Re: [fw-wiz] tunnel vs open a hole

From: Dana Nowell
Date: Fri, 11 Apr 2003 10:51:51 -0400

    OK, several people have lamented on the state of coding, especially related
    to the security industry. Lots of good comments have passed over my T1 but
    I think a simple point has been missed. Where's the pain?

    MS seems to be the example of the week so I'll continue that but this
    applies to just about any vendor. A basic assumption in this email is:
    better code, better testing, implies larger cost.

    MS IIS has bugs, bugs are reported in the industry news, bugs get fixed.
    The issue is the pain of the fixes/break-ins vs. the
    retraining/retooling/"better tool" costs weighted by the chance of an
    incident, all tempered by the politics.

    Ahhh, what politics you say, politics in a technical environment, tsk, tsk
    (yeah, right). Assume I'm a Microsoft oriented admin and I do NOT want to
    learn Unix (or the other way around). First line of defense when
    questioned (IF questioned) by management, we stay on top of the patches and
    update regularly. Second line of defense, hey, the Unix side has bugs too,
    see this list from CERT. Third line of defense, Unix admins cost more and
    the boxes are harder to admin because MS has a better GUI. (Hey, no one
    said politics was a clean game.) So, one issue is political statements as
    technical gospel from the 'techies'. Hell, the typical CEO understands the
    MBAs better than he/she understands the IT guys.

    Other issues include:
    How many CEOs have lost their job due to an Internet break-in?

    How many companies have gone out of business due to a bad security tool
    choice (or any other software bugs)?

    How well known is the reason for their demise in their community (not ours)?

    What number would the typical CEO choose if asked: "How many Internet break
    in attempts occur at your company every year?"

    How many techies have said, "we need X or the sky will fall" yet the sun
    came up in the morning?

    How many break-in stats are publicly available and what is their
    confidence level?

    How many break-in COST stats are publicly available and what is their
    confidence level?

    What is the perception of the failure? Credit cards were stolen from a CC
    processing company, is the perception the firewall failed, the web server
    failed, a human didn't patch, or the company had a screwed CC storage policy?

    So basically, WHERE IS THE PAIN? Better coded/tested toys cost more money
    to bring to market, probably implies more dollars at retail. On-going real
    daily security at the interface level costs dollars every year for
    training, bodies, and tools, where's the CEO level justification?

    Hey, we might get broken into, and the cost of clean-up that no one
    believes might be high. Of course, I can't tell you what the chance of a
    break-in is because I have no REAL data. Nor can I give you a good delta
    on the chance of approach 1, vs. approach 2 because I have no data. But I
    CAN tell you, or you can read in the news, that "Spiffy tool X" is the
    market leader.

    Sure I CAN say that IIS has had more bugs reported than "Competitor A". I
    probably can cost estimate the expense of a switch to the "Competitor A"
    product. I CAN'T say that by spending those X dollars I've decreased the
    chance of a break-in by 10% using any HARD data. Oh, and even if I could,
    I can't say what the original chance of a break-in at this company is
    BEFORE I reduced it by 10%. Did we go from 40% to 36% or from 1% to .9%?

    To the average CEO/COO/CTO the cost of security vs. the value is STILL
    black magic. Some of us have been around the block, some people work in
    the industry, we have a good feel for 'worth', but the average guy doesn't
    necessarily have either event in his favor.

    With a clue you can make an educated coin flip type choice when you first
    buy. Product A's rep sucks, Vendor B isn't thought well of in the
    industry, Vendor C is about to go under, Product Q has no mileage yet and is
    an unknown.

    With connections or other info you can do even better. Hey, I've swapped
    email with the lead guy at Vendor X and I know he has a clue.

    But sometimes post commitment gets difficult to judge. I already own N
    copies of firewall software 'Q', I can replace them with appliance X at
    only N thousand dollars each, plus training. Is that REALLY a good deal?
    How much have I really reduced my risk? How much have I reduced/increased
    my operational costs? Is it worth it, especially if I've never been broken
    into before?

    Should I fix/change the firewall, the web server, the staff training
    policy, the data retention, where do I apply my $$$ to fix 'the problem',
    what does the industry data tell me? (i.e. is it software, humans, or
    process, will changing the software really be worth it?)

    So SHOW ME THE DATA, Hell, find a way to SHOW EVERYONE THE DATA, make it
    clear data and MAYBE we can all be close to the same page on cost vs.
    security, vs. software quality. Some break-ins are attributed to a
    firewall failure, some to a web server bug, many to a failure to patch,
    many to configuration issues, some to busted process/stupid human tricks.
    Right now, given industry news coverage (the main data source for many
    executives), most execs would bet on human/process issues as the biggest
    threat, not software reliability. My guess is 'the pain' CEOs see is the
    human, NOT the software reliability. Companies spend money to fix problems,
    i.e., reduce pain. Better software is good at initial buy in, better
    software as a switch implies retraining the 'weak link' and accepting the
    pain curve again, justification is more difficult.

    Ah well, I was due for a rant, I apologize for my targeting skills :-).

    Oh and before the counter rants start. I'm not for or against MS products,
    I like stuff that works regardless of vendor, they were an example only.
    I'm a CTO, in theory that's the O with a technical clue. I DO understand
    that more reliable software or switches to more idiot proof user interfaces
    can help reduce break-ins, I'm one of the ones that's been around the block.
    I'm not stating that switching is not a good thing, I'm saying that CEOs
    don't like to toss out investments and training and that some of the
    'better' is subjective and hard to quantify in real dollars while the
    current investment is easy to quantify. Fortunately my CEO thinks I have a
    clue and is usually willing to listen to reason :-). OK, fire away.

    Dana Nowell     Cornerstone Software Inc.
    Voice: 603-595-7480 Fax: 603-882-7313
