Re: CyberInsecurity: The cost of Monopoly

[Karl DeBisschop <kdebisschop () alert infoplease com>]

On Sun, 2003-09-28 at 04:20, Florian Weimer wrote:
> On Sat, Sep 27, 2003 at 01:12:01PM -0500, Curt Purdy wrote:
>
> > I think we have lost the point of the thread CyberInsecurity: The Cost of
> > Monopoly which states your exact point that diversity is the most important
> > aspect of network protection.
>
> I often hear such claims, but I'd rather see companies to allocate
> adequate resources to deal with a uniform computing environment.
> Currently, most companies with such an environment do not deploy *any*
> countermeasures.  There was a wide range of options to counter the
> recent malware waves, yet many organziations did nothing.

I may have missed something, but as I read it the article was not so
much espousing diversity in the individual workplace as suggest that
diversity be fostered within the ecosystem. Individual comapnies may or
may not be in a postion where diverse networks make sense for them, but
the disversity should not be optional for nation's infratstructure .

> Diversity is good, sure, but unless you can afford the costs of a
> workforce which is equally skilled on very diverse platforms, you just
> make things worse.

Many (most?) large companies do have skilled unix admins and skilled
windows admins on their staff. And ussally there is a good business
reason for such. In that context, you could read the report as 'where
diversity presently exists in a single network, consider carefully
before excising that diversity for small gains - the unquanitifed gains
of diversity may outweigh the anticipated gain'

> Furthermore, some aspects of diversity are already creating huge
> problems, e.g. mobile devices which are not configured according to
> company guidelines, but are nevertheless connected to the company
> network.

Crunchy shell, soft-chewy insides?

If a network is compromised by friendly employees not adhering to
guidelines, what sorts of things could happen when the device and its
operator are not friendly.

There is a school of thought that we can protect out corporate networks
by making each desktop completely uniform. That may be true, but few
companies have a good system for bringing the apps a user needs to their
desktop. So the networks are protected - and the users equally well
protected from doing their job.

I'll stop there - I've seen too much time lost (months of time lost to
web portal testers because AOL was not an approved browser -- inspite of
the fact that 50% of the portal users had AOL). It ticks me off, and I
don't feel I can talk about it without going into flame mode.

-- 
Karl DeBisschop <kdebisschop () alert infoplease com>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html