Home page logo
/

basics logo Security Basics mailing list archives

WG: Firewall configuration statistics
From: Meidinger Christopher <christopher.meidinger () badenIT de>
Date: Wed, 25 Jun 2003 15:53:22 +0100

Opps, forgot to reply to all

-----Ursprüngliche Nachricht-----
Von: Meidinger Christopher 
Gesendet: Wednesday, June 25, 2003 2:41 PM
An: 'security () rexwire com'
Betreff: AW: Firewall configuration statistics


The number of companies that have a dedicated connection to the internet and
no firewall is infinitesimal. I suspect that 100% (or 99.99999%) of all
companies hacked had a firewal, and 90% of then were hacked across the
firewall, against 10% that were hacked over dialup/trojans/etc.

And, i feel bad prolonging this discussino, but you didn't listen to us
either. We were saying there might be more effective marketing strategies
than statistics which cannot be proven one way or another. Nobody (except
maybe that first offensive poster early on) is against you. Rather, we were
hoping to help you improve your marketing tactics by considering the
(relatively) unique attributes of the security market.

badenIT GmbH 
System Support 
 
Chris Meidinger
Tullastrasse 70
79108 Freiburg


-----Ursprüngliche Nachricht-----
Von: security () rexwire com [mailto:security () rexwire com]
Gesendet: Wednesday, June 25, 2003 1:33 PM
An: christopher.meidinger () badenIT de; eckman () umn edu;
des.ward () ntlworld com
Betreff: RE: Firewall configuration statistics


This still goes to show you did not get the point of the original question.
The numbers were for marketing. Most security marketing is targeted towards
upper management not low level IT guys. To get a initial meeting it is
important to get their attention somehow. Security sells better top down (at
least for us).

We did manage to gather statistics all you guys keep saying does not exist.
Have a look at idc reports and Gartner group. A good example is one that
states that "90% of all companies hacked last year had a firewall."


-SKP

-----Original Message-----
From: Meidinger Christopher [mailto:christopher.meidinger () badenIT de] 
Sent: Wednesday, June 25, 2003 4:46 AM
To: 'security () rexwire com'; 'Brian Eckman'; 'Des Ward'
Subject: AW: Firewall configuration statistics


As a security professional and someone that has to do with sales, i wanted
to add a quick thought, but don't want to engage in thread necromancy.

So anyway, i wanted to agree with you Brian -- i do not believe that the
number could possibly be less than 90-95% as far as patched vulnerabilities.

Des, i agree with you also. There are no numbers across the board. The needs
of a regularly audited DoD contractor are vastly different than the security
needs of a small business looking to install their first mail server and
realizing that they will need a firewall in front of it. There are no
numbers that you can apply to everything, good salesmanship and
understanding of the industry are paramount. 

Any IT guy worth his salt will likely skip over the numbers and statistics
anyway, and his manager will usually ask him what he thinks. Going over the
IT boss' head to get a contract can only result in 1) he making sure you get
no more contracts or 2) him getting fired, with 1 being the more likely.

As this justin person blew his top, i agreed with him, but did not defend
him because i thought his tone went way overboard. SKP - i think you are a
bit wrong that security contracts are won with statistics. I would say they
are won by: 1) References from existing customers [this is the big one
folks, there is nothing more important than two executives talking over a
power lunch about the security consultants that discovered that their entire
customer database was world readable] 2) Increased awareness on the part of
the client [be it advertising, a compromise of oneself of a colleague,
whatever, the customer is on the market for security help] and 3) Extending
existing contracts from LAN/WAN whatever to include security. 

Statistics count toward the increased awareness factor, but i never heard
that anyone walked in and talked about vulnerability statistics and walked
out with a contract.

Oh well, this is a bit incoherant, but it's early in the morning here in
germany and i really should be working, so i hope youll understand.

badenIT GmbH
System Support
 
Chris Meidinger
Tullastrasse 70
79108 Freiburg


-----Ursprüngliche Nachricht-----
Von: security () rexwire com [mailto:security () rexwire com]
Gesendet: Monday, June 23, 2003 8:00 PM
An: des.ward () ntlworld com; security () rexwire com;
justinpryzby () users sourceforge net; security-basics () securityfocus com
Betreff: RE: Firewall configuration statistics


I think its time to put this thread to rest. Since I started it I think I
will be the appropriate person to do so. 

In summary I don't think my original point got across to most people. In
part it must have something to do with the way I wrote the question and in
part lack of sales or business experience of people reading this thread.

My question was clearly a marketing question regarding industry statistics.
IT is quiet stupid for people to say that statistics don't matter. Almost
all security projects are sold because someone read a statistic or does not
want to become one. 

As to the leaving number to sales and security to security professionals.
This way of thinking is guaranteed to shutdown the company that the
consultants work for. Everybody is in sales regardless of their title or
position. If you are not selling you are useless to your organization
regardless of how much skills you may possess. 


This is my $.05 $.25 and $1.00 worth


-SKP

-----Original Message-----
From: Des Ward [mailto:des.ward () ntlworld com] 
Sent: Monday, June 23, 2003 1:44 PM
To: security () rexwire com; justinpryzby () users sourceforge net;
security-basics () securityfocus com
Subject: RE: Firewall configuration statistics


Right, let's try and put this one to bed.

Unless you are using stats that are relevant to the industry, size and
external-facing internet presence of the intended audience; the stats used
are of no real intrinsic value.  Industry numbers have no real intrinsic
value because of this.  That is both fact and experience talking.

The IT industry is full of people who will be conned and those who will con.
I am not saying that anyone in this list is doing this, again this is merely
fact and experience.

All others in the group have been guilty of is putting this point across in
a different way.

In summary, let the security professionals deal with security and the
salesmen deal with numbers.  That way everyone is happy.

Just my £0.05 worth.

Here's to staring another thread having finally put this one to bed :o)

Des
-----Original Message-----
From: security () rexwire com [mailto:security () rexwire com] 
Sent: 20 June 2003 22:04
To: justinpryzby () users sourceforge net; security-basics () securityfocus com
Subject: RE: Firewall configuration statistics

Justin's reply must be the malicious reply I have ever read in this group
and I hope the moderator takes notice. I was intending to get industry
statistics for my marketing material and not a arbitrary number to feed to
people. It comes back to my point in my last pointing. People should keep
their philosophical points to themselves; no one wants them or cares for
them they provide nothing to the users of this group. Please stick to
experience and industry numbers they go a long way to help people.
Wishing ill onto others as Justin did does not help anyone nor I guarantee
it will do a lot for Justin's career.

Some of the statistics I have come across are stated below;

90% of all companies that got compromised lat year had a firewall

70% of all attacks happen at the application level

25% of exploits had patch readily available


-SKP



-----Original Message-----
From: Justin Pryzby [mailto:justinpryzby () users sourceforge net] 
Sent: Friday, June 20, 2003 10:34 AM
To: security () rexwire com; security-basics () securityfocus com
Subject: Re: Firewall configuration statistics


Well, seeing as I just received duplicates of last months mail, I guess
I may as well respond.

My intent in giving SKP two opposite and conflicting statistics is to
reveal the meaningless nature of the question.  Whether marketing
material says 2% of firewalls are misconfigured or 98% are doesn't
matter.

It is a matter of opinion, and I have given SKP my own meaningless
authority to state whatever he wants.  I hope I have also given him the
motivation to realize that what he wants is an arbitrary number to feed
to people; I want him to get neither satisfaction nor sales from
publishing whatever number he decides to use.

Justin

On Fri, Jun 20, 2003 at 04:48:02PM +0000, security () rexwire com wrote:

Thank you Greg. I totally agree. If people would just answer questions
based
on real life experience and knowledge and leave the philosophy to the
politicians I think everyone in this group will be happy.


-SKP

-----Original Message-----
From: NC Agent [mailto:NC_Agent () kueppers-familie de]
Sent: Friday, June 20, 2003 12:01 PM
To: security () rexwire com; justinpryzby () users sourceforge net
Cc: security-basics () securityfocus com
Subject: RE: Firewall configuration statistics


What you received is the reason why I will not post a serious question
to the list. The list has fallen into one of opinion not fact. So folks,
as SKP gets more and more frustrated, and stops using the list for
serious business, maybe it has become time for us to get back to
business. Just my .005 worth.

Greg Kane
SAIC
Senior Systems Security Engineer
CTSF-IA
Fort Hood, TX

-----Original Message-----
From: security () rexwire com [mailto:security () rexwire com]
Sent: Saturday, June 07, 2003 6:16 PM
To: justinpryzby () users sourceforge net
Cc: security-basics () securityfocus com
Subject: RE: Firewall configuration statistics

That makes absolutely no sense. Plus I am not looking for a
philosophical
answer. I was looking statistics for marketing. Does anyone know of a
good
reference site for firewall and other security statistics.

SKP

-----Original Message-----
From: Justin Pryzby [mailto:justinpryzby () users sourceforge net]
Sent: Friday, June 06, 2003 6:18 PM
To: security () rexwire com
Cc: security-basics () securityfocus com
Subject: Re: Firewall configuration statistics


Security,

100% of firewalls are misconfigured. I guarantee that no firewall
administrator has considered all of the posibilities that are out there.
Moreover, there are guaranteed bugs in the firewalling software itself.

No firewalls are misconfigured. Computers do what they are told, and
the occasion cosmic ray bitflip is insignificant compared to human
error. FW admins who use broken software or write bad FW policies
deserve to suffer the consequences.

Take your pick. As a user, I think all firewalls suck because at best
they are another layer for things to get f()'d up, and at worst they
prevent me from doing stuff. As an admin, I know of no more problems in
my current firewall configuration (-j DENY), but let me check.

Unless you elaborate on whichever number you quote, it is meaningless.
Anyone who has ever deal with a firewall will know that. You will,
however, impress 99% of everone with a cool word like ''firewall''.

Justin


On Sat, Jun 07, 2003 at 12:42:26AM +0000, security () rexwire com wrote:

I remember once reading that X amount of firewall's are misconfigured.
Does
anyone know where I can get this statistic from? We are making some
new
marketing material and I would like to include this stat in it. A
quotable
source would be great.

Thanks

SKP


------------------------------------------------------------------------
---

------------------------------------------------------------------------
----


------------------------------------------------------------------------
---
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
    
Find out why, and see how you can get plug-n-play secure remote access
in
about an hour, with no client, server changes, or ongoing maintenance.
         
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
------------------------------------------------------------------------
----



---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
    
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
         
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm

----------------------------------------------------------------------------

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • WG: Firewall configuration statistics Meidinger Christopher (Jun 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault