Re: Going meta (was RE: [fw-wiz] Ok, so now we have a firewall...)
From: R. DuFresne (dufresne_at_sysinfo.com)
To: Chris Blask <firstname.lastname@example.org>
Date: Wed, 8 Jun 2005 19:54:13 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Let's see, the CIO for my present employer won, I believe, the ISE award
last fall, and her competition consisted of the CISO for the now infamous
ChoicePoint amongst others. I'd say much more, but well, let it rest
with my <cough> congrats on this 'award'...
Point being, we tend to award those that demonstrate minor accomplishments
in this industry, at this time, overlooking that the high profile systems and
projects these folks manage are fraught with exposures, compromises, and
latent lack of accountability, so the processes to clean up are down the
road of enlightenment.
And, yes, I'm trying to be as obtuse as possible here to avoid being made
a scapegoat once again...
On Thu, 2 Jun 2005, Chris Blask wrote:
> Hey, Scott!
> At 04:28 PM 6/2/2005, Scott Stursa wrote:
>> So I held my ground and we did it my way. The result - no compromised
>> hosts since then (beginning of March).
>> But I've paid for that. Two months ago he did a performance appraisal on
>> me, giving me the first "unsatisfactory" rating I've received in 26 years
>> of working for the university. I'm on probation and having to document
>> literally every minute of my day. Not that it will make any difference - I
>> fully expect to be unemployed when my contract expires in August.
>> This is the price I'm paying for *not* being a "sissy".
> That sucks! I mean, it is quite possible he is just the breed of pencil-neck
> career-monkey that occurs so often in the wild and you would never be able to
> live with him, anyway, but this is precisely the kind of situation that
> occurs again and again and grinds us down as a group. Of course it's
> grinding you now specifically, but I bet you a bottle of Jameson's that you
> end up making more money this time next year than you are now (and maybe more
> than your petty boss :-) and enjoy your work more.
> I've been following the accountability thread, and it occurs to me that the
> one thing we desperately lack is the ability to deliver good practices that
> people can follow and be held accountable for following. In a Perfect World
> it would be a piece of paper that Scott could take to his boss's boss and say
> "I insisted we follow this, as is my responsibility, and Rung Lemur here is
> all pissy about it."
> o I know good classes are being taught, but obviously it isn't enough and/or
> we have other issues (and Quantity < Need, certainly).
> - The scale thing is certainly a big part of the problem, even most CTOs are
> working with a barbaric understanding of security.
> - the sheer newness of all this IP stuff (and buried in that is their first
> confrontation with Security) creates a dynamic load of issues for any CTO
> doing their job, so even the very few who have had a first-hand conversation
> with a well-spoken Clue Club Member most likely never hear the wisdom again
> and the message is plowed under.
> - I'd like to find some one-liner to address the problem, but it looks like
> just lots more work developing and delivering education (pick a medium) and
> allowing the passage of time to inculcate the masses with some experience.
> - One metric that gives me hope on the Edumacation front is my endless
> Brownian Public Survey, and I see the savvy-factor in the average Joe going
> up consistently. I poll people ceaselessly about (well, everything, but
> among that:) their interaction with information technology. I still can't
> have an in-depth useful conversation about security with the least capable of
> computer clickers, but today those folks are now the very last of the
> living-in-the-woods (literally) people who said they would "never own a
> confuser". Mom still has a hard time following the thread if I get too
> enthusiastic about details, but she gets all the basics and can apply them to
> her own experiences using 'puters and the net. The average
> plane-seat-neighbor can usually play a good foil for thinking out loud about
> an issue - but it's always the first time they've considered it that closely,
> even if they are IT folks.
> o Product classes and categories have shifted around enough that even we
> have to pay attention, everyone else is like the cancer patient listening to
> two doctors disagree on his treatment.
> o There obviously isn't a given Best Practices Precedent out there, or
> lawyers would have found it and sued the crap out of people by now. Without
> such precedent, it's impossible to hold management types accountable for
> following it, and it's impossible to nail mismanagement mid-weasles like
> Scott's boss for gross incompetence. We could use a good sue-able
> o Auditing tools need to get better. If it could be clearly shown that a
> commonly accepted practice was not followed, leading to losses to the
> organization involved, then the accountability chain can be established and
> Paul's lawyerfests can be directed at creating Darwinistic impulses among
> CTOs, and thereby creating same in high-expectation-having, upward-managing,
> lickspittles like Scott's Uberviser. Fixing auditing is not my problem
> anymore at the moment, but Marcus and tbird and Partha and the rest need to
> keep plugging until the next Scott can have a leg to stand on against his
> Scott's boss still needs a swift kick. I'm leaving for Disney tomorrow, can
> I stop by and rough him up for you... :-)
> PS - somebody get Scott a better job!
> Chris Blask
> firewall-wizards mailing list
admin & senior security consultant: sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
-----END PGP SIGNATURE-----