Dailydave mailing list archives
Re: Hacking: As American as Apple Cider
From: "Hackling, Matthew (AU - Melbourne)" <mhackling () deloitte com au>
Date: Mon, 12 Sep 2005 11:53:53 +1000
After reading Marcus's The Six Dumbest Ideas in Computer Security and especially #3 and the minor dumbs the main reason for poor computer security came up in my mind... ECONOMICS! An organisation's/vendor's security spend and hence implementation of security controls is dependent on their risk appetite. For example I was amazed that one of my manufacturing clients told me they could deal with their computer network being out of commission due to a network worm for up to 3 days. But their point of view started to sink in after they explained that it was more cost effective for them to lose their network once a year for a day or so rather than spending multi-millions on buying new routers to implement network segregation, thousands of new PCs so that they could implement a standard operating environment, and upgrading their WAN links to enable managed patch deployment. This client had an aggressive risk appetite. Whereas a bank I work with told me that they could estimate the multi-million dollar change in stock price that would result from a media report of any outage of the financial system we were working on. Hence they spent a lot of effort on security testing, security technology, redundancy etc. This client had a conservative risk appetite. I often work on security testing for online banking systems for banking clients, where we perform security design review and acceptance testing. On a $50M project we can usually expect a $400K engagement. That's less than 1%. Now take for example a vendor of an application/operating system etc. Their business model is to spend $100M on developing a product, $100M on marketing, shrink wrapping the product at a cost of $10 per product and sell it 1000000 times at a cost of $1000 until it makes $1000M. Now what will make their product more marketable, sitting on a shelf? More features than the competition? Or Better security than the competition? Who will get the finite amount of developer time allowed by the budget? New features or securing old features? Their security can't be so bad that no-one will buy their product, but having average of less than average security will not financially disadvantage the vendor. And when you have a monopoly where only one vendor dominates, there is no financial incentive for innovation or for improving security. Now a vendor is going to have the most aggressive risk appetite of any of these organizations! They don't have anything to lose! So one out of 1000 customers want a refund because of a security problem, no problems, the product will still deliver on budget. Most customers will just wait for a patch, that will take a few hundred hours to put together, in down-time between releases, so "penetrate and patch" makes economic sense for them. Minor dumbs... "Let's go production with it now and we can secure it later" - no, you won't. A better question to ask yourself is "If we don't have time to do it correctly now, will we have time to do it over once it's broken?" Sometimes, building a system that is in constant need of repair means you will spend years investing in turd polish because you were unwilling to spend days getting the job done right in the first place. "We can't stop the occasional problem" - yes, you can. Would you travel on commercial airliners if you thought that the aviation industry took this approach with your life? I didn't think so. # 3 Penetrate and Patch "One clear symptom that you've got a case of "Penetrate and Patch " is when you find that your system is always vulnerable to the "bug of the week." It means that you've put yourself in a situation where every time the hackers invent a new weapon, it works against you. Doesn't that sound dumb? Your software and systems should be secure by design and should have been designed with flaw-handling in mind." Matthew Hackling B.Sc. (Security) CISSP Client Manager Security Services Group Deloitte Direct: +61 3 208 6610 Fax: +61 3 208 7001 Mobile: +61 402288599 mhackling () deloitte com au www.deloitte.com.au 180 Lonsdale Street Melbourne Victoria This email and any attachments to it are confidential. You must not use, disclose or act on the email if you are not the intended recipient. Liability limited by a scheme approved under Professional Standards Legislation. Deloitte is a member of Deloitte Touche Tohmatsu (a Swiss Verein). As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte", "Deloitte & Touche", "Deloitte Touche Tohmatsu", or other related names. Services are provided by the member firms or their subsidiaries and affiliates and not by the Deloitte Touche Tohmatsu Verein.
Current thread:
- Re: Hacking: As American as Apple Cider, (continued)
- Re: Hacking: As American as Apple Cider Nick Drage (Sep 14)
- RE: Hacking: As American as Apple Cider Fergie (Paul Ferguson) (Sep 09)
- Re: Hacking: As American as Apple Cider Nate McFeters (Sep 09)
- RE: Hacking: As American as Apple Cider Kyle Quest (Sep 09)
- Re: Hacking: As American as Apple Cider Marcus J. Ranum (Sep 09)
- Re: Re: Hacking: As American as Apple Cider Dinis Cruz (Sep 11)
- Re: Re: Hacking: As American as Apple Cider Gadi Evron (Sep 11)
- Re: Re: Hacking: As American as Apple Cider Dustin D. Trammell (Sep 13)
- Re: Re: Hacking: As American as Apple Cider Barrie Dempster (Sep 14)
- Re: Re: Hacking: As American as Apple Cider Dinis Cruz (Sep 11)
- RE: Re: Hacking: As American as Apple Cider Kyle Quest (Sep 09)
- Re: Hacking: As American as Apple Cider Hackling, Matthew (AU - Melbourne) (Sep 11)