Firewall Wizards
mailing list archives
Re: Ok, so now we have a firewall, we're safe, right?
From: Chris Blask <chris () blask org>
Date: Tue, 31 May 2005 19:46:58 -0400
Hey Fritz!
At 08:23 AM 5/31/2005, Fritz Ames wrote:
Ben,
Along with the part that stays the same is the part about getting
a business to change its approach to security, or, "How does the security
zealot at the company sell their position?" Sure it sells faster
(somewhat, and for a little while) when there is a traumatic event, but
then the large-scale traumatic events, as you pointed out, have been mere
nuisances to-date. How does our hero pitch the solution to preventing
annihilation by the
"Code-Red-that-steals-your-data-nukes-your-hard-drive-and-then-steals-your-wife,-and-unplugs-the-fridge
on-the-way-out" trojan?
Well, it isn't easy.
People don't worry about theoretical threats very much, and usually they
are proven right. Even if someone else does lose an arm eventually, they
all pause, someone develops the Arm-Shield [tm], they are installed on all
new Things and people go back to doing the same stuff with new gear.
We got a problem because:
o we haven't designed all the gear we need, yet
o most of what we have isn't finished
o the people using our toy have gotten way ahead of us
o they only vaguely know how to use what we've given them
o and they don't know which bits of flooring are just old particle board
someone threw down on their way to fixing a roller coaster.
But we built the thing for them ("they" include your parents and children,
so don't deny it), therefore we can't get too annoyed with them. We just
hafta keep building as it's being used and trying to get the casualty rate
down from the "Drunk Freehand Rock Climbing" level to somewhere around
bungee jumping...
It's the same old problem. "Here's your new fire extinguisher
budget..." I get the sense that *really* going after the education of
the users is the opportunity to make the biggest difference. (The
biggest difference? Really?)
Yes.
Savvy users will be less likely to click on that link to Hades. Savvy
users who run companies will have better ideas of how to evaluate their
risks and their mitigations--and spend their dollars more
carefully. Savvy users who run companies and who read "MJR/Fred/Paul"
will buy less marketing hype, less BS process and documentation
masquerading as security, and more secure systems. Savvy network admins
will... Savvy DB folks will... Savvy Web site folks will... Savvy
developers will... All those folks out there who are busy doing their
jobs, getting things done, building real stuff, and who haven't had time
or inclination to really get security will catch on and...
Sounds corny, eh? :-)
Still true.
OK, so this has been tried before. ...or has it?
Not really (the Queen of Ants would say "never in the history of time").
.d.
There's got to be some kind of candy to lure people in to like learning it.
There's lots of candy, it's just a big job. Security is sexy and exciting
- we're lucky in a way because *everyone* has had a conversation about
hackers (or seen a bad movie), and has a base set of memes. Those memes
are as well developed as "green men live on Mars", but at least they know
that Mars is a planet and have some concept of what that means, so giving
them a working understanding of the universe isn't impossible.
[I've been doing this with a series of nieces and nephews for a decade or
so now with general success, despite the dreck of superstition, hearsay and
base falsehoods they otherwise vaguely acquire. "Universe go boom, no-one
discernible says 'let there be Helium!', dust clumps up, 1st gen
stars=Heavy Metals, 2nd gen stars=Michelangelo. Welcome to Entropy, enjoy
your stay." :-]
So increasing security awareness isn't directly relevant to
firewall technology ...in the hardware sense. But if not us, who? If
not now, when? Ah! To heck with it. I can't make it work if better
minds than mine haven't succeeded in this area. Please pass the fire
extinguisher...
There aren't better minds than yours, and if there are, half an effort by
ten people carrying Clue badges is likely to have more effect than heroic
efforts by an Einstein.
It's just a long bloody walk carrying a really heavy pack with pointy bits
in the wrong places while occasionally getting yelled at for it by people
who don't know where you are going, what you are carrying or why, but who
benefit from your efforts. If you notice, people say thanks and bring you
a beer sometimes as well - and you like the work or you wouldn't be doing
it, so it's not all that bad a lifestyle.
Go sailing for a year if you have to, but don't give up the fight. As far
as work goes, infosec beats coding business apps (or carrying heavy packs)
by a mile.
-cheers!
-chris
Chris Blask
chris () blask org
http://blaskworks.blogspot.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards