Firewall Wizards mailing list archives
Re: iso 17799
From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 21 Jul 2004 06:13:40 -0400 (EDT)
On Tue, 20 Jul 2004, Marcus J. Ranum wrote:
> Well, there are 2 ways to negate 90% of your risk:
> a) do a few simple, obvious things that are not very fun
Hey, they're perfectly fun if you get to make lusers whine by doing them!
> -or- b) spend a ton of money on products and process
>
> Let me try to explain it a different way: Computer security, as it's done today by most practitioners, is fundamentally a con. It's a con the same way that most diet foods
I don't think it's that pointed. The products generally do what they're supposed to (unless they're new, then they generally do some of what they're supposed to, but not nearly enough to be complete...) It's just that what they're supposed to do is generally not the most efficient way to reduce risk. [snip]
> Well, security's the same way: if you only do smart safe stuff, you won't get hacked. If you buy a $100,000 security doo-dad that makes sure you only do smart safe stuff, you won't get hacked.
See, that "makes sure" bit is the key, and the main issue is that people tend to think that saying "no." is difficult, so they'll go spend lots of money instead of using a two-letter word. Here's the typical conversation at my last company:

Supplicant: "Hey! I've got a great idea that'll save us money and make new business and be really cool!"
Paul: "No."
Supplicant's boss: "Hey! $luser's got this great idea..."
Paul: "No."
Whining chorus: "Whyyyyyy not?????"
Paul: "It's against my security policy."
$flackey: "$CEO wants to be able to IM his kids..."
Paul: "No."
$flackey: "But he's the CEO!"
Paul: "Yes, he is. No."

See, that single syllable is seen as "politically expensive," and rather than uttering it to folks far and wide, there's a drive to go buy something that makes $dangerous_thing possible, and either tells you when something bad happened, or tries to stop something bad from happening.
> But the actual presence of the $100,000 doo-dad has relatively little to do with it other than making the vendor happy and giving the stupid suits you work for something to point at that has neat-o blinky lights. It's a con.
I think it's got more to do with the above than with blinky lights. I think we lost the blinky light phase ~5 years ago.
> Simple, obvious things:
> 1) Make your network originate-only except for a very very very very (is that enough "very"s?) small handful of services
>    a) lock down those services
>    b) log usage of those services
>    c) put error detection into service-specific places on those services (hey, you can even call it "intrusion detection" if you want to make Gartner happy)
d) Separate those services from the network around them as much as possible.
> 2) Know what's going on in your network
>    a) know who normally talks to whom
Unnecessary. Allow only those things which need to talk to each other to do so. Segment by segment is good enough.
>    b) log usage of your network and look at those logs
Nobody does it, nobody can do it on a reasonably large network.
>    c) know your security policy as well as normal usage
>    d) look in your logs for indications that your policy is being violated (burglar alarms)
Spoken like an ex-alarm salesman ;) Test your controls. If they can't do it, then there's an argument for ignoring all but the most flagrant attempts. It is good, however, to spot-check and apply corrective action to those who'd do it their way, as it discourages a great deal of experimentation. I used to like to show up at someone's boss' office, get the miscreant in there, then say "Can you explain why you were trying to log into my firewall..."
> 3) Your policy should be "deny all"
Clarification: Your INBOUND *AND* OUTBOUND policy should be...
>    a) only permit it if it needs to be permitted
> 4) Internally compartment your network
>    a) mission critical machines should be behind screening routers, on separate networks, with a bare minimum (zero is a good start..) of services back and forth
>    b) audit all traffic between mission critical systems and non-critical systems
Spoken like an auditor! ;) [snip]
>    d) production systems 101:
>    10 SET IT UP
>    20 MAKE IT WORK
25 BACK UP THE CONFIGURATION NOW
>    30 IF WORKING THEN
>    40 DON'T F- WITH IT
>    50 ENDIF
>    60 IF NOT WORKING
>    70 FIX IT
>    80 GOTO 20
>    90 ENDIF
>    it's that BASIC (ok, that was a bad one...)
> 10) Why on earth would you have roaming users connecting straight into your corporate WAN after they have been at home surfing pornsites and downloading Warez?
>    a) mobile users go on a separate network
> 11) Antivirus software is good
>    a) updating it 4X / day is not necessary
>    b) updating it 1X / week works fine but especially when combined with stripping attachments (see above)
> 12) No, your users do NOT need that stupid new chat/file sharing/ net-meeting/remote-control/powerpoint sales tool/virtual FAX garbage - it IS dangerous
>> IMO, the 'push for standards' is because the field is exploding AND maturing and many, many, newbies are being thrown in to the fire everyday.
I think it's just a logic flaw: We don't know what to do, so we need someone to tell us- if they tell us the same thing every time, it must be right- let's make that a standard, because if everyone else does it, it must be right! Only in IT is everyone else doing it a good reason for jumping off a cliff.
> Well, part of it is because some of us (heya Paul! Fred! Steve! Michael!) have been singing basically the same song for ever.
It's the NO song! "No! No! No! Not on MY network! No! No! No!"
> I published a few verses of it above. We've been singing the song through rain and snow and we've been right all along. And when people ask for a solution, what they're really saying is "We don't LIKE the rules of the jungle! Surely if I just buy this new $100,000 doo-dad then I can rewrite them so they no longer apply to me!" Nu-huh.
I think the success of that particular issue is due to the "the chance of this particular piece of risky behavior causing me harm is so low that I can do it and say 'yeah, but nothing happened to me!' and blame my success on either saying yes, or that Intrudomorphic Security Network Hall Monitor 5000."

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
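The "burglar alarm" and "test your controls" points in the exchange above, as an added example that is not from the thread or its authors: a short Python pass over constructed netfilter-style firewall log lines that surfaces the two things worth a human's attention under a deny-all in/out policy, repeated outbound drops (someone keeps trying what the policy never allowed) and any attempt to reach the firewall's own management service. The log line format, the firewall address 10.0.0.1 and ssh on port 22 as its management service are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread), modelled on the Linux
# netfilter LOG format. The firewall's own management service is assumed
# to be ssh on 10.0.0.1; both values are assumptions for the example.
FIREWALL_MGMT = ("10.0.0.1", 22)
SAMPLE_LOG = """\
Jul 21 06:01:10 fw kernel: DROP-OUT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.9 PROTO=TCP SPT=51234 DPT=6667
Jul 21 06:01:11 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=25
Jul 21 06:01:12 fw kernel: DROP-IN IN=eth1 OUT= SRC=10.0.5.23 DST=10.0.0.1 PROTO=TCP SPT=51240 DPT=22
Jul 21 06:01:13 fw kernel: DROP-OUT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.9 PROTO=TCP SPT=51235 DPT=6667
Jul 21 06:01:14 fw kernel: DROP-IN IN=eth1 OUT= SRC=10.0.5.77 DST=10.0.0.1 PROTO=TCP SPT=40001 DPT=22
Jul 21 06:01:15 fw kernel: DROP-OUT IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=192.0.2.5 PROTO=UDP SPT=1024 DPT=5190
"""

LINE_RE = re.compile(
    r"kernel: (?P<action>\S+) IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Return the netfilter fields of one log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec

def policy_violations(log_text):
    """Count dropped flows per (src, dst, proto, dport) and per-source
    attempts to reach the firewall's own management service."""
    outbound, mgmt = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["action"].startswith("DROP"):
            continue
        if rec["out"]:  # an egress interface means the packet was leaving
            outbound[(rec["src"], rec["dst"], rec["proto"], rec["dpt"])] += 1
        if (rec["dst"], rec["dpt"]) == FIREWALL_MGMT:
            mgmt[rec["src"]] += 1
    return outbound, mgmt

def report(log_text, min_hits=2):
    """The short list a human can read: flows blocked at least min_hits
    times, and every host that touched the firewall's management port."""
    outbound, mgmt = policy_violations(log_text)
    repeat = sorted(flow for flow, n in outbound.items() if n >= min_hits)
    return repeat, sorted(mgmt)
```

Run `report(SAMPLE_LOG)` and the single repeat offender and the two hosts that tried the firewall's ssh port come back as two short lists, which is the spot-check Paul describes rather than an attempt to read every line.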