RE: Going meta (was RE: [fw-wiz] Ok, so now we have a firewall...)

From: Bill McGee (bam) (bam_at_cisco.com)
Date: 06/03/05

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"
    To: "Marcus J. Ranum" <mjr@ranum.com>, "Mark Tinberg" <mtinberg@securepipe.com>
    Date: Thu, 2 Jun 2005 17:11:21 -0700
    OK, I guess I need to clarify, although I'm pretty sure that we'll still
    have to disagree on a number of issues (although we're probably not as
    far apart as it may have seemed at first...)

    Marcus Ranum wrote:

    <snip>

    > Some possibilities:
    > - Some of the products we're buying simply don't work
    > - Some of the products we're buying aren't being used
    > properly
    > - There is no correlation between cost and effectiveness
    > of security products
    > - (some of the above)
    > - (all of the above)
    >
    > A few years ago I tried to point out that the same logic
    > applies to security education. We're spending more money
    > and time teaching people about computer security than
    > ever before. The situation is getting worse. Ergo; it's not
    > helping, let's stop wasting the money and search for an
    > alternative. As you can imagine (especially since I made
    > that observation during the keynote of a conference that
    > makes its $$ doing security education) that view was not
    > popular.

    And, of course, it's a bit silly. While I agree that a parallel course
    of action is to make the solutions idiot-proof, part of the problem is
    one of scale. The pool of folks who understand what's going on is being
    diluted by the growing influx of folks who haven't got a clue. So, while
    the number of competent practitioners out there is actually going UP
    (IMO), the general Security IQ has been going down (notice how the
    crowds at the security conferences seem to actually know LESS each
    year?) I would argue that we need to do MORE educating (including the
    establishment of an Advanced Degree in Network Security, but that's
    another discussion.)
    >
    > Anyhow, I've tried to keep this clear and unemotional,
    > and I hope that if you've stuck with me this far you'll
    > see where I'm coming from. I think that the security
    > practitioners who are preaching "real world" are
    > really advertising their willingness to compromise in
    > an area where the results of those compromises are all
    > blindingly clear.

    I don't think so. The problem, as I see it, is that the whole issue is
    moving so rapidly that the number of folks out there that can
    orchestrate their entire security strategy while the ground shifts under
    their feet is woefully small (see above.) Part of the problem lies with
    education, part with the vendors out there who preach that their new
    whatzit is the only thing needed to cure what ails you {snake-oil is a
    problem we've had to deal with for a long time now}, and part because we
    tend to speak in absolutes.

    By contrast, Risk Reduction is less a compromise than actually having a
    PLAN so you can approach new problems from a consistent point of view.
    This would include such things as (you know the drill...): Actually have
    a written security policy, ranking the relative value of assets, making
    hard decisions (i.e. deciding which assets cost more to protect than
    they're worth, which elements you can afford to fix now, and which will
    have to wait, etc.), conducting regular risk assessments (with an
    outside firm), testing gear for leaks before you install it, leveraging
    existing infrastructure (turn stuff off, lock stuff down, actually USE
    what you have), where possible installing Proactive rather than Reactive
    solutions, planning ahead for patching and updating, installing security
    EVERYWHERE (endpoints, servers, gateways, routers, switches, etc.), and
    getting your security and networking gear to talk to each other as much
    as possible. And tying everything into enabling the business goals of
    the organization.

    Of course, we all understand this. Unfortunately, when I talk this way
    to far too many CXOs in our Executive Briefing Center they look at me
    like I just discovered fire. The problem (to get back to the thread) is
    that too many executives out there have bought into the snake-oil and
    believe that because they bought some gizmo that they're fine. And then
    they blow a gasket when the $50,000 they spent on a box didn't stop the
    latest worm/virus/hacker from bringing them to their knees.
     
    > To me, the stellar example remains the whole firewall
    > "debate" of the early 1990's. Let's not beat around the
    > bush: convenience kicked security's ass in 1994 and
    > has been kicking it ever since. Yes, there are lots of
    > perfectly good-sounding "business justifications" for
    > doing it, but today's firewalls let too much stuff back
    > and forth. To me, the fact that organizations with
    > firewalls continue to get brutally hacked is empirical
    > proof of that view. I know a handful of organizations
    > that have very strict firewalls with draconian and
    > unpopular rulesets - and they simply don't get
    > hacked. To me, that's a good argument supporting
    > my view. I can't prove any of this, and there are no
    > studies I can think of that attempt to tie practices to
    > getting hacked, but I bet if there was, there'd be a lot
    > of red faces in the security community.

    Sure, but companies don't build networks so they have a place to install
    their security gear. CXOs HATE buying security. They see it as a cost
    center, like insurance. The concept of "draconian rules" makes their
    toes curl up in their wingtips. To get their buy-in, the conversation
    needs to be in language they understand. If you start ranting about all
    of the possible bad things that are going to happen if they don't get a
    clue, their eyes glaze over. You have to speak about minimum or zero
    downtime, maximum productivity, enabling critical business processes.
    Tie it to their five-year plans and their MBOs. Otherwise, they'll smile
    politely, have security escort you from the building, and then ignore
    you.

    > Basically, what's going on is that a lot of security
    > practitioners are in the position of being asked to make
    > something safe that is fundamentally dangerous. So
    > we hide behind the notion of "risk management" -
    > basically the illusion that "if we try hard to cover our
    > butts it's less dangerous than otherwise." What that
    > has accomplished is to create an environment in
    > which security has NO CHOICE but to compromise
    > because senior execs know that if they don't get
    > the answer they want out of one security practitioner,
    > they can keep asking until they get the answer
    > they want out of another that has been better
    > trained in the art of "security by bending over and
    > gripping your ankles tightly" (the "tight" part of
    > the ankle-gripping is known as "risk management.")

    If executives see security as a business enabler, however, i.e.
    something that moves them towards a happy quarterly meeting with their
    Board of Directors, they'll spend the money. You will NOT, in my
    experience, make any headway speaking to them in absolutes. Their entire
    business is risk management (what's the pay-off vs. risk if I invest
    here rather than there?) so why should security be any different?

    And, of course, the reality is that there is really no such thing as
    absolute security, is there? (other than disassembling everything,
    sealing it in a concrete and glass matrix, and dumping it into the
    Mariana Trench [and even then...]) So, even draconian rules are a form
    of risk management ("I believe that if I implement this set of rules
    that I am the least likely to get into trouble.") One of the oldest
    truisms in our industry is that 'declaring a system "secure" is the
    surest way to have to eat those words by and by'. So maybe, risk
    management is just a bit more honest...?
     
    > My feeling is that during the 90's we, as an industry,
    > dug ourselves into a hole we're not going to be able
    > to spend or risk manage our way out of. We did that
    > by trying to deal with the "real world" instead of
    > demanding excellence, good design, and wise
    > leadership.

    We are in total agreement here.
     
    > I am totally sympathetic to the plight of the security
    > practitioner who isn't willing to put his job on the line
    > by telling the CTO he's a moron. I completely understand
    > why people feel they need to compromise. But I still
    > think compromise is for sissies.

    Unfortunately, there are far too few people who can think like you and
    get away with it. (I mean that as a compliment.)

    -bill
    >
    > mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
