Firewall Wizards mailing list archives
Re: Going meta (was RE: Ok, so now we have a firewall...)
From: "Dave Piscitello" <dave () corecom com>
Date: Thu, 02 Jun 2005 17:35:52 -0400
If you want to minimize compromise, increase accountability.
Anecdotal evidence from companies I've observed doing a good job
securing networks and systems leads me to conclude that improving
security is a lot like raising children, esp. teens (I have two, lead
youth mission trips but would not claim to be an authority merely an
observer of many situations with positive and negative outcomes).
Given broad choices, little direction, and no consequences, teens are
more likely to choose poorly. Sounds like a "that which is not
prohibited is permitted" policy, doesn't it? But the key that I think
we continue to overlook is that even the practice most list-readers
here believe is better - that which is not expressly permitted is
prohibited - is incomplete.
Where's the accountability and consequence in this policy?
Why don't we start adding quantitative consequences when we murmur
our favorite security mantra?
"that which is not expressly permitted is prohibited"
AND
1) "the consequence of intentionally doing what is prohibited is
termination of employment"
2) "the consequence of repeatedly unintentionally doing what is
prohibited is also termination (you are too {stupid | impulsive |
slothful } to be employed here)"
3) "..."
(Marcus has been quite creative on occasion regarding consequences so
he can fill in 3) and beyond).
I'm not being whimsical here. We live in a society where 70% of
people willingly revealed their usernames and passwords for Cadbury
bars. If exposing your organization to attack from an authorized
account is only worth a few bucks. If folks worried that they might
never taste chocolate again, well, maybe security might improve.
(Google "Low-Tech Password Cracker: Chocolate", April 20, 2004.)
On 2 Jun 2005 at 13:36, Marcus J. Ranum wrote:
> I am totally sympathetic to the plight of the security practitioner
> who isn't willing to put his job on the line by telling the CTO he's
> a moron. I completely understand why people feel they need to
> compromise. But I still think compromise is for sissies.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
