Firewall Wizards mailing list archives
RE: The Future of Security
From: David LeBlanc <dleblanc () mindspring com>
Date: Fri, 03 Dec 1999 10:45:41 -0800
At 09:14 PM 12/1/99 -0500, Randy Witlicki wrote:
Gary wrote: ...<snip>... Now before anyone lights the flame throwers, I think it fair to say that there has been a lot of poor quality work done in the past, and the complaints come from everywhere you look. It is not focused on one industry segment, or about one firm doing the dirty deed, etc. The problem is that when mediocre work is performed at the Fortune 500 level, the trickle-down effect is that we all get a black eye. So that is why I think that the market will force so-called experts to do a better job. ...<snip>...
I'm interested here about where you say "complaints come from everywhere you look." From "inside" (e.g., this mailing list, the Usenix Security conference, etc., where the techies are found) the perspective is that the "poor quality" comes from things like the InfoSec division of a brand-name big accounting firm sending out an intern with a laptop loaded with ISS (or some other security scanner) to do an audit of a client. The network and system administrators at the client see this and are chuckling over their coffee or Mt. Dews about the yo-yo sent out to do the audit.
The problem I see is that even the wet-behind-the-ears intern armed with only a commercial scanner can find enough holes to take over most operational networks, especially from the inside. Something the commercial scanners are no help at all with is how to go get 20,000 problem hosts actually FIXED.
This is the *stereotype* of poor quality from the techie viewpoint. Do you think management, whose eyes glaze over when the techies walk into the room, also think there is rampant poor quality in the Computer Security racket? What drives their perceptions?
I think there are a number of problems. Scanners and IDS are tools that are still in their infancy. They are ridiculously stupid in some ways in their approach to a network. That's with bugs and checks that don't work well notwithstanding. IDS is just a very difficult technical problem. So we're relying on the equivalent of a Model T to do our jobs, and if all your tools are home-grown, now we're talking hand-crafted.

We also make it really hard for end-users and admins to actually implement security. Our (everyone's: my employer's, and every other OS and app vendor's) whole approach to this seems very rudimentary to me. I think there will be a lot of work done to make security something that non-propeller-heads can use.

In terms of poor quality for the people doing security work, you've got all sorts of issues. There's very high demand for people, so lots of people who aren't well-qualified end up working in the area. Then we're talking about an entire field in its infancy, so there aren't any schools where you can learn network security in a formal manner; there is no equivalent in our area to a Harvard MBA, or for that matter even an ASCE certified master automobile tech. I'd venture that nearly everyone here has had zero formal training in network security. Perhaps a class on Cisco routers, or maybe a firewall class here and there, but most of what we know almost certainly comes from the school of hard knocks. So if nearly everyone is lacking any formal credentials, how is a user of our services to determine whether we're competent?

David LeBlanc
dleblanc () mindspring com