Firewall Wizards mailing list archives

RE: The Future of Security


From: Eric Budke <budke () budke com>
Date: Thu, 02 Dec 1999 12:47:24 -0500

At 09:14 PM 12/1/99 , Randy Witlicki wrote:

  I'm interested here about where you say "complaints come from everywhere
you look."
  From "inside" (e.g: this mailing list, the Usenix Security conference,
etc. - where the techies are found) - the perspective is that the "poor
quality" comes from things like the InfoSec division of a brand name big
accounting firm sending out an intern with a laptop loaded with ISS (or
some other security scanner) to do an audit of a client.  The network
and system administrators at the client see this and are chuckling
over their coffee or Mt. Dews about the yoo-yoo sent out to do the audit.
This is the *stereotype* of poor quality from the techie viewpoint.

Well, as a semi-current techie who's currently at one of the accounting firms (not as an intern), I haven't run into a lot of clients who would appear to be active readers of this list or others like it. I'm not sure how many other people use their personal email accounts on lists like this, but if you look at many of the "from" addresses, there isn't much Fortune 500 penetration. I suppose for the list it is a good thing (quality is up). But regardless of what may seem like the outrageous rates we charge, there are a lot of sites that have trouble keeping some fairly static systems up, let alone closing off r-services.

Not that we enjoy sitting there running the scanner every now and then, but why, if the administrator community (as a whole) is so good, do the scanners generate so many findings when they are run on a network? A commercial scanner is a commercial scanner. They ARE available outside of the consulting firms. Many of them even give partial how-to's in fixing the problems...yet there are still a bunch of findings.

I'm sure that there are all sorts of excuses for the current state of many of the problems. But the blame is easy to place all over the place. Vendors and administrator/users have tons of problems with incompatibility. Very few solutions scale well, and it is rare that it is easy. Users blame vendors, vendors blame users.

If there were an overabundance of people doing good quality work, we'd have to find a different profession. Remember that what may seem easy to you is often black magic to most others. Try going back and explaining to a grandmother over the phone the concept of a reply button in an email program. I think she's looking for the key on the keyboard (bringing images of Homer searching for the any-key).

  Do you think management - whose eyes glaze over when the techies walk
into the room - also think there is rampant poor quality in the Computer
Security racket?  What drives their perceptions?

I'm not sure many of them even think there is a problem with computer security. But for those that do, it isn't hard to point to the press. Between Forbes, Time, Newsweek, and your daily paper, there has been an ever increasing number of articles (assuming they can read).

  Yours in asking for hundreds of dollars per hour without blinking,

  - Randy


--
PGP Key can be found at http://www.budke.com/pgp/budke_budke_com.txt
