Firewall Wizards mailing list archives

Re: Going meta (was RE: Ok, so now we have a firewall...)


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 02 Jun 2005 19:57:30 -0400

Dave Piscitello wrote:
> If you want to minimize compromise, increase accountability.

*Absolutely*

I think hardly a month goes by in which I don't make myself unpopular
with a comment in SANS' "Newsbytes" along the lines of "some senior
IT manager needs to be fired" whenever there's an article about some
new security failure in a federal agency. When you look at the shabby
state of federal government security it totally reflects your observation:
there are no downsides to being lame, and being lame is easy, so
everyone is lame.

This is one of those cases where "bring in the lawyers" is not the
answer. Just fire off some pink slips heading for the top of the chain
of management, and the message will get across very quickly.

Want to know something shocking that won't surprise anyone on
this list?  I've yet to hear of a senior IT manager or business unit
manager and *especially* no federal IT manager that lost their job
over one of the big-name worm infections.  Here we all heard horror
stories of mission critical networks augering into the ground, ATM
networks taken off line, web sites flooded, etc. A lot of the system
and network guys in the trenches got hammered and lost their
weekends but did any CTOs get whacked for overseeing the
construction of a network that's so lame it can't resist a worm?
Did any IT managers lose their jobs for having blown off their
security guys who said, "hey... moron... default deny, get it?"
Of course not.

I can't count the number of times I've heard security guys tell
me about having Some Dumb Thing Or Other done on their
network in spite of their better advice. Balance that against
the fact that I've never ONCE heard of a head rolling because
the security guy's advice was ignored. So what message does
that send?

Yeah, accountability would be good. 

[Permit versus deny logic]
> Where's the accountability and consequence in this policy?

Accountability only matters in a technical environment where
it's possible to choose between doing the right thing and doing
the wrong thing. At a management level, then, accountability
makes sense. At the technology level, it doesn't. Technology
should be configured to only allow the right thing.

> Why don't we start adding quantitative consequences when we murmur
> our favorite security mantra?
>
> "that which is not expressly permitted is prohibited"
>
> AND
>
> 1) "the consequence of intentionally doing what is prohibited is
> termination of employment"

This should have always been the case. Usually we want to
assume it is. I always find it amazing when such rules are not
scrupulously enforced. If you don't enforce them, why make them?
And, if you've made them, why even allow an option of ignoring
them?

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

