Firewall Wizards mailing list archives

RE: concerning ~el8 / project mayhem


From: Bruce Platt <Bruce () ei3 com>
Date: Mon, 19 Aug 2002 16:02:10 -0400

This has been an enjoyable thread for me.

I like the contributions from Tina and Paul here.

My only contribution is that I grew up in the industry working for a company
with a strong internal set of guidelines, which ended with "When all else
fails, do what's right for the customer".  Many of us inculcated that.

The mentality of charging for patches which aren't needed when you can nuke
two ISAPI mappings doesn't square well with that.  But that quoted guideline
also spurs me to want to tell that CFO about the risks of being penny wise
and pound foolish.  Not to mix metaphors too much, but the roof may start
leaking tomorrow, even if it works well enough now.  I like to think that
some white hats spend the effort to do this.



-----Original Message-----
From: Tina Bird [mailto:tbird () precision-guesswork com]
Sent: Monday, August 19, 2002 3:06 PM
To: Paul Robertson
Cc: Dave Piscitello; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] concerning ~el8 / project mayhem


On Mon, 19 Aug 2002, Paul Robertson wrote:

That's part of it, but the other point is that very many of the
vulnerabilities discovered each year aren't actively exploited, and
there's a driver for "find and fix billed by the hour" folks to say patch
1000 *vulnerabilities* instead of upgrading one *product*.  Anyone can
upgrade say IIS- so companies who spend money with security consultants
don't necessarily want to see them fixing things their staffs should so
obviously do rather than something that's not a normal part of their
admin's duty, or that's so obviously "too much work."


This has become a major credibility issue for the security industry.
We've spent years of time and energy finding vulnerable code, creating
patches and workarounds for the problems, and in some if not many cases
really reducing the chances that a particular network will be compromised.

But put your (well loved) CFO or other high level executive hat on.  For
the vast majority of these individuals, even during a high-impact event
like Nimda or SirCam or Melissa, >>their own machines and networks<< were
relatively unimpacted.  This is clearly an over-simplification, and
neglects the vast amounts of time and energy it took to repair the damage
from those attacks.  But Ms. CFO-of-Fortune-500-company was >>mostly<<
able to read her email and get to the Web sites she cared about during those
attacks.

So her reaction to requests for more money to spend on security is "We
don't need it -- things work well enough."

This is the direct consequence of what Paul said -- the majority of
vulnerabilities aren't ever exploited, and those that are are not visible
to the majority of financial decision-makers.

As an industry -- or a community of highly intelligent technologists with
strong opinions about security -- we've followed a really bad path.  So
the real questions are:

1) Putting my own and other folks' personal biases aside:  >is< network
security really a compelling expense for a financially-strapped
organization?  Clearly the standard dollars-and-sense risk analysis isn't
a compelling argument, cos' it's been made for years, and the decision
makers are literally not buying it.

2) How can we present what might boil down to a personal bias (or to quote
Donald Rumsfeld, "These aren't so much requirements as appetites
or desires") in a way which makes the message easier for people whose
machines work "well enough" to hear?

I suppose we could try to assure that more vulnerabilities >get<
exploited, but that leads us right back into that "black hat/white hat"
snarl ;-)

tbird

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards