In a message written on Tue, Jan 28, 2003 at 03:10:18AM -0500, Sean Donelan wrote:
> They bought finest firewalls,
A firewall is a tool, not a solution. Firewall companies advertise much like Home Depot (Lowes, etc), "everything you need to build a house". While anyone with 3 brain cells realizes that going into Home Depot and buying truck loads of building materials does not mean you have a house, it's not clear to me that many of the decision makers in companies understand that buying a spiffy firewall does not mean you're secure. Even those that do understand, often only go to the next step. They hire someone to configure the firewall. That's similar to hiring the carpenter with your load of tools and building materials. You're one step closer to the right outcome, but you still have no plans. A carpenter without plans isn't going to build something very useful. Very few companies get to the final step, hiring an architect. Actually, the few that get here usually don't do that, they buy some off the shelf plans (see below, managed security) and hope it's good enough. If you want something that really fits you have to have the architect really understand your needs, and then design something that fits.
> they had two-factor biometric locks on their data centers,
This is the part that never made sense to me. Companies are installing new physical security systems at an amazing pace. I know some colos that have had four new security systems in a year. The thing that fascinates me is that unless someone is covering up the numbers /people don't break into data centers/. The common thief isn't too interested. Too much security/video already. People notice when the stuff goes offline. And most importantly, too hard to fence for the common man. The thief really interested in what's in the data center, the data, is going to take the easiest vector, which until we fix other problems is going to be the network. I think far too many people spend money on new security systems because they don't know what else to do, which may be a sign that they aren't the people you want to trust with your network data.
> they installed anti-virus software,
Which is a completely different problem. Putting the bio-hazard in a secure setting where it can't infect anyone and developing an antidote in case it does are two very different things. One is prevention, one is cure.
> they paid for SAS70 audits by the premier auditors,
Which means absolutely nothing. Those audits are the equivalent of walking into a doctor's office, making sure he has a working stethoscope and a box of tongue depressors, and maybe, just maybe, making the doctor use both to verify that he knows how to use them. While interesting, that doesn't mean very much at all about whether, when you walk in with a disease, the doctor will cure you. Just like it doesn't mean that when the network virus/worm/trojan comes you will be immune.
> they hired the best managed security consulting firms.
This goes back to my first comment. Managed security consulting firms do good work, but what they can't do is specialized work. To extend the house analogy they are like the spec architects who make one "ok" plan and then sell it thousands of times to the people who don't want to spend money on a custom architect. It's better than nothing, and in fact for a number of firms it's probably a really good fit. What the larger and more complex firms seem to fail to realize is that as your needs become more complex you need to step up to the fully customized approach, which no matter how hard these guys try to sell it to you they are unlikely to be able to provide. At some level you need someone on staff who understands security, but, and here's the hard part, understands all of your applications as well. How many people have seen the firewall guy say something like "well I opened up port 1234 for xyzsoft for the finance department. I have no idea what that program does or how it works, but their support people told me I needed that port open". Yeah. That's security. Your firewall admin doesn't need to know how to use the finance software, but he'd better have an understanding of what talks to what, what platforms it runs on, what is normal traffic and what is abnormal traffic, and so on.
> Are there practical answers that actually work in the real world with real users and real business needs?
I think there are two fundamental problems:

* The people securing networks are very often underqualified for the task at hand. If there is one place you need a "generalist" type network/host understands-it-all type person it's in security -- but that's not where you find them. Far too often "network" security people are cross-overs from the physical security world, and while they understand security concepts I find much of the time they are lost at how to apply them to the network.

* Companies need to hold each other responsible for bad software. Ford is being sued right now because Crown Vic gas tanks blow up. Why isn't Microsoft being sued over buffer overflows? We've known about the buffer overflow problem now for what, 5 years? The fact that new, recent software is coming out with buffer overflows is bad enough; the fact that people are still buying it, and also making the companies own up to their mistakes, is amazing. I have to think there's billions of dollars out there for class action lawyers. Right now software companies, and in particular Microsoft, can make dangerously unsafe products and people buy them like crazy, and then don't even complain that much when they break.

-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org