mailing list archives
Re: Web sites compromised by IIS attack
From: Valdis.Kletnieks () vt edu
Date: Wed, 07 Jul 2004 22:06:07 -0400
On Tue, 06 Jul 2004 10:10:30 CDT, Willem Koenings <isec () europe com> said:
(Jason Coombs said:)
Anyone with a truly complex security problem knows that it is hopeless
to ever really control many computers in the presence of many people.
You have no choice in a complex situation but to let things happen that
you think are beneficial to you (the vendor installing patches, in this
discussion) and find a way, after the fact, or periodically, to confirm
that the end result was in fact beneficial to you.
Jason, i have to disagree with you. Security is not a technology,
security is a way of thinking (regards goes here to Schneier). And
when you start thinking in right way, then there is no difference
whatsoever whether the subject is home computer or large production
And i have seen, in reality, uncounted time, in respected companies,
that after vendor specialist comes and installs updates/patches, system is
screwed. Yes, you have contracts, but company's image and face in
front of customers is everything. So at least here, in security list,
it is wrong to propagate the way that just sit and wait and let the
vendor came and fix all.
The point that Jason is making, and that you're apparently missing, is
that if you're a security geek in the trenches, you may *not* *have* a
choice. He's not "propogating" - he's pointing out how things end up
really working in large organizations. And failure to understand the
*NON*-technical aspects of deploying anything is a guarantee of failure.
It's the rare geek in the trenches at a large site that can play
"wag the dog" and make security-related policy decisions. You need
buy-in all the way up the org chart to the CIO, *and* the CIO needs
to have the political clout to back you up if a change (even if it
*IS* the Good and Right Thing To Do) pisses off the wrong Neanderthal
manager over in Finance.
For instance, I'm convinced a mass move to Mozilla would help our
site's overall security. My manager would go along with me. But if
I was to deploy Mozilla across the board, my posterior would end up
with many sets of teeth marks on it, for things like:
1) Who ends up dealing with retraining costs? (And remember - just
because YOU don't need retraining doesn't mean that the fiscal
technicial (i.e. file clerk) over in Human Resources who gets
upset when everything isn't EXACTLY THE SAME doesn't need retraining.
Somebody will have to go over and explain "Yes, the URL box isn't
EXACTLY the same, but that's still where you're going to be entering
your URLS"... It may come as a surprise that some users can't even
cope with the difference between Microsoft Office and OpenOffice... ;)
2) Who gets to go through the Help Desk's online Knowledge Base and
see which articles are obsolete, and which need to be rewritten for
Mozilla, and which apply either way?
3) Who's budget is going to pay for technician time for cleaning up
when some very important user's bookmarks don't transfer 100% cleanly?
And who gets to pay when it's somebody *not* important (even more
of a concern for your survival in a large organization - if you shaft
the departmental tech over in Billing, they will remember the 35 desktops
they had to fix for you the next time you need a favor...)
4) Who gets to cover the budget for fixing all of the internal websites
that have IE-specific cruft on them (or build and distribute a locally
pre-packaged Mozilla that has PrefBar or other widget that allows
spoofing the User-Agent: header - but see points 1 and 2 about
training and documentation and support)? (Remember in your answer
to allow for departmental and group servers that aren't under central
4a) Anybody in a large organization who thinks that IT controls every
single device on the network is severely deluded. No matter *how*
fascist the site is about locking down MAC addresses on switches, and
forcing all changes via group policy, and preventing users from having
administrator rights on their own machines, there *will* be rogue
machines on the wire (What? 30,000 users and you actually think
you have *NO* users clued enough and independent enough to figure out
how to do an 'ifconfig eth0 hw ether 00:00:de:ad:be:ef' or whatever the
equivalent is for whatever they've installed? ;)
To be fair, this sort of thing becomes an issue for *any* major change.
For instance, the uptake of XP in corporate environments is a lot lower
than Microsoft would like, mostly because all the cost-of-deployment
issues often outweigh the ROI benefits of moving from W2K to XP. It's
REALLY hard to get buy-in for a upgrade that will save $2M if the known
costs are over $1M and you know the budget will end up growing...
And it's an even harder sell for a security move, where you can't easily
I'm not "propogating" here either. It's a situation I wish were different.
But I have to account for the political realities, and work towards the goals
I would like to see deployed organization-wide, and recognize that I'm not
going to get everything I want, nor am I going to get it anytime soon.
I haven't gotten Mozilla on every desktop - but some people are starting
to install it on their own, and the Help Desk and most of the web designers
can at least spell Mozilla.
Progress is made on alternate Thursdays...