Re: [fw-wiz] Worms, Air Gaps and Responsibility

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 05/06/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 7 May 2004 00:24:49 +0530
    
    

    On 06/05/04 10:34 -0400, Paul D. Robertson wrote:
    > On Wed, 5 May 2004, Carson Gaspar wrote:
    >
    > > I agree. My response was to your "what excuse do they have" question. In
    > > my specific industry, they have a bunch. Most other industries don't make
    > > every single dollar based on timely, accurate, electronic information. When
    > > your entire business is manipulating flows of information, based on other
    > > flows of information, limiting who can see what is a very tough job. Not
    > > impossible, but extremely difficult, and very expensive.
    >
    > But by the same token, that makes a massive network/node failure all that
    > more expensive- at some stage, we have to start taking infrastructure
    > seriously, and I'd argue that it's businesses that rely on infrastructure
    > so heavily that need to be in front of it.
    How many businesses see good infrastructure as an asset, rather than a
    cost? I would say that most businesses that I have had to deal with have
    seen infrastructure as a cost to be minimised, rather than as a
    necessary asset with associated costs. And even for those who do think
    of it as infrastructure, the idea is to have one time capital
    expenditure and low operating expenses, as with all other types of
    capital investments.

    >
    > I understand where you're coming from, I'd just like to see us all make
    > more coordinated and extensive efforts to revisit the "connectivity trumps
    > all" mantra.
    Let me ask a harder question: How do you get the horse to drink?
    Connectivity shows profits in the balance sheet. Security shows up as
    expenses. Lack of downtime does not show up.
     
    > Maybe I'm too optimistic, but I always used incidents like this last worm
    > to get policy changes, validate the usefulness of controls when we didn't
    > get hit, and generally give the senior execs ammo to crow about how well
    > done their practical support of security programs was.
    What is needed is a way to convert security benefits into balance sheet
    numbers. Once we work out a useful formula for that, then we can
    actually hope for some beneficial changes in the mindset of business
    management.

    Note that having one cheap administrator dedicated to cleaning up viruses
    often works out cheaper than having an antivirus everywhere and kept up
    to date. What Blaster really did was knock out the network, so that
    no one was able to work. That cost is visible. The cost of adequate
    security to prevent events like that happening again is known.

    What is the risk of another worm as bad as that hitting networks
    repeatedly a few times, until the cost of /not/ patching goes above the
    cost of maintaining proper security?

    Perhaps we really need a few lousily coded worms which take down the
    Internet. One hitting on ports 25, 80 and 443 would be really interesting
    and scary.

    Devdas Bhagat
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

