Firewall Wizards mailing list archives

Re: iso 17799


From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 21 Jul 2004 06:13:40 -0400 (EDT)

On Tue, 20 Jul 2004, Marcus J. Ranum wrote:

Well, there are 2 ways to negate 90% of your risk:
        a) do a few simple, obvious things that are not very fun

Hey, they're perfectly fun if you get to make lusers whine by doing them!

        -or-
        b) spend a ton of money on products and process

Let me try to explain it a different way:
        Computer security, as it's done today by most practitioners, is
fundamentally a con. It's a con the same way that most diet foods

I don't think it's that pointed.  The products generally do what they're
supposed to (unless they're new, then they generally do some of what
they're supposed to, but not nearly enough to be complete...)  It's just
that what they're supposed to do is generally not the most efficient way
to reduce risk.

[snip]

Well, security's the same way: if you only do smart safe stuff,
you won't get hacked. If you buy a $100,000 security doo-dad
that makes sure you only do smart safe stuff, you won't get hacked.

See, that "makes sure" bit is the key- and the main issue is that people
tend to think that saying "no." is difficult, so they'll go spend lots of
money instead of using a two letter word.

Here's the typical conversation at my last company:

Supplicant:  "Hey!  I've got a great idea that'll save us money and make
new business and be really cool!"

Paul: "No."

Supplicant's boss: "Hey!  $luser's got this great idea..."

Paul: "No."

Whining chorus: "Whyyyyyy not?????"

Paul: "It's against my security policy."

$flackey: "$CEO wants to be able to IM his kids..."

Paul: "No."

$flackey: "But he's the CEO!"

Paul: "Yes, he is.  No."

See, that single syllable is seen as "politically expensive," and rather
than uttering it to folks far and wide, there's a drive to go buy
something that makes $dangerous_thing possible, and either tells you when
something bad happened, or tries to stop something bad from happening.

But the actual presence of the $100,000 doo-dad has relatively
little to do with it other than making the vendor happy and giving
the stupid suits you work for something to point at that has
neat-o blinky lights. It's a con.

I think it's got more to do with the above than with blinky lights.  I
think we lost the blinky light phase ~5 years ago.

        Simple, obvious things:
        1) Make your network originate-only except for a very very
                very very (is that enough "very"s?) small handful
                of services
                a) lock down those services
                b) log usage of those services
                c) put error detection into service-specific places on
                        those services (hey, you can even call it
                        "intrusion detection" if you want to make
                        Gartner happy)
                  d) Separate those services from the network around them
                     as much as possible.

        2) Know what's going on in your network
                a) know who normally talks to whom

Unnecessary.  Allow only those things which need to talk to each other to do
so.  Segment by segment is good enough.

                b) log usage of your network and look at those logs

Nobody does it, nobody can do it on a reasonably large network.

                c) know your security policy as well as normal usage
                d) look in your logs for indications that your policy is
                        being violated (burglar alarms)

Spoken like an ex-alarm salesman ;)

Test your controls.  If they can't do it, then there's an argument for
ignoring all but the most flagrant attempts.  It is good however, to
spot-check and apply corrective action to those who'd do it their way- as
it discourages a great deal of experimentation.

I used to like to show up at someone's boss' office, get the miscreant in
there, then say "Can you explain why you were trying to log into my
firewall..."


        3) Your policy should be "deny all"

Clarification:  Your INBOUND *AND* OUTBOUND policy should be...

                a) only permit it if it needs to be permitted
        4) Internally compartment your network
                a) mission critical machines should be behind
                        screening routers, on separate networks,
                        with a bare minimum (zero is a good start..)
                        of services back and forth
                b) audit all traffic between mission critical systems and
                        non-critical systems

Spoken like an auditor!  ;)

[snip]

                d) production systems 101:
                        10 SET IT UP
                        20 MAKE IT WORK
                          25 BACK UP THE CONFIGURATION NOW
                        30 IF WORKING THEN
                        40      DON'T F- WITH IT
                        50 ENDIF
                        60 IF NOT WORKING
                        70      FIX IT
                        80      GOTO 20
                        90 ENDIF
                        it's that BASIC (ok, that was a bad one...)
        10) Why on earth would you have roaming users connecting
                straight into your corporate WAN after they have been
                at home surfing pornsites and downloading Warez?
                a) mobile users go on a separate network
        11) Antivirus software is good
                a) updating it 4X / day is not necessary
                b) updating it 1X / week works fine but especially
                        when combined with stripping attachments
                        (see above)
        12) No, your users do NOT need that stupid new chat/file sharing/
                net-meeting/remote-control/powerpoint sales tool/virtual FAX
                garbage - it IS dangerous


IMO, the 'push for standards' is because the field is exploding AND
maturing and many, many, newbies are being thrown in to the fire everyday.

I think it's just a logic flaw:  We don't know what to do, so we need
someone to tell us- if they tell us the same thing every time, it must be
right- let's make that a standard, because if everyone else does it, it
must be right!

Only in IT is everyone else doing it a good reason for jumping off a
cliff.

Well, part of it is because some of us (heya Paul! Fred! Steve!
Michael!) have been singing basically the same song for ever.

It's the NO song!  "No! No! No! Not on MY network! No! No! No!"

I published a few verses of it above. We've been singing the
song through rain and snow and we've been right all along.
And when people ask for a solution, what they're really saying
is "We don't LIKE the rules of the jungle! Surely if I just buy
this new $100,000 doo-dad then I can rewrite them so they
no longer apply to me!"   Nu-huh.

I think the success of that particular issue is due to "the chance of
this particular piece of risky behavior causing me harm is so low that I
can do it and say 'yeah, but nothing happened to me!' and blame my success
on either saying yes, or that Intrudomorphic Security Network Hall Monitor
5000."

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
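As an added illustration of items 2d, 3 and 4b above (deny-all inbound AND outbound, permit only what needs permitting, audit everything crossing the mission-critical boundary), and not code from either poster: a small Python policy check run over constructed flow records. The segments, addresses, ports and log format are assumptions.

```python
import ipaddress

# Constructed segments; the addresses are assumptions, not from the thread.
SEGMENTS = {
    "users": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),       # the small handful of services
    "critical": ipaddress.ip_network("10.3.0.0/24"),  # behind its own screening router
}

# The whole policy, inbound AND outbound, as (src segment, dst segment, proto, dport);
# anything not listed is denied ("only permit it if it needs to be permitted").
ALLOW = {
    ("users", "internet", "tcp", 80), ("users", "internet", "tcp", 443),
    ("users", "dmz", "tcp", 25), ("dmz", "internet", "tcp", 25),
    ("internet", "dmz", "tcp", 25),    # the one inbound service
    ("users", "critical", "tcp", 22),  # the "bare minimum" back and forth
}

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"  # everything outside our own segments

def check_flow(src, dst, proto, dport):
    # "deny": not in ALLOW.  "audit": crosses the critical boundary, even when permitted.
    s, d = segment_of(src), segment_of(dst)
    findings = []
    if (s, d, proto, dport) not in ALLOW:
        findings.append("deny")
    if "critical" in (s, d) and s != d:
        findings.append("audit")
    return s, d, findings

def review_log(lines):
    # Look in the logs for indications that the policy is being violated (item 2d).
    report = []
    for line in lines:
        ts, src, dst, proto, dport = line.split()  # "<time> <src> <dst> <proto> <dport>"
        s, d, findings = check_flow(src, dst, proto, int(dport))
        if findings:
            report.append((ts, s, d, proto, int(dport), tuple(findings)))
    return report

SAMPLE_LOG = [  # constructed flow records
    "06:13:41 10.1.5.7 198.51.100.9 tcp 5190",  # outbound IM: denied
    "06:13:42 203.0.113.4 10.2.0.10 tcp 25",    # permitted inbound mail: silent
    "06:13:43 203.0.113.4 10.3.0.5 tcp 22",     # inbound to critical: denied and audited
    "06:13:44 10.1.9.2 10.3.0.5 tcp 22",        # permitted admin access, still audited
]
```

Permitted flows that do not touch the critical segment produce no output; everything else is the "burglar alarm" to follow up on.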