Interesting People mailing list archives
IP: Re: "The Great Hack Attack"
From: David Farber <dave () farber net>
Date: Sat, 10 Mar 2001 15:20:44 -0800
From: ARIAN EVANS <AEVANS () uscentral org> To: "'farber () cis upenn edu'" <farber () cis upenn edu> Subject: RE: Re: "The Great Hack Attack" Dave, thanks for the commentary. Your points are valid and true, for the most part. Where I disagree is mainly matter of opinion. I'll throw a few things out, because I'm curious what your specific thoughts are. This will probably be longer than prudent, but if you have time to peruse it, I'd like your feedback. First I'll clarify a few things: I do have to apologize for the quality of the article posted. I made the decision it was more important to post /something/ than to wait until the weekend when I could post something /well-written/. That was my choice, and I should certainly be held accountable. That said, we agree on a number of points that apparently I either: 1. Failed to qualify clearly, or state coherently 2. Felt were outside the scope of discussion, which I wanted to hold to the specific situation at hand. In a nutshell: Why it happened, and who should be directly accountable. Here's the first thing I'll tackle: ">these e-businesses are in too much of a hurry to use good securitydesign practices, e.g. defense in depth, multi-tier design, protocol-aware firewalls, database design that treats readers and writers differently and limits database operations to specific stored procedures, and using crypto correctly to protect sensitive or private information."1. No, unfortunately, virtually all the e-businesses I've consulted with DON'T do the above (appropriately). They talk about it; they even have documents discussing how they've accounted for it. In many cases, they've purchased and deployed technology to help facilitate the above. In those cases they actually have the right technology, it's very frequently *not* deployed and/or utilized appropriately. This again, is based upon my subjective experience. It is quite feasible that I have seen a skewed sampling of companies, due to the nature of the work they'd call me in for. 2. Your point on monocultures is taken, but not well made (IMO). There is a large degree of 'biological diversity', IMO, in companies who take MS's base platform, and deploy their own custom environments on top of it. My current endeavor is one encompassing a large, heterogeneous environment, with applications designed with a variety of 3rd party tools. MS's products are just one element among an array of products utilized. That's a bit different than a shrink-wrapped operating system and mail server combo, prepackaged from the vendor (which is where I believe your argument applies). The issues with the compromises covered in my article are not directly related to shrink-wrap, OOB product experiences. They are a /direct/ result of neglect and incompetence. Indirectly, yes, MS's software design paradigm puts them in a position where, by mathematical default, they are going to have a large number of vulnerabilities, patches, etc. However much MS is to blame for the underlying issue and their perpetuation of it, the fact remains that all the risks and variables in the current compromise scenarios /were accounted for by Microsoft/. Failure to apply recommended patches, and follow recommended design documents, is the fault of the consumer. ">i'll bet most of them don't have a security policy or any mechanismsfor enforcing one."That's part of the above issue. Security policy and internal mechanisms for enforcing one, are not highly important, but not paramount to security in the Enterprise. Good security practices should account for, and include, design, technology, practices and policy, etc. However, it is possible to have policy and internal procedure (driven by audit, risk-management, etc.) that is very thorough, very specific, and doesn't account for the appropriate things. I couldn't agree more with you that most developers and software vendors are failing to cover the major points of good software design. The exact same argument can be made of security *professionals*, and organizations like the ISSA (I think ISSA has good motivations and intent. However, it's staffed, run, and attracts a large number of people who like to talk and, to use your phrase, 'don't get it'. This observation is based strictly upon the chapters and members I've had the opportunity to work with. I'd also welcome any positive input on ISSA, if you are a member.) I was just involved with a Director of Information Security being removed from a company, after a fairly long series of conflicts. Thanks to the ISSA, he managed to maintain a pretty tight strangle-hold on his position within the organization (Internal Audit personnel, and several other influential members of the organization are ISSA chapter sponsors/members. Most of them, including this director, are CISSP's). He took his magic show on the road, and is now Director of Information Security for one of the larger e-commerce companies on the web. Now, I happen to like the guy, he means well, and can speak very articulately about security. However, he doesn't understand technology at all, can't prioritize risk (essential!), and lacks the ability to balance business-driven requirements with pure technology concerns (which most pure *technologists* do). People like this are driving the security industry, and IMO that's a much bigger concern than technology. Most of the rest of what you state I implicitly agree with, and again, am clearly at fault that I didn't communicate that appropriately in my article. Hopefully I didn't intrude by sending you an email of this length, and there are elements contained in dialogue towards the latter part of the email I'd prefer remained 'internal dialogue', as hopefully you'd understand. Thanks for your time, Arian
For archives see: http://www.interesting-people.org/
Current thread:
- IP: Re: "The Great Hack Attack" David Farber (Mar 10)
- <Possible follow-ups>
- IP: Re: "The Great Hack Attack" David Farber (Mar 10)