Firewall Wizards mailing list archives

Re: concerning ~el8 / project mayhem


From: Tina Bird <tbird () precision-guesswork com>
Date: Mon, 19 Aug 2002 19:05:46 +0000 (GMT)

On Mon, 19 Aug 2002, Paul Robertson wrote:

> That's part of it, but the other point is that very many of the
> vulnerabilities discovered each year aren't actively exploited, and
> there's a driver for "find and fix billed by the hour" folks to say patch
> 1000 *vulnerabilities* instead of upgrading one *product*.  Anyone can
> upgrade say IIS- so companies who spend money with security consultants
> don't necessarily want to see them fixing things their staffs should so
> obviously do rather than something that's not a normal part of their
> admin's duty, or that's so obviously "too much work."


This has become a major credibility issue for the security industry.
We've spent years of time and energy finding vulnerable code, creating
patches and workarounds for the problems, and in some if not many cases
really reducing the chances that a particular network will be compromised.

But put your (well loved) CFO or other high level executive hat on.  For
the vast majority of these individuals, even during a high-impact event
like Nimda or SirCam or Melissa, >>their own machines and networks<< were
relatively unimpacted.  This is clearly an over-simplification, and
neglects the vast amounts of time and energy it took to repair the damage
from those attacks.  But Ms. CFO-of-Fortune-500-company was >>mostly<<
able to read her email and get to the Web sites she cared about during those
attacks.

So her reaction to requests for more money to spend on security is "We
don't need it -- things work well enough."

This is the direct consequence of what Paul said -- the majority of
vulnerabilities aren't ever exploited, and those that are are not visible
to the majority of financial decision-makers.

As an industry -- or a community of highly intelligent technologists with
strong opinions about security -- we've followed a really bad path.  So
the real questions are:

1) Putting my own and other folks' personal biases aside:  >is< network
security really a compelling expense for a financially-strapped
organization?  Clearly the standard dollars-and-sense risk analysis isn't
a compelling argument, cos' it's been made for years, and the decision
makers are literally not buying it.

2) How can we present what might boil down to a personal bias (or to quote
Donald Rumsfeld, "These aren't so much requirements as appetites
or desires") in a way which makes the message easier for people whose
machines work "well enough" to hear?

I suppose we could try to assure that more vulnerabilities >get<
exploited, but that leads us right back into that "black hat/white hat"
snarl ;-)

tbird

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

