take a $400 million general insurance policy out, then their attitude is the "swarm and kill" method of sicking their teams of lawyers after you if you digitally trespass or smear/discredit the name and reputation of the corporation. Either way, you loose. There's nothing silly about having a placard on a wall. It indemnifies them against liability. Remember: liability....bbbaaaaaaaadddd; money....ggggooooooooooddd.
I think it is imperative that government set and regulate minimal real information security standards especially in sectors that provide essential services such as power, telecomm, and banking, and such. The regulations will allow the security people to enforce security despite a line of business not wanting to 'implement" a secure solution. People are still building new applications and workflows that use telnet and refuse to use SSH or any secure other secure methods such as telnet over SSL.
How would having yet another thing that our government would bolox up, be a "good thing" for *US*??? Tell me how???? Imposing more regulations, controls and governances -- which don't work -- add nothing but more headaches and TONS more paperwork that *YOU* will have to fill out!!! Think you fill out alot of formed requests right now? Wait. If you impose sanctions for having government control of business, (1) corporations will baulk at the whole idea, (2) if there's a will, there's a way, and both corporations -- and hackers -- will find ways of circumventing everything (which they already do -- look at HIPAA and SOX; only a small percentage of healthcare providers actually give a damn about HIPAA -- most of them, DON'T), and (3) impose an authoritarian control over people, which again, will mean that there will be uprisings, etc. If you want to control the masses, you MUST convince them that they *want* to be controlled, that they *need* to be controlled, etc. Rules of engagement for American Dictatorship 101. OK, let ms ask you a few more questions...does security work? Heck, does auditing work? I've been in a heated debate now for well over a year about *how* IT auditing should work. For one thing, just casually observing it, it doesn't. For one thing you've got non-technical people making technical observations based on a set of criteria established by some other party elsewhere. How is that "auditing" (per se)? I do this because there are a few people out there who are vehemently opposed to the so-called audits conducted by the Big 4 these days. They all run the same sets of Open Source tools and scripts, shlopp the company's name, some bits and pieces of data into a 500-600 page template, and VOILA! -- instant IT audit assessment of your company!!! ("That'll be $150,000 for your assessment, please.") Nevermind the remediation aspect of it where they bring in busloads of people who will do *nothing*, but sit at meetings, drinks lots of *your* coffee and tell you that you're unsecure. No resolution, just alot of fluff. If you ask specific questions to the auditors, you get blanks stares, similar to that of a deer in headlights look. In the same sense, you've got yer corporate Gestapo (er, um...I mean "security folks") who come up the ranks of a rent-a-cop security company, or just recently passed their blah-blah-blah certification -- no degree, no long-term experience -- now telling you that YOU MUST, or YOU SHOULD -- do this, that and something else. Are you *really* sure that to want to give this to an individual, or group of individuals, who have absolutely no idea on what "security" is? Better yet...let's use this analogy... You own a company that processes toxic waste from a manufacturing plant to a "waste processing center" (which in this case, is an open pit, say, someplace out in Nevada). You're company has hired a trucking company to haul this stuff, upon which any contact of any flesh (animal, plant, or human), literally *melts* instantly. The trucking company won the RFP contact from your company because they were the lowest bid in the contract process (typical of both corporations and government...it's the "How Low Can You Go" game), to hire a trucking company with a long history of traffic violations, hiring foreign nationals from other countries (who speak very little English, and barely understand the traffic signs) and have been given a 3-8 hour course of how to drive a semi-tractor trailer. Now... Putting it into *that* context, would you want to be the one who's responsible for that company that just hired that waste hauler? And, of course, it's been mandated -- by law -- that you must use a certified waste hauler, of which, these people are licensed and certified -- barely -- but still legal. The same would hold true of imposing hiring an outside security company, which -- more than likely -- would be an "American" company, with call centers elsewhere in the world, along with their "technicians", who are completely oppose whatever timezone you are in (if it's daytime for you, it's nighttime for them). The only "Americans" you'd see are the marketing and sales reps that want to you sign a contract for monitoring your network from a foreign country. Of course, there's also the "incident management" aspect of it in terms of the SLA (that's "Service Level Agreements"), stipulating the amount of work that <X> needs to perform if <Y> happens, only to have them tell you that your contract doesn't stipulate that level of support, and that it would cost an additional $500,000 to get it. Your corporate executives could *swear* that they read all of the fine print, and now suddenly have a vacation to take in Haiti with their (er) "family". Interesting note though...we have 5 or 6 times more security today now than we did in 1998 and 1999. Yet... we have nore intrusion "incidents" today than ever. Yet, we're more "secure". Would imposing more regulation actually *fix* the problem? I'd say 'no'... "Security" is a matter of perception. If the companies don't see it as an issue, it (quite simply) is *not* an issue.
Regards, -- Jason Muskat | GCUX - de VE3TSJ ____________________________ TechDude e. Jason () TechDude Ca m. 416 .414 .9934 http://TechDude.Ca/From: "Sadler, Connie" <Connie_Sadler () brown edu> Date: Wed, 10 May 2006 13:01:06 -0400 To: <email () securityabsurdity com>, <security-basics () securityfocus com> Conversation: Article: "Security Absurdity: The Complete, Unquestionable,AndTotal Failure of Information Security." Subject: RE: Article: "Security Absurdity: The Complete, Unquestionable,AndTotal Failure of Information Security." I think there is a *lot* more to this, but don't have the time to fully respond. Good things to think about - yes! But InfoSec has never had the authority to do what's best. Ideas are floated and quickly rejected, and the "balance" we all try to provide is as much as many of us can "push" out against a very resistant culture. Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC Director, IT Security, Brown University Box 1885, Providence, RI 02912 Office: 401-863-7266 -----Original Message----- From: email () securityabsurdity com [mailto:email () securityabsurdity com] Sent: Wednesday, May 10, 2006 12:54 AM To: security-basics () securityfocus com Subject: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security. A long-overdue wake up call for the information security community. Article: http://www.securityabsurdity.com/failure.php
Current thread:
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Bob Radvanovsky (May 12)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Saqib Ali (May 15)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Jason Muskat (May 17)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Stephen John Smoogen (May 20)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Jason Muskat (May 23)
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Angela and Donald (May 24)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Jason Muskat (May 24)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Saqib Ali (May 15)
- <Possible follow-ups>
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Bob Radvanovsky (May 23)