Re: [fw-wiz] Worms, Air Gaps and Responsibility

From: Devdas Bhagat (
Date: 05/06/04

  • Next message: David Lang: "RE: [fw-wiz] NAT Pseudo Security"
    Date: Fri, 7 May 2004 00:24:49 +0530

    On 06/05/04 10:34 -0400, Paul D. Robertson wrote:
    > On Wed, 5 May 2004, Carson Gaspar wrote:
    > > I agree. My response was to you're "what excuse do they have" question. In
    > > my specific industry, they have a bunch. Most other industries don't make
    > > every single dollar based on timely, accurate, electronic information. When
    > > your entire business is manipulating flows of information, based on other
    > > flows of information, limiting who can see what is a very tough job. Not
    > > impossible, but extremely difficult, and very expensive.
    > But by the same token, that makes a massive network/node failure all that
    > more expensive- at some stage, we have to start taking infrastructure
    > seriously, and I'd argue that it's businesses that rely on infrastructure
    > so heavily that need to be in front of it.
    How many businesses see good infrastructure as an asset, rather than a
    cost? I would say that most businesses that I have had to deal with have
    seen infrastructure as a cost to be minimised, rather than as a
    necessary asset with associated costs. And even for those who do think
    of it as infrastructure, the idea is to have one time capital
    expenditure and low operating expenses, as with all other types of
    captial investments.

    > I understand where you're coming from, I'd just like to see us all make
    > more coordinated and extensive efforts to revisit the "connectivity trumps
    > all" mantra.
    Let me ask a harder question: How do you get the horse to drink?
    Connectivity shows profits in the balance sheet. Security shows up as
    expenses. Lack of downtime does not show up.
    > Maybe I'm too optimistic, but I always used incidents like this last worm
    > to get policy changes, validate the usefulness of controls when we didn't
    > get hit, and generally give the senior execs ammo to crow about how well
    > done their practical support of security programs was.
    What is needed is a way to convert security benefits into balance sheet
    numbers. Once we work out a useful formula for that, then we can
    actually hope for some beneficial changes in the mindset of business

    Note that having one cheap administrator dedicated to cleaning up viruses
    often works out cheaper than having an antivirus everywhere and kept up
    to date. What Blaster really did was knock out the network, so that
    no one was able to work. That cost is visible. The cost of adequate
    security to prevent events like that happening again is known.

    What is the risk of another worm as bad as that hitting networks
    repeatedly a few times, until the cost of /not/ patching goes above the
    cost of maintaining proper security?

    Perhaps we really need a few lousily coded worms which take down the
    Internet. One hitting on ports 25, 80 and 443 would be really interesting
    and scary.

    Devdas Bhagat
    firewall-wizards mailing list

  • Next message: David Lang: "RE: [fw-wiz] NAT Pseudo Security"