Firewall Wizards mailing list archives

Re: concerning ~el8 / project mayhem


From: Adam Shostack <adam () homeport org>
Date: Mon, 19 Aug 2002 15:51:48 -0400

On Mon, Aug 19, 2002 at 07:05:46PM +0000, Tina Bird wrote:
| On Mon, 19 Aug 2002, Paul Robertson wrote:
| 
| > That's part of it, but the other point is that very many of the
| > vulnerabilities discovered each year aren't actively exploited, and
| > there's a driver for "find and fix billed by the hour" folks to say patch
| > 1000 *vulnerabilities* instead of upgrading one *product*.  Anyone can
| > upgrade say IIS- so companies who spend money with security consultants
| > don't necessarily want to see them fixing things their staffs should so
| > obviously do rather than something that's not a normal part of their
| > admin's duty, or that's so obviously "too much work."
| >
| 
| This has become a major credibility issue for the security industry.
| We've spent years of time and energy finding vulnerable code, creating
| patches and workarounds for the problems, and in some if not many cases
| really reducing the chances that a particular network will be compromised.
| 
| But put your (well loved) CFO or other high level executive hat on.  For
| the vast majority of these individuals, even during a high-impact event
| like Nimda or SirCam or Melissa, >>their own machines and networks<< were
| relatively unimpacted.  This is clearly an over-simplification, and
| neglects the vast amounts of time and energy it took to repair the damage
| from those attacks.  But Ms. CFO-of-Fortune-500-company was >>mostly<<
| able to read her email and get to the Web sites she cared about during those
| attacks.

| 1) Putting my own and other folks' personal biases aside:  >is< network
| security really a compelling expense for a financially-strapped
| organization?  Clearly the standard dollars-and-sense risk analysis isn't
| a compelling argument, cos' it's been made for years, and the decision
| makers are literally not buying it.

That's a well-framed question, but let me twist it a little:

How much network security is really compelling?

We currently can't measure information security; the best we can do,
and I use the term with irony, is the common criteria, which say I
have this assurance level that I'm this likely screwed.

As Peter Drucker points out, if you can't measure something, you can't
tell if you're effectively improving it.  So the CFO looks at security
and says "This is a black hole."   Rationally, you want to minimize
costs, because if you don't, you just get a never ending stream of
spending.  (It's similar to software in that regard; you can always fix
a few more bugs, spend a little more, get a little more quality, and
never ship.)

Adam




-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

