Re: Worms, Air Gaps and Responsibility

[Devdas Bhagat <devdas () dvb homelinux org>]

On 06/05/04 10:34 -0400, Paul D. Robertson wrote:
> On Wed, 5 May 2004, Carson Gaspar wrote:
>
> > I agree. My response was to you're "what excuse do they have" question. In
> > my specific industry, they have a bunch. Most other industries don't make
> > every single dollar based on timely, accurate, electronic information. When
> > your entire business is manipulating flows of information, based on other
> > flows of information, limiting who can see what is a very tough job. Not
> > impossible, but extremely difficult, and very expensive.
>
> But by the same token, that makes a massive network/node failure all that
> more expensive- at some stage, we have to start taking infrastructure
> seriously, and I'd argue that it's businesses that rely on infrastructure
> so heavily that need to be in front of it.
How many businesses see good infrastructure as an asset, rather than a
cost? I would say that most businesses that I have had to deal with have
seen infrastructure as a cost to be minimised, rather than as a
necessary asset with associated costs. And even for those who do think
of it as infrastructure, the idea is to have one time capital
expenditure and low operating expenses, as with all other types of
captial investments.

> I understand where you're coming from, I'd just like to see us all make
> more coordinated and extensive efforts to revisit the "connectivity trumps
> all" mantra.
Let me ask a harder question: How do you get the horse to drink?
Connectivity shows profits in the balance sheet. Security shows up as
expenses. Lack of downtime does not show up.
 
> Maybe I'm too optimistic, but I always used incidents like this last worm
> to get policy changes, validate the usefulness of controls when we didn't
> get hit, and generally give the senior execs ammo to crow about how well
> done their practical support of security programs was.
What is needed is a way to convert security benefits into balance sheet
numbers. Once we work out a useful formula for that, then we can
actually hope for some beneficial changes in the mindset of business
management.

Note that having one cheap administrator dedicated to cleaning up viruses
often works out cheaper than having an antivirus everywhere and kept up
to date. What Blaster really did was knock out the network, so that
no one was able to work. That cost is visible. The cost of adequate
security to prevent events like that happening again is known. 

What is the risk of another worm as bad as that hitting networks
repeatedly a few times, until the cost of /not/ patching goes above the
cost of maintaining proper security?

Perhaps we really need a few lousily coded worms which take down the
Internet. One hitting on ports 25, 80 and 443 would be really interesting 
and scary.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards