Firewall Wizards mailing list archives
Re: concerning ~el8 / project mayhem
From: Adam Shostack <adam () homeport org>
Date: Mon, 19 Aug 2002 15:51:48 -0400
On Mon, Aug 19, 2002 at 07:05:46PM +0000, Tina Bird wrote:
| On Mon, 19 Aug 2002, Paul Robertson wrote:
|
| > That's part of it, but the other point is that very many of the
| > vulnerabilities discovered each year aren't actively exploited, and
| > there's a driver for "find and fix billed by the hour" folks to say patch
| > 1000 *vulnerabilities* instead of upgrading one *product*. Anyone can
| > upgrade say IIS- so companies who spend money with security consultants
| > don't necessarily want to see them fixing things their staffs should so
| > obviously do rather than something that's not a normal part of their
| > admin's duty, or that's so obviously "too much work."
| >
|
| This has become a major credibility issue for the security industry.
| We've spent years of time and energy finding vulnerable code, creating
| patches and workarounds for the problems, and in some if not many cases
| really reducing the chances that a particular network will be compromised.
|
| But put your (well loved) CFO or other high level executive hat on. For
| the vast majority of these individuals, even during a high-impact event
| like Nimda or SirCam or Melissa, >>their own machines and networks<< were
| relatively unimpacted. This is clearly an over-simplification, and
| neglects the vast amounts of time and energy it took to repair the damage
| from those attacks. But Ms. CFO-of-Fortune-500-company was >>mostly<<
| able to read her email and get to the Web sites she cared about during those
| attacks.
|
| 1) Putting my own and other folks' personal biases aside: >is< network
| security really a compelling expense for a financially-strapped
| organization? Clearly the standard dollars-and-sense risk analysis isn't
| a compelling argument, cos' it's been made for years, and the decision
| makers are literally not buying it.

That's a well-framed question, but let me twist it a little: How much
network security is really compelling?

We currently can't measure information security; the best we can do, and
I use the term with irony, is the Common Criteria, which say I have this
assurance level that I'm this likely screwed. As Peter Drucker points
out, if you can't measure something, you can't tell if you're effectively
improving it. So the CFO looks at security and says "This is a black
hole." Rationally, you want to minimize costs, because if you don't, you
just get a never-ending stream of spending. (It's similar to software in
that regard; you can always fix a few more bugs, spend a little more, get
a little more quality, and never ship.)

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards