Vulnerability Development mailing list archives
RE: Wlan @ bestbuy is cleartext?
From: Ron DuFresne <dufresne () winternet com>
Date: Tue, 7 May 2002 01:07:55 -0500 (CDT)
On Mon, 6 May 2002, Peter Gutmann wrote:
> Ron DuFresne <dufresne () winternet com> writes:
>
>> I think it does a disservice to the info-sec community to have people tasked as 'security' aware administrators constantly doing these rollouts and constantly turning to the term VPN as a way to expand their security perimeter and policy compliance outwards from the corporate boundaries to the homes of end users and their cars on the road without a full understanding of what they are doing to the defensive perimeters and security policies they are trusted to maintain.
>
> In my experience the admins frequently are well aware that the VPNs-everywhere approach is unsound, but are overruled by management or accountants. Those who persist in raising concerns are labelled as troublemakers/non-team-players, and sidelined in future decision-making. Scare stories of this kind, while unfortunate, may be one of the few ways of getting through to management.
It's a problem of security often not being driven from the top down, and this is so common in the IT industry. Some have pointed out how security might well be a financial burden some companies are well willing to forego and bear out the costs of compromises, seeing it as a cheaper alternative. Many are failing to understand that security can have an impact upon how their corporate image can be perceived to those they do business with, and to their direct customers. And this has been one of the problems faced by a number of very visible security related companies. Image/reputation is a cost sometimes well above what can be borne out by the beancounters and upper management.

HIPAA is going to have a very substantial impact on companies, if the government can find a way to really audit and validate compliance. So many of those that will have to comply are so far out in left field of securely managing the information they are tasked with we might well see a fallout of major attempts to get under the security umbrella on par to the issues faced with trying to deal with y2k issues a few years back.

Still, alas, few of the admins I've had the 'pleasure' of working with really paid security a serious visual at all. Most seem to have forgotten more than they retained. After all, security begins with the OS install. And most seem to have learned far too many bad habits to sometimes even adapt when an organization does push security in a top down manner. Often they are more difficult to bring 'onboard' than the end users.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.