Firewall Wizards mailing list archives
Re: Going meta (was RE: Ok, so now we have a firewall...)
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 02 Jun 2005 19:57:30 -0400
Dave Piscitello wrote:

> If you want to minimize compromise, increase accountability.

*Absolutely* I think hardly a month goes by in which I don't make myself unpopular with a comment in SANS' "Newsbytes" along the lines of "some senior IT manager needs to be fired" whenever there's an article about some new security failure in a federal agency. When you look at the shabby state of federal government security it totally reflects your observation: there are no downsides to being lame, and being lame is easy, so everyone is lame. This is one of those cases where "bring in the lawyers" is not the answer. Just fire off some pink slips heading for the top of the chain of management, and the message will get across very quickly.

Want to know something shocking that won't surprise anyone on this list? I've yet to hear of a senior IT manager or business unit manager and *especially* no federal IT manager that lost their job over one of the big-name worm infections. Here we all heard horror stories of mission critical networks augering into the ground, ATM networks taken offline, web sites flooded, etc. A lot of the system and network guys in the trenches got hammered and lost their weekends but did any CTOs get whacked for overseeing the construction of a network that's so lame it can't resist a worm? Did any IT managers lose their jobs for having blown off their security guys who said, "hey... moron... default deny, get it?" Of course not.

I can't count the number of times I've heard security guys tell me about having Some Dumb Thing Or Other done on their network in spite of their better advice. Balance that against the fact that I've never ONCE heard of a head rolling because the security guy's advice was ignored. So what message does that send? Yeah, accountability would be good.

[Permit versus deny logic]

> Where's the accountability and consequence in this policy?

Accountability only matters in a technical environment where it's possible to choose between doing the right thing and doing the wrong thing. At a management level, then, accountability makes sense. At the technology level, it doesn't. Technology should be configured to only allow the right thing.

> Why don't we start adding quantitative consequences when we murmur our favorite security mantra? "that which is not expressly permitted is prohibited" AND 1) "the consequence of intentionally doing what is prohibited is termination of employment"

This should have always been the case. Usually we want to assume it is. I always find it amazing when such rules are not scrupulously enforced. If you don't enforce them, why make them? And, if you've made them, why even allow an option of ignoring them?

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
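The "that which is not expressly permitted is prohibited" mantra and the "technology should be configured to only allow the right thing" point above come down to a first-match rule set with a default policy. The following is an added example, not code from the list post or from any real firewall: a toy packet filter whose `Packet`, `Rule` and `Firewall` types, rule syntax, addresses and sample traffic are all constructed for illustration. It runs the same explicit allow list once with a default ACCEPT policy and once with a default DROP policy, and logs every packet that falls through to the default so there is a record of what nobody expressly decided on.

```python
"""Default-deny versus default-allow, modelled as a tiny first-match packet filter.

Added example, not from the list post. The rule syntax, the Packet/Rule/Firewall
types and the sample traffic are constructed for illustration and are not any
real firewall's format.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "ACCEPT" or "DROP"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    dst: Optional[str] = None     # None matches any destination host

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.dst is None or self.dst == p.dst))


@dataclass
class Firewall:
    rules: List[Rule]
    default: str                  # policy applied when no rule matches
    log: List[str] = field(default_factory=list)

    def filter(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        # Nothing expressly permits or prohibits this traffic, so the default
        # policy decides. Logging the fall-through is what later lets you show
        # who sent what to a service nobody asked to expose.
        self.log.append(f"default={self.default} {p.proto} {p.src}->{p.dst}:{p.dport}")
        return self.default


# The only traffic the business actually asked for (constructed): web and mail to DMZ hosts.
EXPRESSLY_PERMITTED = [
    Rule("ACCEPT", proto="tcp", dport=80, dst="10.0.1.10"),
    Rule("ACCEPT", proto="tcp", dport=443, dst="10.0.1.10"),
    Rule("ACCEPT", proto="tcp", dport=25, dst="10.0.1.20"),
]

# Constructed sample traffic: one legitimate web request, and one connection to a
# host and port that never appeared in any request for access.
TRAFFIC = [
    Packet("198.51.100.7", "10.0.1.10", "tcp", 443),
    Packet("198.51.100.9", "10.0.1.30", "tcp", 445),
]


def run_policy(default: str) -> Dict[str, object]:
    """Apply the allow list under the given default policy.

    Returns the verdict per destination plus the fall-through log.
    """
    fw = Firewall(rules=list(EXPRESSLY_PERMITTED), default=default)
    verdicts = {f"{p.dst}:{p.dport}": fw.filter(p) for p in TRAFFIC}
    return {"verdicts": verdicts, "log": fw.log}


if __name__ == "__main__":
    for policy in ("ACCEPT", "DROP"):
        result = run_policy(policy)
        print(f"default {policy}: {result['verdicts']}")
        for line in result["log"]:
            print("   fall-through:", line)
```

With default ACCEPT the unrequested connection to 10.0.1.30:445 goes through even though no one ever decided it should; with default DROP the identical allow list blocks it, and the log line is the artifact that lets a manager be held to account for whatever was, or was not, expressly permitted.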