Educause Security Discussion mailing list archives

Re: Improving the Security of Windows Platforms


From: Professor George Davida <davida () CSD UWM EDU>
Date: Mon, 22 Mar 2004 09:56:55 -0600

"Computer Operators", sometimes called "Sysadmins", need to know
a lot more than what a program is. That is somewhat like
saying "medical professionals" need to know something
about human anatomy! Well they have very specific
degree requirements: MD, RN,... not some "communication"
graduate who read books on biology and needs to know
what an organ is....
They really need to be
computer science graduates, if they are to perform
the tasks of securing systems, with a good background
in computer security fundamentals. Unfortunately
that is not going to fly with the industries' penchant
for cheap labor. Large corporations (such as a financial
securities corporation I know about)
hire English majors who learned
to configure their windows, unix or whatever on
their own, as security officers.

This won't change until shareholders (and consumers)
file suit for losses against these corporations,
losses due to decreased productivity, loss of data or
outright theft of IP.

At my university, the staff have done nothing recently
but go around cleaning machines and installing yet
another copy of Norton.  There is no real work
of improving the software environment to support
education/research needs, just fire fighting.
I have not computed the cost of all these well
paid folks in this effort, but I would guess it
is very high.

It is amazing that people sue for a hot cup
of coffee spilling on an older lady, but don't for
loss of billions from incompetent management
or badly designed software/hardware.
There need to be lawsuits against Microsoft
and other hardware/software vendors for these
losses, and soon.

George Davida


Date:         Sun, 21 Mar 2004 19:32:10 -0500
From: Gary Flynn <flynngn () JMU EDU>
Subject: Re: [SECURITY] Improving the Security of Windows Platforms

6. USER EDUCATION AND SECURITY AWARENESS

6.1 Work with Higher Ed to create effective educational materials to
increase (a) understanding of what a computer is, and (b) security and
"good driving" principles.  Written, streaming video, CD-ROM, and DVD
versions should be available.  A goal is "technology literacy" as well
as doing the right thing with regard to security and configuration.
The resulting material should be freely reproducible.


Most importantly, computer operators need to understand the concept of a
program and what it is capable of doing (anything). I know it sounds simple
but there are a lot of people who don't understand. Then follow that up with
where programs can be found and what is involved in trusting them. Without a
strong understanding of that concept, an operator is reduced to a mindless
button pusher and no amount of lists of "safe or unsafe behavior" will be
sufficient as other things change too rapidly. Other important concepts
include:

client
server
use of privileged vs non-privileged accounts

Then, the threat environment must be explained in great detail and with
examples of incidents and repercussions.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

