Firewall Wizards mailing list archives
Re: concerning ~el8 / project mayhem
From: Tina Bird <tbird () precision-guesswork com>
Date: Mon, 19 Aug 2002 19:05:46 +0000 (GMT)
On Mon, 19 Aug 2002, Paul Robertson wrote:
> That's part of it, but the other point is that very many of the vulnerabilities discovered each year aren't actively exploited, and there's a driver for "find and fix billed by the hour" folks to say patch 1000 *vulnerabilities* instead of upgrading one *product*. Anyone can upgrade say IIS- so companies who spend money with security consultants don't necessarily want to see them fixing things their staffs should so obviously do rather than something that's not a normal part of their admin's duty, or that's so obviously "too much work."
This has become a major credibility issue for the security industry. We've spent years of time and energy finding vulnerable code, creating patches and workarounds for the problems, and in some if not many cases really reducing the chances that a particular network will be compromised.

But put your (well loved) CFO or other high-level executive hat on. For the vast majority of these individuals, even during a high-impact event like Nimda or SirCam or Melissa, >>their own machines and networks<< were relatively unimpacted. This is clearly an over-simplification, and neglects the vast amounts of time and energy it took to repair the damage from those attacks. But Ms. CFO-of-Fortune-500-company was >>mostly<< able to read her email and get to the Web sites she cared about during those attacks. So her reaction to requests for more money to spend on security is "We don't need it -- things work well enough."

This is the direct consequence of what Paul said -- the majority of vulnerabilities aren't ever exploited, and those that are are not visible to the majority of financial decision-makers. As an industry -- or a community of highly intelligent technologists with strong opinions about security -- we've followed a really bad path.

So the real questions are:

1) Putting my own and other folks' personal biases aside: >is< network security really a compelling expense for a financially-strapped organization? Clearly the standard dollars-and-sense risk analysis isn't a compelling argument, cos' it's been made for years, and the decision makers are literally not buying it.

2) How can we present what might boil down to a personal bias (or to quote Donald Rumsfeld, "These aren't so much requirements as appetites or desires") in a way which makes the message easier for people whose machines work "well enough" to hear?
I suppose we could try to assure that more vulnerabilities >get< exploited, but that leads us right back into that "black hat/white hat" snarl ;-)

tbird

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards