Firewall Wizards
mailing list archives
RE: The Morris worm to Nimda, how little we've learned or gained
From: "robert_david_graham" <robert_david_graham () yahoo com>
Date: Sat, 5 Jan 2002 09:38:51 +0900
Um. Here is some standard free-market economics rhetoric. Marcus will
probably kill this because most of you are NOT free-market libertarians (and
the thread is already getting long), but here goes...
Marcus wrote:
> The sad reality is that safety technology only gets applied once it's
> obvious that the damage from not applying it is extremely expensive
> to the entire community. Remember - we didn't have mandatory seatbelts
> in cars until the 1960's and didn't have mandatory shoulder straps until
> the 1970's. Air bags didn't come until the 1980's and mandatory _use_
> laws are only recently on the books in most states. Internationally,
> the situation is worse. And people have known for a long time that
> seat belts save lives...
Statistics show that seat belts don't result in lives being saved. Neither
do ABS brakes or airbags.
Notice my odd phrasing. In a crash, seatbelts/ABS/airbags will certainly
help save lives and reduce injuries. However, subconsciously knowing they
are safer causes drivers to behave more aggressively, so they get into more
crashes. Point studies into ABS brakes and seatbelts confirm this, and
industry-wide studies of per capita traffic fatalities show little change
over the last 30 years, despite technology, regulation, and adoption of
these things (U.S. statistics). Technology doesn't change in a vacuum --
people's behavior changes to compensate. [Offside: if anybody has statistics
that disagree with mine showing declining traffic fatality rates, I would
love to see them -- it would blow my argument out of the water].
The reason is simple: When it rains and gets dark, people slow down. They
are compensating for the increased risk by driving more carefully.
Logically, this would imply that when the rain dries and the sun comes out,
they start driving more aggressively -- to compensate for the decreased
risk. A well-known economist put it another way: remove
seatbelts/ABS/airbags and replace with a large metal spike pointed at the
driver's chest, and fatality rates are STILL going to be unchanged.
Mathematically, drivers calculate that acceptable risk is 0.00001% chance of
getting into an accident -- then drive slower/faster to compensate for
other factors until that risk is back in balance.
Internet security is the same way, and is the reason these problems aren't
being solved. Every advance (technology, security educated labor force,
etc.) is met by increased risk taking. About half of the firewall
installations I see are of the "drive risky when sun comes out" variety. For
example, a company has a backend sales database that is not accessible via
the Internet, because it is too risky. A vendor comes in with a
firewall/VPN/dual-factor solution, which the vendor uses to put the database
on the Internet for their roving sales people. I ask you: was the customer
more/less secure before they bought the security products? Less, of course,
because now the database is hooked to the Internet. The roving sales
person's computer based training program, which silently installs IIS, gets
infected, then CodeRed jumps across the VPN tunnel and infects the backend
database.
The key phrase is: RISK TOLERANCE IS A CONSTANT. This means the level of
hacking, worms, viruses, and so forth are a constant. Firewalls don't
change risk tolerance. Anti-virus programs don't change risk tolerance.
Hiring a security guru won't change your risk tolerance. From Morris to
Nimda, the reason nothing has changed is that corporations have the same
risk tolerance today that they had 13 years ago.
There is another statistic buried in traffic fatality rates. Traffic deaths
PER DRIVEN MILE have indeed gone down dramatically. The reason is the spread
of freeways/expressways over the last 50 years. People compensate by driving
further, of course, which is why it hasn't impacted overall fatalities PER
CAPITA. I point this out because you might interpret my comments above as
implying that firewalls/VPNs/auth products are worthless: no, they benefit
customers not because they improve security, but because they get to drive
longer distances on the infobahn. Presumably, the corporation that put the
sales database online is better off -- despite the risk -- than when data
was locked in a room somewhere.
Applying this Internet wide, the costs of CodeRed and Nimda were certainly
considerable, but the BENEFITS of the open, risky architecture far outweigh
those costs. Our society is hugely better off because of the Internet
technology -- including the increased risks to hacking. As security
professionals, we are paid to be pessimists and believe the glass is
half-empty. However, economic measurements of GNP growth due to Internet
technologies (including costs as well as benefits) indicate a very positive
result (that the glass is half-full). Thus, while most of the industry
laments at the poor security we have, I think the situation is great:
benefits are outweighing the costs. Hacking is an annoyance, but not a
"problem".
Anyway, this is the standard argument from the free-market economist's point
of view. I understand that it is NOT the view of most security
professionals.
Robert Graham
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards