Firewall Wizards mailing list archives
RE: concerning ~el8 / project mayhem
From: Bruce Platt <Bruce () ei3 com>
Date: Mon, 19 Aug 2002 16:02:10 -0400
This has been an enjoyable thread for me. I like the contributions from Tina and Paul here. My only contribution is that I grew up in the industry working for a company with a strong internal set of guidelines, which ended with "When all else fails, do what's right for the customer". Many of us inculcated that. The mentality of charging for patches which aren't needed when you can nuke two ISAPI mappings doesn't square well with that. But that quoted guideline also spurs me to want to tell that CFO about the risks of being penny wise and pound foolish. Not to mix metaphors too much, but the roof may start leaking tomorrow, even if it works well enough now. I like to think that some white hats spend the effort to do this.

-----Original Message-----
From: Tina Bird [mailto:tbird () precision-guesswork com]
Sent: Monday, August 19, 2002 3:06 PM
To: Paul Robertson
Cc: Dave Piscitello; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] concerning ~el8 / project mayhem

On Mon, 19 Aug 2002, Paul Robertson wrote:
That's part of it, but the other point is that very many of the vulnerabilities discovered each year aren't actively exploited, and there's a driver for "find and fix billed by the hour" folks to say patch 1000 *vulnerabilities* instead of upgrading one *product*. Anyone can upgrade, say, IIS, so companies who spend money with security consultants don't necessarily want to see them fixing things their staffs should so obviously do rather than something that's not a normal part of their admin's duty, or that's so obviously "too much work."
This has become a major credibility issue for the security industry. We've spent years of time and energy finding vulnerable code, creating patches and workarounds for the problems, and in some if not many cases really reducing the chances that a particular network will be compromised.

But put your (well loved) CFO or other high level executive hat on. For the vast majority of these individuals, even during a high-impact event like Nimda or SirCam or Melissa, >>their own machines and networks<< were relatively unimpacted. This is clearly an over-simplification, and neglects the vast amounts of time and energy it took to repair the damage from those attacks. But Ms. CFO-of-Fortune-500-company was >>mostly<< able to read her email and get to the Web sites she cared about during those attacks. So her reaction to requests for more money to spend on security is "We don't need it -- things work well enough."

This is the direct consequence of what Paul said -- the majority of vulnerabilities aren't ever exploited, and those that are are not visible to the majority of financial decision-makers. As an industry -- or a community of highly intelligent technologists with strong opinions about security -- we've followed a really bad path.

So the real questions are:

1) Putting my own and other folks' personal biases aside: >is< network security really a compelling expense for a financially-strapped organization? Clearly the standard dollars-and-sense risk analysis isn't a compelling argument, cos' it's been made for years, and the decision makers are literally not buying it.

2) How can we present what might boil down to a personal bias (or to quote Donald Rumsfeld, "These aren't so much requirements as appetites or desires") in a way which makes the message easier for people whose machines work "well enough" to hear?

I suppose we could try to assure that more vulnerabilities >get< exploited, but that leads us right back into that "black hat/white hat" snarl ;-)

tbird

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards