Re: Food for Thought
From: Lohkee (lohkee@worldnet.att.net)
Date: 07/13/02
- Next message: Lohkee: "Re: More food for thought"
- Previous message: Lohkee: "Re: Food for Thought"
- In reply to: HC: "Re: Food for Thought"
- Next in thread: Scott C. Zimmerman: "Re: Food for Thought"
From: "Lohkee" <lohkee@worldnet.att.net> Date: Sat, 13 Jul 2002 16:02:29 GMT
"HC" <keydet89@yahoo.com> wrote in message
news:3D302BA8.3050100@yahoo.com...
>
> > What I am talking about are business (public and private) IS environments.
> > The idea that every employee needs 'net access is simply not substantiated
> > by the evidence (at least in my own experience looking at very large audit
> > trails). It makes very little sense to put a production network at risk
> > without a good business reason for doing so. It is true that some employees
> > may need access, however, that does not necessarily mean that you must
> > connect a production network to the 'net in order to provide it. PCM seems
> > to dictate that we treat our business environments the same as our home
> > environments - I believe this is both idiotic and extremely dangerous to our
> > national interests.
>
>
> I cannot tell you how much I agree with you. Having a production
> network does not mean that it needs to be connected to the Internet. I
> also agree that every employee/user does not need Internet access...or,
> at the very least, unrestricted access.
>
> However, where we part ways on this is the idea that people are treating
> business networks like home networks. Not at all. Maybe...maybe...I
> can agree that the mentality is there. Yes, I will give you that. But
> I also know from experience that there is something else.
A little vague, Harlan. I would suggest looking at firewall audit trails.
Most of the browsing will not be work-related. People are playing, i.e.,
using their workstations much the same as they would their home PC.
>
> I used to work for Winstar, a large telecomm firm. I was THE network
> security manager. When I first started w/ the company, I was in
> operations. Basically, the telecomm model for standing up a new product
> is that it's conceived by sales/marketing, designed/built/documented by
> engineering, and then thrown over a Chinese wall to operations to
> maintain. By everything I know about infosec, that doesn't make any
> sense...neither marketing nor engineering had infosec personnel.
> Basically, I had the mandate to secure a production system that is
> already in place, but had no security designed into it. The systems
> cannot be taken down for configuration control, adding a second NIC w/ a
> private address for monitoring/administration, etc.
>
On this we can agree!
>
> In fact, I was able to find documentation for one major product where
> security was specifically removed from the discussion table by the
> project manager several months before I even started w/ the company.
> All of those nice, big Compaq servers running Win2K and IIS had to be
> patched after the fact...oh, and did I mention they couldn't be taken
> down? No rebooting.
>
> My point is quite simple. Those of us in the profession are faced with
> obstacles we never really encountered as we "came up the ladder". We
> have to deal w/ production systems that cannot be taken down,
> infrastructures that are already in place, the inability to purchase new
> equipment in a timely manner, etc.
>
No one ever said the job was easy. I think the answer is for security to
become involved at the beginning, and if the PM doesn't like that, then
perform a risk assessment showing what a piece of crap he/she built and the
risk to the org as a result.
>
> > You might well be right. It may indeed be wishful thinking on my part to
> > believe that we can create a secure infrastructure, however, I fully intend
> > to do everything I can to champion this effort.
>
>
> I'm with you on both parts...first, that it's wishful thinking, and
> second, that I, too, am doing everything I can do to champion such
> things. But Bardia has a valid point...many of the infrastructures you
> and I and everyone else have to deal with are already in place.
> Entrenched, even. This isn't even considering the fiefdoms and
> political issues we have to deal with.
I disagree. I have control over my network. While I can do nothing about
the net, I can do something about the systems I connect to the Net. If
everybody did this . . . Yes, I am a dreamer. The point is that you
cannot have both. You must choose between fiefdoms and security, etc, etc.
>
> > The first and by far the
> > largest step is to admit that what we are doing is just not working.
>
>
> I don't see that as an issue at all. In fact, I think that is a
> well-recognized fact. However, the only real way to address what you're
> referring to, as pointed out by Bardia, is to rip out everything we
> already have in place and start over. Anything else is putting bandaids
> on a boo-boo.
Not true. Everyone can take care of their little corner without any
downtime. If we all know it is not working, as you suggest, then why do we
keep doing the same thing over and over and over again????
>
> > If only one or two people who read this newsgroup can accept this as a
> > possibility and start re-thinking the whole security issue things might
> > change, especially if they are leaders within the industry that have a
> > voice. When all is said and done I may fail miserably. Such is the price of
> > doing business . . . . .
>
>
> Like I've said since my first response, I think what you're considering
> has merit...it's just that many of your thoughts aren't as well
> developed as they need to be. This isn't a personal attack at all...I'm
> simply saying that by engaging in the discussion a little more, and
> being open, I think you'll see that many of us, even those who aren't in
> this newsgroup, have already gone down this road at one time or another.
>