Firewall Wizards mailing list archives

RE: Going meta (was RE: Ok, so now we have a firewall...)


From: "Bill McGee (bam)" <bam () cisco com>
Date: Thu, 2 Jun 2005 17:11:21 -0700

OK, I guess I need to clarify, although I'm pretty sure that we'll still
have to disagree on a number of issues (although we're probably not as
far apart as it may have seemed at first...)

Marcus Ranum wrote:

> <snip>
> 
> Some possibilities:
> - Some of the products we're buying simply don't work
> - Some of the products we're buying aren't being used properly
> - There is no correlation between cost and effectiveness of security products
> - (some of the above)
> - (all of the above)
> 
> A few years ago I tried to point out that the same logic
> applies to security education. We're spending more money
> and time teaching people about computer security than
> ever before. The situation is getting worse. Ergo; it's not
> helping, let's stop wasting the money and search for an
> alternative. As you can imagine (especially since I made
> that observation during the keynote of a conference that
> makes its $$ doing security education) that view was not
> popular.

And, of course, it's a bit silly. While I agree that a parallel course
of action is to make the solutions idiot-proof, part of the problem is
one of scale. The pool of folks who understand what's going on is being
diluted by the growing influx of folks who haven't got a clue. So, while
the number of competent practitioners out there is actually going UP
(IMO), the general Security IQ has been going down (notice how the
crowds at the security conferences seem to actually know LESS each
year?) I would argue that we need to do MORE educating (including the
establishment of an Advanced Degree in Network Security, but that's
another discussion.)

> Anyhow, I've tried to keep this clear and unemotional,
> and I hope that if you've stuck with me this far you'll
> see where I'm coming from. I think that the security
> practitioners who are preaching "real world" are
> really advertising their willingness to compromise in
> an area where the results of those compromises are all
> blindingly clear.

I don't think so. The problem, as I see it, is that the whole issue is
moving so rapidly that the number of folks out there that can
orchestrate their entire security strategy while the ground shifts under
their feet is woefully small (see above.) Part of the problem lies with
education, part with the vendors out there who preach that their new
whatzit is the only thing needed to cure what ails you {snake-oil is a
problem we've had to deal with for a long time now}, and part because we
tend to speak in absolutes.

By contrast, Risk Reduction is less a compromise than actually having a
PLAN so you can approach new problems from a consistent point of view.
This would include such things as (you know the drill...): actually having
a written security policy, ranking the relative value of assets, making
hard decisions (i.e. deciding which assets cost more to protect than
they're worth, which elements you can afford to fix now, and which will
have to wait, etc.), conducting regular risk assessments (with an
outside firm), testing gear for leaks before you install it, leveraging
existing infrastructure (turn stuff off, lock stuff down, actually USE
what you have), where possible installing Proactive rather than Reactive
solutions, planning ahead for patching and updating, installing security
EVERYWHERE (endpoints, servers, gateways, routers, switches, etc.), and
getting your security and networking gear to talk to each other as much
as possible. And tying everything into enabling the business goals of
the organization.

Of course, we all understand this. Unfortunately, when I talk this way
to far too many CXOs in our Executive Briefing Center they look at me
like I just discovered fire. The problem (to get back to the thread) is
that too many executives out there have bought into the snake-oil and
believe that because they bought some gizmo that they're fine. And then
they blow a gasket when the $50,000 they spent on a box didn't stop the
latest worm/virus/hacker from bringing them to their knees.

> To me, the stellar example remains the whole firewall
> "debate" of the early 1990's. Let's not beat around the
> bush: convenience kicked security's ass in 1994 and
> has been kicking it ever since. Yes, there are lots of
> perfectly good-sounding "business justifications" for
> doing it, but today's firewalls let too much stuff back
> and forth. To me, the fact that organizations with
> firewalls continue to get brutally hacked is empirical
> proof of that view. I know a handful of organizations
> that have very strict firewalls with draconian and
> unpopular rulesets - and they simply don't get
> hacked. To me, that's a good argument supporting
> my view. I can't prove any of this, and there are no
> studies I can think of that attempt to tie practices to
> getting hacked, but I bet if there were, there'd be a lot
> of red faces in the security community.

Sure, but companies don't build networks so they have a place to install
their security gear. CXOs HATE buying security. They see it as a cost
center, like insurance. The concept of "draconian rules" makes their
toes curl up in their wingtips. To get their buy-in, the conversation
needs to be in language they understand. If you start ranting about all
of the possible bad things that are going to happen if they don't get a
clue, their eyes glaze over. You have to speak about minimum or zero
downtime, maximum productivity, enabling critical business processes.
Tie it to their five-year plans and their MBOs. Otherwise, they'll smile
politely, have security escort you from the building, and then ignore
you.

> Basically, what's going on is that a lot of security
> practitioners are in the position of being asked to make
> something safe that is fundamentally dangerous. So
> we hide behind the notion of "risk management" -
> basically the illusion that "if we try hard to cover our
> butts it's less dangerous than otherwise." What that
> has accomplished is to create an environment in
> which security has NO CHOICE but to compromise
> because senior execs know that if they don't get
> the answer they want out of one security practitioner,
> they can keep asking until they get the answer
> they want out of another that has been better
> trained in the art of "security by bending over and
> gripping your ankles tightly" (the "tight" part of
> the ankle-gripping is known as "risk management.")

If executives see security as a business enabler, however, i.e.
something that moves them towards a happy quarterly meeting with their
Board of Directors, they'll spend the money. You will NOT, in my
experience, make any headway speaking to them in absolutes. Their entire
business is risk management (what's the pay-off vs. risk if I invest
here rather than there?) so why should security be any different?

And, of course, the reality is that there is really no such thing as
absolute security, is there? (other than disassembling everything,
sealing it in a concrete and glass matrix, and dumping it into the
Mariana Trench [and even then...]) So, even draconian rules are a form
of risk management ("I believe that if I implement this set of rules
that I am the least likely to get into trouble.") One of the oldest
truisms in our industry is that 'declaring a system "secure" is the
surest way to have to eat those words by and by'. So maybe, risk
management is just a bit more honest...?

> My feeling is that during the 90's we, as an industry,
> dug ourselves into a hole we're not going to be able
> to spend or risk manage our way out of. We did that
> by trying to deal with the "real world" instead of
> demanding excellence, good design, and wise
> leadership.

We are in total agreement here.

> I am totally sympathetic to the plight of the security
> practitioner who isn't willing to put his job on the line
> by telling the CTO he's a moron. I completely understand
> why people feel they need to compromise. But I still
> think compromise is for sissies.

Unfortunately, there are far too few people who can think like you and
get away with it. (I mean that as a compliment.)

-bill

> mjr.