Information Security News mailing list archives

Another brick in the wall: Fighting a losing battle on the front lines of security


From: InfoSec News <isn () C4I ORG>
Date: Thu, 20 Jul 2000 04:30:02 -0500

http://www-4.ibm.com/software/developer/library/su-wall.html

[Excellent article well worth handing out around the office, I'm
planning to include this for a class I'm teaching next week! -WK]

by: Brian Martin
DSIC Security Group
July 2000

You sacrifice convenience for security and security for convenience.
For which goal was your computer network built?

Security? Oops!

In the realm of human endeavor, there is usually a simple logic
applied to the process of building things. This logic is seen in the
way houses, computers, and even cans of mandarin oranges are built. We
do not near completion of the production of these items only to
attempt to squeeze in some vital element that was meant to be first.
Foundations are not built after finishing the roof, processors are not
seated after the case has been secured, and oranges are not added
after the can has been sealed. Yet, when security is considered, this
simple application of logic seemingly fails on a majority of computer
networks.

We must identify one caveat when addressing this issue. Most computer
networks (especially the Internet) were first designed with an open
philosophy -- one of sharing information freely with anyone who needed
it. Security was the little known hobby of a few geeks who enjoyed the
cat and mouse game of "hacking" and securing machines. It's hard to
pin down exactly when security became the big push in corporate
America, but I think it safe to say it publicly surfaced in the last
three or four years.

Just as the Internet had been, five- and ten-year-old corporate
networks, when new, were built for connectivity and convenience. As a
general rule, you sacrifice convenience for security and security for
convenience. The more unrestricted the access you enjoy, the less
security is present on the network. Networks built from the ground up
with all aspects in mind, especially security, enjoy a stronger
foundation.

A losing battle

The real suffering surrounding network security can be found in the
system administrator population, which is now playing catch-up. For
years, the cries from above were for functionality. Integrate this,
introduce this new technology, give us the ability to read sensitive
corporate mail from our personal America Online (AOL) accounts.
Management worldwide didn't care how things were done or what changes
had to be made, they just wanted everything to be easy!

With the media and fledgling security companies preaching about the
benefits of and need for good security, administrators are scrambling.
Armed with a new corporate directive, administrators must weed through
hundreds of self-proclaimed experts and thousands of inadequate Web
sites to find pieces of the security puzzle. Missing the overall
philosophy of security, they often become consumed with nit-picky
details and technical countermeasures that are not always appropriate
for their network. Network administrators today are simply fighting a
losing battle, plugging each springing hole in their dam.

The advice everyone asks for

Between security consulting by day, and running a nonprofit
security-oriented Web site at night, I get asked a lot of questions.
The second most-asked question (after "How do I hack?" which is
ignored) comes from system administrators all over, who ask: "How do I
secure my system?"

[...]

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
