Message-ID: <20040318230551.86363.qmail@web21111.mail.yahoo.com>
From: jvburnes at yahoo.com (Jim Burnes)
Subject: (no subject)

Actually, what is really needed and primarily missing from the security picture is:

1. Risk analysis/computation and communication with the business side.
2. An INFOSEC department reporting directly to the board or CFO, with some sort of impedance-matched engagement with networking/systems/development.

The primary problem with information security is that the business side of most corporations is participating in IT-supported markets without knowing what kind of risk they are signing onto. They are essentially swimming in an unknown risk pool.

Why is that? Because many IT security departments are buried in the IT infrastructure, where they are immersed in technological solutions. They know they need more budget to do things right, but few have a good quantitative basis for justifying their decisions. Without this, they can't get budget and are reduced to groveling for the table scraps from other IT departments and looking like Chicken Little because they have no rational metrics. (Not that this has ever happened to me ;-)

Just about any security solution you can imagine can be resolved by rationally looking at the numbers. Very few people are doing this because engineers don't generally speak business speak and businessmen don't speak geek. *But*, both groups have taken their share of statistics courses, and this is the common ground of intelligent risk taking.

So the next time someone asks whether Win2K3 is justified, you can speak like an engineer and not a religious fanatic. I know it feels good to say, "XYZ company has *#$# for brains. They don't care about security and are costing us a fortune." Maybe you are right. Maybe it's a huge risk and not worth the cost. But think how much more effective you can be if you say, "by using the Fumblewidget System Server we will decrease value at risk by at least $12,000,000 per month."
That is something the business guys can use. Maybe by using the Zorop Web Proxy instead they can enter a market worth $53,000,000 and capture half that in profit. Eventually, they get to decide whether the risk reduction is worth it because, well, that's their job. Maybe you can show them that each security breach of the Zorop system will cost $5,000,000 in damage, lost time and legal costs.

The best model for corporate security I can think of is that of an intelligent and capable executive bodyguard: staying out of sight for the most part, but ready at a moment's notice. The executive, walking to work, says, "I've got to get to the Wall Street Open Market meeting. Let's take a short cut down that alley." The bodyguard says, "Well sir, you know your own business, but there is a 50% probability that you will be beaten severely and probably miss the important trade meeting worth $50 billion. How about I call Skyways Helicopter and have them pick you up and fly you there? It will get you there even faster, and the $2000 tab will be nothing compared to missing the meeting."

Just like the bodyguard, you have to be able to bring the stats in front of the business risk takers so they can decide. You have to talk to the brains, because it does you no good to talk to the executive's foot or hand or mouth. All the foot, hand or mouth understands is that someone gave them orders and you're getting in the way.

So to answer your question, MS does what it does because it continues to make vast profits at near zero risk. Since it's the "only game in town"** it essentially transfers its customers' losses due to unanalyzed risk into its treasury. Quod erat demonstrandum, baby.

Of course, I'm sure that the MS story is that they have such a huge value add that it justifies the added risk. Exercise for the student: use risk analysis to prove them wrong.

Does anyone know of any effective (possibly open source) risk analysis model / spreadsheet?
jvb
security engineer

**If I were a truly neutral player in this game I would refer to this as a "natural monopoly", but only the clinically naive would so delude themselves. The truly dispassionate would probably chalk up the MS advantage to strange attractor theory.

> -----Original Message-----
> From: Ng, Kenneth (US) [mailto:kenng@...g.com]
> Sent: Thursday, March 18, 2004 11:18 AM
> To: 'Schmehl, Paul L'; full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?
>
> Totally agree. There is no magic bullet for security, especially on a large
> network. You can have firewalls guarding the outside, run Anti Virus
> against the mail servers, the file servers, and all the desktops. How about
> consultants coming in? How about vendor demos that need to be plugged into
> the network? How about appliance servers where the vendor claims "you don't
> need to patch this", and they are really running W2K with no service packs,
> wide open with every service known to mankind enabled? How about
> applications that break because they depend on the MSSQL SA password being
> blank? How about those network-aware copiers or fax machines or distributed
> door locks or HVAC (really) systems? Nothing will catch everything. Anyone
> who says so is selling snake oil or hiding management nightmares. Yes,
> firewalls and other related hardware help. We also need software vendors to
> stop giving lip service to security and start actually implementing it. We
> need software vendors to start publishing network protocols so that
> firewalls can actually look at the traffic and make intelligent decisions.
> We need software and hardware vendors to stop saying "security is not our
> problem".
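A minimal version of the quantitative model the post asks for, added here as an example; it is not code from the post, from the Full-Disclosure thread, or from any product. Each threat is expressed as a single-loss expectancy (SLE) and an annual rate of occurrence (ARO), the annualized loss expectancy is ALE = SLE * ARO, and a control is judged by the ALE it removes minus what it costs. The scenario and control figures are constructed for illustration; the only numbers borrowed from the post are the $5,000,000-per-breach cost and the bodyguard's 50% / $50 billion / $2,000 example. The "Zorop" and "Fumblewidget" products are the post's hypothetical names, reused as labels only.

```python
"""Annualized-loss-expectancy (ALE) risk model: example code, not from the original post.

Scenario: one threat with a single-loss expectancy (SLE, cost per incident) and an
annual rate of occurrence (ARO, incidents per period). ALE = SLE * ARO.
Control:  a mitigation that scales ARO and/or SLE for the scenarios it covers,
          at a cost over the same period ARO is expressed in.
The number the business side can act on is the net benefit of a control:
ALE removed minus control cost. Negative means the control is not worth buying.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float   # single-loss expectancy: cost of one incident
    aro: float   # expected incidents per period (0.5 = one every two periods)

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                  # cost of the control per period
    aro_factor: float = 1.0      # ARO multiplier (0.2 = 80% fewer incidents)
    sle_factor: float = 1.0      # SLE multiplier (0.9 = 10% less damage per incident)
    applies_to: frozenset = frozenset()   # scenario names covered; empty = all

    def mitigate(self, s: Scenario) -> Scenario:
        """Return the scenario as it looks with this control in place."""
        if self.applies_to and s.name not in self.applies_to:
            return s
        return replace(s, sle=s.sle * self.sle_factor, aro=s.aro * self.aro_factor)


def total_ale(scenarios) -> float:
    return sum(s.ale for s in scenarios)


def net_benefit(control: Control, scenarios) -> float:
    """ALE removed by the control minus its cost, over one period."""
    before = total_ale(scenarios)
    after = total_ale([control.mitigate(s) for s in scenarios])
    return before - after - control.cost


def rank_controls(controls, scenarios):
    """Controls sorted by net benefit, best first: the list to put in front of the CFO."""
    scored = [(c.name, net_benefit(c, scenarios)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenarios (illustrative figures, not measured data). The $5M per breach
# is the post's own figure for the hypothetical Zorop proxy; the rest is made up.
SCENARIOS = [
    Scenario("Zorop proxy breach", sle=5_000_000, aro=0.6),
    Scenario("mail worm outbreak", sle=400_000, aro=3.0),
    Scenario("vendor appliance with blank SA password", sle=1_200_000, aro=0.4),
]

# Constructed controls. "Fumblewidget" is the post's hypothetical product name.
CONTROLS = [
    Control("Fumblewidget server in front of Zorop", cost=300_000, aro_factor=0.2,
            applies_to=frozenset({"Zorop proxy breach"})),
    Control("gateway anti-virus", cost=80_000, aro_factor=0.5,
            applies_to=frozenset({"mail worm outbreak"})),
    Control("enterprise monitoring suite", cost=2_500_000, sle_factor=0.9),
]


def bodyguard_example() -> float:
    """The post's alley-vs-helicopter decision: a one-trip ARO of 0.5 on a $50B loss
    against a $2,000 control that removes the risk entirely."""
    alley = Scenario("beaten in the alley", sle=50e9, aro=0.5)
    helicopter = Control("Skyways Helicopter", cost=2_000, aro_factor=0.0)
    return net_benefit(helicopter, [alley])


if __name__ == "__main__":
    print(f"current ALE: ${total_ale(SCENARIOS):,.0f}")
    for name, benefit in rank_controls(CONTROLS, SCENARIOS):
        verdict = "buy" if benefit > 0 else "skip"
        print(f"{verdict:4} {name}: net benefit ${benefit:,.0f}")
    print(f"helicopter net benefit: ${bodyguard_example():,.0f}")
```

With the constructed figures the proxy hardening removes $2.4M of a $4.68M ALE for $300K and tops the list, while the $2.5M monitoring suite shaves only 10% off every loss and comes out negative, which is exactly the kind of statement the post says the business side can act on. The model is deliberately point-estimate only; for a real engagement the SLE and ARO inputs should be ranges with a stated confidence, since a single guessed ARO carries the whole conclusion.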