Full Disclosure mailing list archives

Re: Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly)


From: George Capehart <capegeo () opengroup org>
Date: Mon, 29 Sep 2003 07:52:01 -0400

On Sunday 28 September 2003 03:39 pm, Curt Purdy wrote:
When we get this far off-topic, how about putting up a new subject
line with a was:

<Lurker crawls out from under rock>

I've followed this thread and, especially the recent exchange among 
Michael Zalewski, Frank Knobbe and Florian Weimer.  My initial response 
was to respond to specifics, like, for instance, the first paragraph 
below.  Was going to raise my hand and say:  But what about the DFS?  
As the thread grew, I realized that it is really about my pet peeve:  
The absence of a *real* information security *program* that addresses 
defense-in-depth, security architectures, etc. 
_at_the_enterprise_level_.  I have been in only *one* organization that 
actually had an enterprise security architecture and which built 
systems around it.  But that was only one of many with which I am 
familiar.

Paul Schmehl's lament was that "we as a 'security community' have [not] 
even begun to tackle this problem."  I would submit that, as a 
community, we *have*. All one has to do is to look at the ISO/IEC 
standards, the ANSI standards, the NIST Special Publications, the 
Common Criteria, DITSCAP, COBIT, etc., etc., etc. the WS* standards 
coming out of the W3C and OASIS, the IATFF, etc. to see that we 
understand the problem and have documented almost ad nauseam how to 
deal with it.  The military and intelligence community have been 
practicing "good security" for years.  Even the government is beginning 
to catch on.  IMHO, the problem is *not* with the security community, 
but with the "governance community."

<rant>
The problem is that there is no accountability at the top for allowing 
systems to be run in an insecure manner.  It seems that neither Boards 
of Directors nor C-level corporate officers understand that, these 
days, a significant chunk of the risk that they need to manage arises 
out of their use of IT systems.  Either that, or there is no impetus to 
*really* manage risk at any level.  This is not rocket science.  It is 
risk management.  Risk is not being managed top-down in any structured 
manner.  It is being managed bottom up by a few individuals who care.  
Boards of directors do not ask the tough questions.  For many, 
Information Security is not on the list of things to care about at all.  
C-level officers don't care about it.  If they did, organizations would 
have robust Information Security programs, there would be clear lines 
of accountability and responsibility for the management of risk 
incurred by the operation of IT systems and the "'soft and chewy' 
problem" would be addressed.  
</rant>

My $0.02.

George Capehart

<snip>



-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Paul Schmehl
Sent: Sunday, September 28, 2003 12:20 PM
To: Full Disclosure
Subject: [inbox] Re: [Full-disclosure] CyberInsecurity: The cost of Monopoly


--On Sunday, September 28, 2003 8:14 AM -0400 Karl DeBisschop
<kdebisschop () alert infoplease com> wrote:
Crunchy shell, soft-chewy insides?

I don't think "we" as a "security community" have even begun to
tackle this problem.  We talk about it, but who is *really* doing it?
 For example, if you want to network machines you *have* to use
SMB/NetBIOS for Windows, NFS for Unix, CIFS, or something similar. 
Who is really looking at how to be secure while still allowing
internal machines to talk to each other? Certainly none of the above
protocols qualify as secure.

When a machine is problematic, for whatever reason, the usual
reaction is "block it at the firewall".  But that doesn't protect
that machine from *other* internal machines.  It only protects it
from the outside.  Oh, you might have a firewall that cordons off
accounting from the rest of the enterprise, but *inside* accounting,
you still have the "soft, chewy" problem.

I haven't really seen anything that addresses this problem, and I'm
not aware of anyone who is working on solving it.  For the most part
security thinking is still in the middle ages - build a castle with
moats and outer defensive rings, and staggered entrances to make it
hard for the enemy to get in.  Once he gets in, what does current
security thinking offer?  Not much.

What we need is a paradigm shift in thinking.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
George Capehart

capegeo at opengroup dot org

PGP Key ID: 0x63F0F642          http://pgp.mit.edu
Key fingerprint:  BE7A 9A4A 6A8F 363A BAC5  4866 631B B2F6 63F0 F642

"It is always possible to agglutinate multiple separate problems into a
 single complex interdependent solution.  In most cases this is a bad
 idea."  -- RFC 1925
