Firewall Wizards mailing list archives

Re: tunnel vs open a hole

From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Fri, 11 Apr 2003 10:51:51 -0400

OK, several people have lamented on the state of coding, especially related
to the security industry.  Lots of good comments have passed over my T1, but
I think a simple point has been missed.  Where's the pain?

MS seems to be the example of the week so I'll continue that but this
applies to just about any vendor.  A basic assumption in this email is:
better code, better testing, implies larger cost.

MS IIS has bugs, bugs are reported in the industry news, bugs get fixed.
The issue is the pain of the fixes /break-ins vs. the
retraining/retooling/"better tool" costs weighted by the chance of an
incident, all tempered by the politics.

Ahhh, what politics you say, politics in a technical environment, tsk, tsk
(yeah, right).  Assume I'm a Microsoft-oriented admin and I do NOT want to
learn Unix (or the other way around).  First line of defense when
questioned (IF questioned) by management: we stay on top of the patches and
update regularly.  Second line of defense: hey, the Unix side has bugs too,
see this list from CERT.  Third line of defense: Unix admins cost more and
the boxes are harder to admin because MS has a better GUI.  (Hey, no one
said politics was a clean game.)  So, one issue is political statements as
technical gospel from the 'techies'.  Hell, the typical CEO understands the
MBAs better than he/she understands the IT guys.

Other issues include:  
How many CEOs have lost their job due to an Internet break-in?

How many companies have gone out of business due to a bad security tool
choice (or any other software bugs)?  

How well known is the reason for their demise in their community (not ours)?

What number would the typical CEO choose if asked: "How many Internet
break-in attempts occur at your company every year?"

How many techies have said, "we need X or the sky will fall" yet the sun
came up in the morning?

How many break-in stats are publicly available and what is their
confidence level?

How many break-in COST stats are publicly available and what is their
confidence level?

What is the perception of the failure?  Credit cards were stolen from a CC
processing company; is the perception that the firewall failed, the web server
failed, a human didn't patch, or the company had a screwed CC storage policy?

So basically, WHERE IS THE PAIN?  Better coded/tested toys cost more money
to bring to market, which probably implies more dollars at retail.  On-going real
daily security at the interface level costs dollars every year for
training, bodies, and tools; where's the CEO-level justification?

Hey, we might get broken into, and the cost of clean-up that no one
believes might be high.  Of course, I can't tell you what the chance of a
break-in is because I have no REAL data.  Nor can I give you a good delta
on the chance of approach 1, vs. approach 2 because I have no data.  But I
CAN tell you, or you can read in the news, that "Spiffy tool X" is the
market leader.

Sure, I CAN say that IIS has had more bugs reported than "Competitor A".  I
probably can cost estimate the expense of a switch to the "Competitor A"
product.  I CAN'T say that by spending those X dollars I've decreased the
chance of a break-in by 10% using any HARD data.  Oh, and even if I could,
I can't say what the original chance of a break-in at this company is
BEFORE I reduced it by 10%.  Did we go from 40% to 36% or from 1% to 0.9%?

To the average CEO/COO/CTO the cost of security vs. the value is STILL
black magic.  Some of us have been around the block, some people work in
the industry, we have a good feel for 'worth', but the average guy doesn't
necessarily have either event in his favor.  

With a clue you can make an educated coin-flip-type choice when you first
buy.  Product A's rep sucks, Vendor B isn't thought well of in the
industry, Vendor C is about to go under, Product Q has no mileage yet and is
an unknown.

With connections or other info you can do even better.  Hey, I've swapped
email with the lead guy at Vendor X and I know he has a clue.

But sometimes post-commitment gets difficult to judge.  I already own N
copies of firewall software 'Q'; I can replace them with appliance X at
only N thousand dollars each, plus training.  Is that REALLY a good deal?
How much have I really reduced my risk?  How much have I reduced/increased
my operational costs?  Is it worth it, especially if I've never been broken
into before?

Should I fix/change the firewall, the web server, the staff training
policy, the data retention, where do I apply my $$$ to fix 'the problem',
what does the industry data tell me?  (i.e. is it software, humans, or
process, will changing the software really be worth it?)

So SHOW ME THE DATA, Hell find a way to SHOW EVERYONE THE DATA, make it
clear data and MAYBE we can all be close to the same page on cost vs.
security, vs. software quality.  Some break-ins are attributed to a
firewall failure, some to a web server bug, many to a failure to patch,
many to configuration issues, some to busted process/stupid human tricks.
Right now, given industry news coverage (the main data source for many
executives), most execs would bet on human/process issues as the biggest
threat, not software reliability.  My guess is 'the pain' CEOs see is the
human, NOT the software reliability.  Companies spend money to fix problems,
i.e., reduce pain.  Better software is good at initial buy-in; better
software as a switch implies retraining the 'weak link' and accepting the
pain curve again, so justification is more difficult.

Ah well, I was due for a rant, I apologize for my targeting skills :-).

Oh, and before the counter-rants start: I'm not for or against MS products,
I like stuff that works regardless of vendor; they were an example only.
I'm a CTO, in theory that's the O with a technical clue.  I DO understand
that more reliable software or switches to more idiot-proof user interfaces
can help reduce break-ins; I'm one of the ones that's been around the block.
I'm not stating that switching is not a good thing, I'm saying that CEOs
don't like to toss out investments and training and that some of the
'better' is subjective and hard to quantify in real dollars while the
current investment is easy to quantify.  Fortunately my CEO thinks I have a
clue and is usually willing to listen to reason :-).  OK, fire away.

Dana Nowell     Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313