Firewall Wizards mailing list archives

Re: Worms, Air Gaps and Responsibility


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 06 May 2004 18:43:05 -0400

Mordechai T. Abzug wrote:
I wonder how many "isolated networks" allow laptops to leave the
network and come back with infections? 

I know you're putting "Isolated networks" in quotations because
you don't believe they actually *ARE* isolated networks.

You're exactly right. I talked to a guy at a conference once who
was telling me that they had problems on some high-tech
naval vessel where people were plugging laptops into the
ship's network to try to get their Email, etc, and causing
IP address problems. I, of course, assumed he was kidding -
nobody would be stupid enough to build a mission-critical
backbone for a high-tech naval vessel that had open ports
where people could just walk up to them and plug in, right?
That stuff would all be behind locked wall-plates and all
the switches behind them would have those ports turned
off until an administrator was told to enable it for a specific
reason, right? Right? I'm sure that, since it was the USENIX
reception and we were all drinking beers, the guy was
just trying to see if he could make my head explode...

But seriously, the idea of an "isolated network" or a
"production network" is that you get it right and then
you don't F with it. By that definition, Carson's (and all
the other financial networks) which are in a constant state
of being Fed with - can't be production networks. What
they're doing instead is making a business decision that
FLEXIBILITY is MORE VALUABLE than PREDICTABILITY
and they are willing to pay the price in terms of having
lots of highly-paid experts constantly Fing with their
machines. I spent my share of time consulting for the
stock traders and markets and I know that's how it works. ;)

As I said in an earlier posting, Bill Murray's favorite observation
is "connectivity trumps security every time" -- I think he's
right. Another factor is that the cost of security scales with
the rate of change in the system. The more mobile users
you have, the greater the cost. The more you update or
change or patch or add features, the greater the cost. And
this is above and beyond the cost of system administration.
So what happens is organizations go "wow, that's expensive!
let's just pay the cost to upgrade/patch/add features and F
all that security nonsense." What Carson is saying in
his observations about the turbulent state of financial
computing is merely that they don't value security enough
to make it a primary consideration in their designs.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
