Firewall Wizards mailing list archives

Re: Ok, so now we have a firewall, we're safe, right?


From: Chris Blask <chris () blask org>
Date: Tue, 31 May 2005 19:46:58 -0400

Hey Fritz!

At 08:23 AM 5/31/2005, Fritz Ames wrote:
> Ben,
> Along with the part that stays the same is the part about getting a business to change its approach to security, or, "How does the security zealot at the company sell their position?" Sure it sells faster (somewhat, and for a little while) when there is a traumatic event, but then the large-scale traumatic events, as you pointed out, have been mere nuisances to-date. How does our hero pitch the solution to preventing annihilation by the "Code-Red-that-steals-your-data-nukes-your-hard-drive-and-then-steals-your-wife,-and-unplugs-the-fridge on-the-way-out" trojan?

Well, it isn't easy.

People don't worry about theoretical threats very much, and usually they are proven right. Even if someone else does lose an arm eventually, they all pause, someone develops the Arm-Shield [tm], they are installed on all new Things and people go back to doing the same stuff with new gear.

We got a problem because:

o  we haven't designed all the gear we need, yet
o  most of what we have isn't finished
o  the people using our toy have gotten way ahead of us
o  they only vaguely know how to use what we've given them
o  and they don't know which bits of flooring are just old particle board someone threw down on their way to fixing a roller coaster.

But we built the thing for them ("they" include your parents and children, so don't deny it), therefore we can't get too annoyed with them. We just hafta keep building as it's being used and trying to get the casualty rate down from the "Drunk Freehand Rock Climbing" level to somewhere around bungee jumping...

> It's the same old problem. "Here's your new fire extinguisher budget..." I get the sense that *really* going after the education of the users is the opportunity to make the biggest difference. (The biggest difference? Really?)

Yes.

Savvy users will be less likely to click on that link to Hades. Savvy users who run companies will have better ideas of how to evaluate their risks and their mitigations--and spend their dollars more carefully. Savvy users who run companies and who read "MJR/Fred/Paul" will buy less marketing hype, less BS process and documentation masquerading as security, and more secure systems. Savvy network admins will... Savvy DB folks will... Savvy Web site folks will... Savvy developers will... All those folks out there who are busy doing their jobs, getting things done, building real stuff, and who haven't had time or inclination to really get security will catch on and...

Sounds corny, eh? :-)

Still true.

> OK, so this has been tried before.  ...or has it?

Not really (the Queen of Ants would say "never in the history of time").

> There's got to be some kind of candy to lure people in to like learning it.

There's lots of candy, it's just a big job. Security is sexy and exciting - we're lucky in a way because *everyone* has had a conversation about hackers (or seen a bad movie), and has a base set of memes. Those memes are as well developed as "green men live on Mars", but at least they know that Mars is a planet and have some concept of what that means, so giving them a working understanding of the universe isn't impossible.

[I've been doing this with a series of nieces and nephews for a decade or so now with general success, despite the dreck of superstition, hearsay and base falsehoods they otherwise vaguely acquire. "Universe go boom, no-one discernible says 'let there be Helium!', dust clumps up, 1st gen stars=Heavy Metals, 2nd gen stars=Michelangelo. Welcome to Entropy, enjoy your stay." :-]

> So increasing security awareness isn't directly relevant to firewall technology ...in the hardware sense. But if not us, who? If not now, when? Ah! To heck with it. I can't make it work if better minds than mine haven't succeeded in this area. Please pass the fire extinguisher...

There aren't better minds than yours, and if there are, half an effort by ten people carrying Clue badges is likely to have more effect than heroic efforts by an Einstein.

It's just a long bloody walk carrying a really heavy pack with pointy bits in the wrong places while occasionally getting yelled at for it by people who don't know where you are going, what you are carrying or why, but who benefit from your efforts. If you notice, people say thanks and bring you a beer sometimes as well - and you like the work or you wouldn't be doing it, so it's not all that bad a lifestyle.

Go sailing for a year if you have to, but don't give up the fight. As far as work goes, infosec beats coding business apps (or carrying heavy packs) by a mile.

-cheers!

-chris


Chris Blask
chris () blask org
http://blaskworks.blogspot.com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
