Full Disclosure mailing list archives
(no subject)
From: Jim Burnes <jvburnes () yahoo com>
Date: Thu, 18 Mar 2004 15:05:51 -0800 (PST)
Actually, what is really needed and primarily missing from the security picture is:

1. Risk Analysis/Computation and communication with the business side.
2. INFOSEC department reporting directly to the board or CFO with some sort of impedance-matched engagement with networking/systems/development.

The primary problem with information security is that the business side of most corporations is participating in IT-supported markets without knowing what kind of risk they are signing onto. They are essentially swimming in an unknown risk pool. Why is that? Because many IT security departments are buried in the IT infrastructure, where they are immersed in technological solutions. They know they need more budget to do things right, but few have a good quantitative basis for justifying their decisions. Without this, they can't get budget and are reduced to groveling for the table scraps from other IT departments and looking like Chicken Little because they have no rational metrics. (Not that this has ever happened to me ;-)

Just about any security solution you can imagine can be resolved by rationally looking at the numbers. Very few people are doing this because engineers don't generally speak business speak and businessmen don't speak geek. *But*, both groups have taken their share of statistics courses and this is the common ground of intelligent risk taking. So the next time someone asks whether Win2K3 is justified, you can speak like an engineer and not a religious fanatic.

I know it feels good to say, "XYZ company has *#$# for brains. They don't care about security and are costing us a fortune." Maybe you are right. Maybe it's a huge risk and not worth the cost. But think how much more effective you can be if you say, "by using the Fumblewidget System Server we will decrease value at risk by at least $12,000,000 per month." That is something the business guys can use.

Maybe by using the Zorop Web Proxy instead they can enter a market worth $53,000,000 and capture half that in profit. Eventually, they get to decide whether the risk reduction is worth it because, well, that's their job. Maybe you can show them that each security breach of the Zorop system will cost $5,000,000 in damage, lost time and legal costs.

The best model for corporate security I can think of is that of an intelligent and capable executive bodyguard. Staying out of sight for the most part, but ready at a moment's notice. The executive, walking to work, says, "I've got to get to the Wall Street Open Market meeting. Let's take a short cut down that alley." The bodyguard says, "Well sir, you know your own business, but there is a 50% probability that you will be beaten severely and probably miss the important trade meeting worth $50 billion. How about I call Skyways Helicopter and have them pick you up and fly you there? It will get you there even faster and the $2000 tab will be nothing compared to missing the meeting."

Just like the bodyguard, you have to be able to bring the stats in front of the business risk takers so they can decide. You have to talk to the brains because it does you no good to talk to the executive's foot or hand or mouth. All the foot, hand or mouth understands is that someone gave them orders and you're getting in the way.

So to answer your question, MS does what it does because it continues to make vast profits at near zero risk. Since it's the "only game in town"** it essentially transfers its customers' losses due to unanalyzed risk into its treasury. Quod erat demonstrandum, baby. Of course, I'm sure that the MS story is that they have such a huge value add that it justifies the added risk. Exercise for the student: Use risk analysis to prove them wrong.

Does anyone know of any effective (possibly open source) risk analysis model/spreadsheet?

jvb
security engineer

**If I were a truly neutral player in this game I would refer to this as a "natural monopoly", but only the clinically naive would so delude themselves. The truly dispassionate would probably chalk up the MS advantage to strange attractor theory.
-----Original Message-----
From: Ng, Kenneth (US) [mailto:kenng () kpmg com]
Sent: Thursday, March 18, 2004 11:18 AM
To: 'Schmehl, Paul L'; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Re: Microsoft Security, baby steps ?

Totally agree. There is no magic bullet for security, especially on a large network. You can have firewalls guarding the outside, run Anti Virus against the mail servers, the file servers, and all the desktops. How about consultants coming in? How about vendor demos that need to be plugged into the network? How about appliance servers where the vendor claims "you don't need to patch this", and they are really running W2K with no service packs, wide open with every service known to mankind enabled? How about applications that break because they depend on the MSSQL SA password being blank? How about those network-aware copiers or fax machines or distributed door locks or HVAC (really) systems? Nothing will catch everything. Anyone who says so is selling snake oil or hiding management nightmares. Yes, firewalls and other related hardware help. We also need software vendors to stop giving lip service to security and start actually implementing it. We need software vendors to start publishing network protocols so that firewalls can actually look at the traffic and make intelligent decisions. We need software and hardware vendors to stop saying "security is not our problem".
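The kind of expected-loss arithmetic the post argues for (probability times impact, compared against the cost of the control), written out as an added example that is not part of the original thread. The 50%/$50 billion/$2,000 bodyguard figures and the $5,000,000 per Zorop breach come from the post; the breach rate and the candidate controls' cost and effectiveness are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A loss event: how often it is expected to happen and what each occurrence costs."""
    name: str
    rate: float            # expected events per period (per year for ALE, or a one-off probability)
    loss_per_event: float  # single loss expectancy in dollars

    def expected_loss(self) -> float:
        """Expected loss with no control in place (rate x loss per event)."""
        return self.rate * self.loss_per_event


@dataclass(frozen=True)
class Control:
    """A countermeasure: what it costs per period and what share of events it prevents."""
    name: str
    cost: float
    rate_reduction: float  # 0.0 (useless) .. 1.0 (stops every event)


def avoided_loss(scenario: Scenario, control: Control) -> float:
    """Expected loss the control removes per period."""
    return scenario.expected_loss() * control.rate_reduction


def net_benefit(scenario: Scenario, control: Control) -> float:
    """Dollars saved per period after paying for the control; negative means it is not worth buying."""
    return avoided_loss(scenario, control) - control.cost


def rank_controls(scenario: Scenario, controls: list) -> list:
    """Candidate controls ordered by net benefit, best first; the business makes the final call."""
    return sorted(controls, key=lambda c: net_benefit(scenario, c), reverse=True)


# Figures quoted in the post: a 50% chance of a beating that costs a $50 billion
# meeting, versus a $2,000 helicopter ride that avoids the alley entirely.
BODYGUARD = Scenario("walk down the alley", rate=0.5, loss_per_event=50e9)
HELICOPTER = Control("Skyways Helicopter", cost=2000.0, rate_reduction=1.0)

# The post gives $5,000,000 per Zorop breach; the yearly breach rate and the
# candidate controls below are constructed placeholders, not figures from the post.
ZOROP = Scenario("Zorop breach", rate=2.4, loss_per_event=5e6)
CANDIDATES = [
    Control("Fumblewidget System Server", cost=1.5e6, rate_reduction=0.8),
    Control("gold-plated rewrite", cost=20e6, rate_reduction=1.0),
    Control("do nothing", cost=0.0, rate_reduction=0.0),
]

if __name__ == "__main__":
    print(f"helicopter net benefit: ${net_benefit(BODYGUARD, HELICOPTER):,.0f}")
    for c in rank_controls(ZOROP, CANDIDATES):
        print(f"{c.name:28s} net benefit ${net_benefit(ZOROP, c):>14,.0f}")
```

A control whose net benefit comes out negative (the gold-plated rewrite here) is the case where the honest answer to the business is that the risk is cheaper to carry than to remove.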