Fwd: Re: [unisog] Security patches - another take

Jim Dillon jim.dillon at cusys.edu
Tue Aug 7 20:35:08 GMT 2001

Paul, Gary, and interested parties,

While there are many ways to attack the symptoms, we won't have solved the 
disease.  My take on the networks/security/users dialogue...

I just finished an audit of "Web Practices" in which I point out that 
posting a Web page or deploying a Web application involves multiple 

Graphic Design
Institutional Relations
Software Analysis and Design
Programming (simple to complex)
Quality Assurance
Import/Export Law and Product Distribution

Just a few years ago, we would have had to hire and artist, involved a 
technical writer, gotten an analysis from marketing and relations people, 
gone to a printer, and pursued some sort of legal and business content 
approval before we represented our companies or institutions in a large 
mailing.  It would cost a great deal of money, and require a great deal of 
human skill and oversight.  Only really important stuff would have ever 
made it out the door.

Now we use free Netscape/Composer combinations and instantly create this 
sort of material in minutes, with little thought or discipline, and wonder 
why it bites back.  I think the server/security discussion you are having 
is the same thing.

Consumers have been empowered by the abilities computing grants, and as 
history will teach us if we pay any attention, most of us are self-serving 
or even overtly greedy.  We won't think of ourselves as the problem, its 
the other guy, and we will pursue our own ends, survival of the fittest. 
(The disease.)  It's great to be King, right?

The OS' makers are simply reflecting the same thing, and we are driving it 
with incessant demands for easier, faster, better, cheaper.  "I want Linux 
on my notebook, today, I have work to do, don't let it interfere with 
Windows, I must audit now, so sorry, I can't wait for tech support to get 
around to it next week."  Now, thanks to CompUSA and Redhat, I have a 
server, its enabled most things to appear easy to use and robust so I will 
like it, but I know next to nothing about "driving" it.  Ultimately, we are 
demanding cars without keys, delivered to children for their birthdays, and 
it's too late to demand they understand the laws and department of motor 
vehicles signs and standards prior to taking to the road.  Oh yeah, their 
feet can't reach the pedals, that might be a bit risky with a broom handle, eh?

It seems that driving automobiles, while still a leading killer of people, 
is a reasonably safe proposition.  Most folks watch what they are doing, 
know to stop at a red light, and can obey traffic signs.  Considering the 
death potential of 150million people hurtling themselves along at 75MPH 
every day, we don't suffer enough casualties to keep us off the road.

It seems that IS/IT should consider developing similar guidelines to 
highway/motor safety concerns: Education and licensing, age limits, laws 
and penalties, clear authorities, and driver's ed schools.  If the 
complements to these controls existed widely in IT and were diligently 
enforced, we'd have less problems.  (Not "no" problems, just less.)

I've observed the equivalent to free car lots, keys in the ignition, signs 
to the on-ramps, and cheering mobs saying "Just Do IT", but once on the IT 
road, we are fairly bare of road signs and center stripes, or perhaps can't 
read/see the ones that are there.  I can't often find the equivalent of the 
Department of Motor Vehicles, and the Highway Patrol is often the 
salesperson who sold (gave) me the car.  Never thought of a license to 
drive, or some cost to participate, like a registration fee.  Oh yeah, the 
cars are mostly GM, but there are a few Volvos around still for those who 
can tinker with them.

Our institutions need to understand their risks, consider the cost/benefit 
more carefully with better cost numbers, and create the systems that allow 
us to play together with some semblance of order.  Not every car that was 
ever sold was particularly safe, but safe practice could keep the occupants 
alive most of the time.  Yep, I've had many reasonably safe hours in a 
Pinto, not risk free, but reasonably safe anyway.  I think the same is true 
for our networks/servers, etc.

Our institutions need to control their systems(roadways), IT or 
otherwise.  Manufacturers need to develop airbags and seatbelts, and we 
participants need to take our driver's ed classes and pass our driving 
tests.  Oh yeah, someone will have to author the tests and teach the courses.

Not a faster, cheaper, better solution is it?  We're back to the original 
problem (disease) statement, and this discussion will probably turn into a 
philosophy debate from here, so I'll stop now.

Best regards to all,


Oh yeah, I generally concur with the both of you if you haven't figured 
that out yet.  If we could all get general concurrence into passable 
understanding and agreement...

At 12:30 PM 08/07/2001 -0400, you wrote:
Paul L Schmehl wrote:

 > Stop buying from the vendors in the public spotlight? :)

 > Just kidding. I suspect that any vendor pandering to consumer demand
 > for ease of use, functionality, and time to market over all else would
 > likely be in the same predicament as Microsoft. And if they don't pander,
 > they don't stay in business.

 >> How many more Code Reds do we have to go through
 >> before we finally start getting mad at the networks that, by not patching
 >> their servers in a timely manner, put all of us at greater risk?

 > Its not the "networks". Its the individual computer operators. That said,
 > a network owned by an organization should definitely take steps to ensure
 > the integrity of its own network and in the process of doing so enforce
 > reasonable expectations on its computer operators. Of course this means
 > that those in power have to do more than throw any available warm body
 > at the job and give them the time and resources to do the job properly.

 > Gary Flynn
 > Security Engineer - Technical Services
 > James Madison University

Jim Dillon, CISA
IT Audit Manager
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737

More information about the unisog mailing list