Firewall Wizards mailing list archives

RE: The Future of Security


From: David LeBlanc <dleblanc () mindspring com>
Date: Fri, 03 Dec 1999 10:45:41 -0800

At 09:14 PM 12/1/99 -0500, Randy Witlicki wrote:
 Gary wrote:
..<snip>...
Now before anyone lights the flame throwers, I think it fair to say that
there has been a lot of poor quality work done in the past, and the
complaints come from everywhere you look.  It is not focused on one industry
segment, or about one firm doing the dirty deed etc.  The problem is that
when mediocre work is performed at the fortune 500 level, the trickle down
effect is that we all get a black eye.  So that is why I think that the
market will force so called experts to do a better job.
...<snip>...

I'm interested here about where you say "complaints come from everywhere
you look."
From "inside" (e.g: this mailing list, the Usenix Security conference,
etc. - where the techies are found) - the perspective is that the "poor
quality" comes from things like the InfoSec division of a brand name big
accounting firm sending out an intern with a laptop loaded with ISS (or
some other security scanner) to do an audit of a client.  The network
and system administrators at the client see this and are chuckling
over their coffee or Mt. Dews about the yo-yo sent out to do the audit.

The problem I see is that even the wet-behind-the-ears intern armed with
only a commercial scanner can find enough holes to take over most
operational networks, especially from the inside.  Something the commercial
scanners are no help at all with is how to go get 20,000 problem hosts
actually FIXED.

This is the *stereotype* of poor quality from the techie viewpoint.
Do you think management - whose eyes glaze over when the techies walk
into the room - also think there is rampant poor quality in the Computer
Security racket?  What drives their perceptions?

I think there are a number of problems - 

Scanners and IDS are tools that are still in their infancy.  They are
ridiculously stupid in some ways in their approach to a network.  That's
with bugs and checks that don't work well notwithstanding. IDS is just a
very difficult technical problem.  So we're relying on the equivalent of a
Model T to do our jobs, and if all your tools are home-grown, now we're
talking hand-crafted.

We also make it really hard for end-users and admins to actually implement
security - our (everyone - my employer, and every other OS and app vendor)
whole approach to this seems very rudimentary to me.  I think there will be
a lot of work done to make security something that non-propeller heads can
use.

In terms of poor quality for the people doing security work, you've got all
sorts of issues - there's very high demand for people, so lots of people
who aren't well-qualified end up working in the area.  Then we're talking
about an entire field in its infancy, so there aren't any schools where you
can learn network security in a formal manner - there is no equivalent in
our area to a Harvard MBA, or for that matter even an ASCE certified master
automobile tech.  I'd venture that nearly everyone here has had zero formal
training in network security.  Perhaps a class on Cisco routers, or maybe a
firewall class here and there, but most of what we know almost certainly
comes from the school of hard knocks.  So if nearly everyone is lacking any
formal credentials, how is a user of our services to determine whether
we're competent?


David LeBlanc
dleblanc () mindspring com


