Firewall Wizards mailing list archives
Re: Going meta (was RE: Ok, so now we have a firewall...)
From: "Dave Piscitello" <dave () corecom com>
Date: Thu, 02 Jun 2005 17:35:52 -0400
If you want to minimize compromise, increase accountability. Anecdotal evidence from companies I've observed doing a good job securing networks and systems leads me to conclude that improving security is a lot like raising children, esp. teens (I have two, lead youth mission trips but would not claim to be an authority, merely an observer of many situations with positive and negative outcomes). Given broad choices, little direction, and no consequences, teens are more likely to choose poorly. Sounds like a "that which is not prohibited is permitted" policy, doesn't it?

But the key that I think we continue to overlook is that even the practice most list-readers here believe is better - that which is not expressly permitted is prohibited - is incomplete. Where's the accountability and consequence in this policy? Why don't we start adding quantitative consequences when we murmur our favorite security mantra?

"That which is not expressly permitted is prohibited AND

1) the consequence of intentionally doing what is prohibited is termination of employment

2) the consequence of repeatedly unintentionally doing what is prohibited is also termination (you are too {stupid | impulsive | slothful} to be employed here)

3) ..."

(Marcus has been quite creative on occasion regarding consequences, so he can fill in 3) and beyond.)

I'm not being whimsical here. We live in a society where 70% of people willingly revealed their usernames and passwords for Cadbury bars. If exposing your organization to attack from an authorized account is only worth a few bucks... If folks worried that they might never taste chocolate again, well, maybe security might improve. (Google "Low-Tech Password Cracker: Chocolate", April 20, 2004.)

On 2 Jun 2005 at 13:36, Marcus J. Ranum wrote:
> I am totally sympathetic to the plight of the security practitioner who isn't willing to put his job on the line by telling the CTO he's a moron. I completely understand why people feel they need to compromise. But I still think compromise is for sissies.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards