Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."

[Bob Radvanovsky <rsradvan () unixworks net>]

Read below for my 'soapbox' version...  (you have been warned)

-r

----- Original Message -----
From: Jason Muskat [mailto:Jason () TechDude Ca]
To: "Sadler, Connie" [mailto:Connie_Sadler () brown edu], email () securityabsurdity com, security-basics () 
securityfocus com
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."


> Hello,
>
> Most of the time, security, any security, is about bringing that feel good
> feeling to the customer; having somebody to blame when something goes bad is
> a plus as well.
>
> Real security is very rare as it costs a lot. Most people think they are
> secure because of a policy, or something just as silly like a sign on the
> wall.

You also forget that big business takes an attitude that they will sick a swarm of lawyers after your butt if you do 
anything to harm their networks and systems.  Case in point is the recently posted article about someone who found a 
flaw within a system environment, broke in, logged everything, told them about it, gave them the necessary information, 
and asked for *nothing* in return, only to be arrested for digital trespassing.  Corporations feel that they control 
everything, and so, therefore, in the eyes of their attorneys, anything you do on their networks becomes their 
property.  Their policies are reflected of these principles and cultures (meaning, way of thinking and how they 'do' 
things).  Yes, the securification process costs money, and yes, it is a never-ending cycle (contrary to some belief, it 
is a 'circular' cycle, rather than a straight line); however, executive management want immediate resolution.  They 
lack the conceptualization that, what is secure now, *might be* unsecure a hour from now, a day from now, a week, a 
month...you get the picture, right?  And, executives are getting tired of the "Chicken Little Symdrome" of that the sky 
is falling, or the "Driver'd Ed Symdrome" of "*THIS*...COULD...HAPPEN...TO **YOU**!" with its cheesey sound effects 
from the days of 35-38mm film projectors (sound fading in and out, or the jittered sounds....ah, the days of bad films 
gone bad in the film projector days).  Go back to previous sentence: they want resolution -- NOW!!!

You have to look at the entire hollistic aspect of everything.  It's not just about a policy, or a placard on a wall.  
It's about the culture of the corporation, and how they view and feel about securing their environment.  If they take 
security seriously, the corporation appears to be too tightly controlled, some even going to the extreme of stating 
that its a dictatorship.  If they don't consider security as an issue, and take a $400 million general insurance policy 
out, then their attitude is the "swarm and kill" method of sicking their teams of lawyers after you if you digitally 
trespass or smear/discredit the name and reputation of the corporation.  Either way, you loose.

There's nothing silly about having a placard on a wall.  It indemnifies them against liability.  Remember: 
liability....bbbaaaaaaaadddd; money....ggggooooooooooddd.


> I think it is imperative that government set and regulate minimal real
> information security standards especially in sectors that provide essential
> services such as power, telecomm, and banking, and such. The regulations
> will allow the security people to enforce security despite a line of
> business not  wanting to 'implement" a secure solution. People are still
> building new applications and workflows that use telnet and refuse to use
> SSH or any secure other secure methods such as telnet over SSL.

How would having yet another thing that our government would bolox up, be a "good thing" for *US*???  Tell me how????  
Imposing more regulations, controls and governances -- which don't work -- add nothing but more headaches and TONS more 
paperwork that *YOU* will have to fill out!!!  Think you fill out alot of formed requests right now?  Wait.  If you 
impose sanctions for having government control of business, (1) corporations will baulk at the whole idea, (2) if 
there's a will, there's a way, and both corporations -- and hackers -- will find ways of circumventing everything 
(which they already do -- look at HIPAA and SOX; only a small percentage of healthcare providers actually give a damn 
about HIPAA -- most of them, DON'T), and (3) impose an authoritarian control over people, which again, will mean that 
there will be uprisings, etc.  If you want to control the masses, you MUST convince them that they *want* to be 
controlled, that they *need* to be controlled, etc.  Rules of engagement for American Dictatorship 101.

OK, let ms ask you a few more questions...does security work?  Heck, does auditing work?  I've been in a heated debate 
now for well over a year about *how* IT auditing should work.  For one thing, just casually observing it, it doesn't.  
For one thing you've got non-technical people making technical observations based on a set of criteria established by 
some other party elsewhere.  How is that "auditing" (per se)?  I do this because there are a few people out there who 
are vehemently opposed to the so-called audits conducted by the Big 4 these days.  They all run the same sets of Open 
Source tools and scripts, shlopp the company's name, some bits and pieces of data into a 500-600 page template, and 
VOILA! -- instant IT audit assessment of your company!!!  ("That'll be $150,000 for your assessment, please.")  
Nevermind the remediation aspect of it where they bring in busloads of people who will do *nothing*, but sit at 
meetings, drinks lots of *your* coffee and tell you that you're unsecure.  No resolution, just alot of fluff.  If you 
ask specific questions to the auditors, you get blanks stares, similar to that of a deer in headlights look.  In the 
same sense, you've got yer corporate Gestapo (er, um...I mean "security folks") who come up the ranks of a rent-a-cop 
security company, or just recently passed their blah-blah-blah certification -- no degree, no long-term experience -- 
now telling you that YOU MUST, or YOU SHOULD -- do this, that and something else.  Are you *really* sure that to want 
to give this to an individual, or group of individuals, who have absolutely no idea on what "security" is?

Better yet...let's use this analogy...

You own a company that processes toxic waste from a manufacturing plant to a "waste processing center" (which in this 
case, is an open pit, say, someplace out in Nevada).  You're company has hired a trucking company to haul this stuff, 
upon which any contact of any flesh (animal, plant, or human), literally *melts* instantly.  The trucking company won 
the RFP contact from your company because they were the lowest bid in the contract process (typical of both 
corporations and government...it's the "How Low Can You Go" game), to hire a trucking company with a long history of 
traffic violations, hiring foreign nationals from other countries (who speak very little English, and barely understand 
the traffic signs) and have been given a 3-8 hour course of how to drive a semi-tractor trailer.  Now...   Putting it 
into *that* context, would you want to be the one who's responsible for that company that just hired that waste hauler? 
 And, of course, it's been mandated -- by law -- that you must use a certified waste hauler, of which, these people are 
licensed and certified -- barely -- but still legal.

The same would hold true of imposing hiring an outside security company, which -- more than likely -- would be an 
"American" company, with call centers elsewhere in the world, along with their "technicians", who are completely oppose 
whatever timezone you are in (if it's daytime for you, it's nighttime for them).  The only "Americans" you'd see are 
the marketing and sales reps that want to you sign a contract for monitoring your network from a foreign country.  Of 
course, there's also the "incident management" aspect of it in terms of the SLA (that's "Service Level Agreements"), 
stipulating the amount of work that <X> needs to perform if <Y> happens, only to have them tell you that your contract 
doesn't stipulate that level of support, and that it would cost an additional $500,000 to get it.  Your corporate 
executives could *swear* that they read all of the fine print, and now suddenly have a vacation to take in Haiti with 
their (er) "family".

Interesting note though...we have 5 or 6 times more security today now than we did in 1998 and 1999.  Yet... we have 
nore intrusion "incidents" today than ever.  Yet, we're more "secure".  Would imposing more regulation actually *fix* 
the problem?  I'd say 'no'...

"Security" is a matter of perception.  If the companies don't see it as an issue, it (quite simply) is *not* an issue.

> Regards,
>
> -- 
> Jason Muskat  | GCUX - de VE3TSJ
> ____________________________
> TechDude
> e. Jason () TechDude Ca
> m. 416 .414 .9934
>
> http://TechDude.Ca/
>
>
> > From: "Sadler, Connie" <Connie_Sadler () brown edu>
> > Date: Wed, 10 May 2006 13:01:06 -0400
> > To: <email () securityabsurdity com>, <security-basics () securityfocus com>
> > Conversation: Article: "Security Absurdity: The Complete, Unquestionable,
> And
> > Total Failure of Information Security."
> > Subject: RE: Article: "Security Absurdity: The Complete, Unquestionable,
> And
> > Total Failure of Information Security."
> >
> >  
> > I think there is a *lot* more to this, but don't have the time to fully
> > respond. Good things to think about - yes! But InfoSec has never had the
> > authority to do what's best. Ideas are floated and quickly rejected, and
> > the "balance" we all try to provide is as much as many of us can "push"
> > out against a very resistant culture.
> >
> > Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
> > Director, IT Security, Brown University
> > Box 1885, Providence, RI 02912
> > Office: 401-863-7266
> >
> >
> >
> > -----Original Message-----
> > From: email () securityabsurdity com [mailto:email () securityabsurdity com]
> > Sent: Wednesday, May 10, 2006 12:54 AM
> > To: security-basics () securityfocus com
> > Subject: Article: "Security Absurdity: The Complete, Unquestionable, And
> > Total Failure of Information Security."
> >
> >
> > Security Absurdity: The Complete, Unquestionable, And Total Failure of
> > Information Security.
> >
> >
> > A long-overdue wake up call for the information security community.
> >
> >
> > Article: http://www.securityabsurdity.com/failure.php