Vulnerability Development mailing list archives

RE: Wlan @ bestbuy is cleartext?


From: Ron DuFresne <dufresne () winternet com>
Date: Tue, 7 May 2002 01:07:55 -0500 (CDT)

On Mon, 6 May 2002, Peter Gutmann wrote:

Ron DuFresne <dufresne () winternet com> writes:

I think it does a disservice to the info-sec community to have people tasked
as 'security' aware administrators constantly doing these rollouts and
constantly turning to the term VPN as a way to expand their security perimeter
and policy compliance outwards from the corporate boundaries to the homes of
end users and their cars on the road without a full understanding of what they
are doing to the defensive perimeters and security policies they are trusted
to maintain.

In my experience the admins frequently are well aware that the VPNs-everywhere
approach is unsound, but are overruled by management or accountants.  Those who
persist in raising concerns are labelled as troublemakers/non-team-players, and
sidelined in future decision-making.  Scare stories of this kind, while
unfortunate, may be one of the few ways of getting through to management.

It's a problem of security often not being driven from the top down, and
this is so common in the IT industry.  Some have pointed out how security
might well be a financial burden some companies are well willing to forego
and bear out the costs of compromises, seeing it as a cheaper alternative.
Many are failing to understand that security can have an impact upon how
their corporate image can be perceived by those they do business with, and
by their direct customers.  And this has been one of the problems faced by
a number of very visible security related companies.  Image/reputation is
a cost sometimes well above what can be borne out by the beancounters and
upper management.  HIPAA is going to have a very substantial impact on
companies, if the government can find a way to really audit and validate
compliance.  So many of those that will have to comply are so far out in
left field of securely managing the information they are tasked with we
might well see a fallout of major attempts to get under the security
umbrella on a par with the issues faced with trying to deal with Y2K issues a
few years back.

Still, alas, few of the admins I've had the 'pleasure' of working with
really paid security a serious visual at all.  Most seem to have
forgotten more than they retained.  After all, security begins with the OS
install.  And most seem to have learned far too many bad habits to
sometimes even adapt when an organization does push security in a top down
manner.  Often they are more difficult to bring 'onboard' than the end
users.


Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
