Re: IT security people sleep well

["Stephen Sprunk" <stephen () sprunk org>]

Thus spake "Sean Donelan" <sean () donelan com>
> Two issues tied as being of prime concern to those network administrators
> surveyed: 32% responded that they worry most about "the next virus/worm"
> and an equal percentage answered they worry most about "a security breach
> to the enterprise's network."  The big surprise was that 34% of survey
> respondents said they had "no worries and sleep like a baby."

When I read that, I immediately thought of a quote by Colin Powell:

"I sleep like a baby, too.  Every two hours I wake up screaming!"

Too many people in this industry either ignore security completely or think
that it's the sole province of the "security department".  Some vendors have
gotten their act together, even Microsoft, but they haven't made a dent in
the mindset of their customers.  Even among NANOGers, it's pretty obvious
most networks don't even do the most rudimentary of source filtering, so how
can we expect more advanced technologies to be adopted?

On the SSH/SSL front: IMHO these technologies give a false sense of
security.  Sniffing cleartext management sessions is a concern, yes, but
actual incidents where it occurs, especially within your own network
infrastructure, are vanishingly rare compared to the commonplace compromise
of individual hosts.  Creating a secure link between hosts is wasted effort
at best if you can't trust the host at the other end of that link.

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723           people.  Smart people surround themselves with
K5SSS         smart people who disagree with them."  --Aaron Sorkin