Fwd: Re: [unisog] Security patches - another take
jim.dillon at cusys.edu
Tue Aug 7 20:35:08 GMT 2001
Paul, Gary, and interested parties,
While there are many ways to attack the symptoms, we won't have solved the
disease. My take on the networks/security/users dialogue...
I just finished an audit of "Web Practices" in which I point out that
posting a Web page or deploying a Web application involves multiple
Software Analysis and Design
Programming (simple to complex)
Import/Export Law and Product Distribution
Just a few years ago, we would have had to hire an artist, involve a
technical writer, get an analysis from marketing and relations people,
go to a printer, and pursue some sort of legal and business content
approval before we represented our companies or institutions in a large
mailing. It would cost a great deal of money, and require a great deal of
human skill and oversight. Only really important stuff would have ever
made it out the door.
Now we use free Netscape/Composer combinations and instantly create this
sort of material in minutes, with little thought or discipline, and wonder
why it bites back. I think the server/security discussion you are having
is the same thing.
Consumers have been empowered by the abilities computing grants, and as
history will teach us if we pay any attention, most of us are self-serving
or even overtly greedy. We won't think of ourselves as the problem, it's
the other guy, and we will pursue our own ends, survival of the fittest.
(The disease.) It's great to be King, right?
The OS makers are simply reflecting the same thing, and we are driving it
with incessant demands for easier, faster, better, cheaper. "I want Linux
on my notebook, today, I have work to do, don't let it interfere with
Windows, I must audit now, so sorry, I can't wait for tech support to get
around to it next week." Now, thanks to CompUSA and Redhat, I have a
server, it's enabled most things to appear easy to use and robust so I will
like it, but I know next to nothing about "driving" it. Ultimately, we are
demanding cars without keys, delivered to children for their birthdays, and
it's too late to demand they understand the laws and department of motor
vehicles signs and standards prior to taking to the road. Oh yeah, their
feet can't reach the pedals, that might be a bit risky with a broom handle, eh?
It seems that driving automobiles, while still a leading killer of people,
is a reasonably safe proposition. Most folks watch what they are doing,
know to stop at a red light, and can obey traffic signs. Considering the
death potential of 150 million people hurtling themselves along at 75 MPH
every day, we don't suffer enough casualties to keep us off the road.
It seems that IS/IT should consider developing similar guidelines to
highway/motor safety concerns: Education and licensing, age limits, laws
and penalties, clear authorities, and driver's ed schools. If the
complements to these controls existed widely in IT and were diligently
enforced, we'd have fewer problems. (Not "no" problems, just fewer.)
I've observed the equivalent to free car lots, keys in the ignition, signs
to the on-ramps, and cheering mobs saying "Just Do IT", but once on the IT
road, we are fairly bare of road signs and center stripes, or perhaps can't
read/see the ones that are there. I can't often find the equivalent of the
Department of Motor Vehicles, and the Highway Patrol is often the
salesperson who sold (gave) me the car. Never thought of a license to
drive, or some cost to participate, like a registration fee. Oh yeah, the
cars are mostly GM, but there are a few Volvos around still for those who
can tinker with them.
Our institutions need to understand their risks, consider the cost/benefit
more carefully with better cost numbers, and create the systems that allow
us to play together with some semblance of order. Not every car that was
ever sold was particularly safe, but safe practice could keep the occupants
alive most of the time. Yep, I've had many reasonably safe hours in a
Pinto, not risk free, but reasonably safe anyway. I think the same is true
for our networks/servers, etc.
Our institutions need to control their systems (roadways), IT or
otherwise. Manufacturers need to develop airbags and seatbelts, and we
participants need to take our driver's ed classes and pass our driving
tests. Oh yeah, someone will have to author the tests and teach the courses.
Not a faster, cheaper, better solution, is it? We're back to the original
problem (disease) statement, and this discussion will probably turn into a
philosophy debate from here, so I'll stop now.
Best regards to all,
Oh yeah, I generally concur with the both of you if you haven't figured
that out yet. If we could all get general concurrence into passable
understanding and agreement...
At 12:30 PM 08/07/2001 -0400, you wrote:
> Paul L Schmehl wrote:
> Stop buying from the vendors in the public spotlight? :)
> Just kidding. I suspect that any vendor pandering to consumer demand
> for ease of use, functionality, and time to market over all else would
> likely be in the same predicament as Microsoft. And if they don't pander,
> they don't stay in business.
>> How many more Code Reds do we have to go through
>> before we finally start getting mad at the networks that, by not patching
>> their servers in a timely manner, put all of us at greater risk?
> It's not the "networks". It's the individual computer operators. That said,
> a network owned by an organization should definitely take steps to ensure
> the integrity of its own network and in the process of doing so enforce
> reasonable expectations on its computer operators. Of course this means
> that those in power have to do more than throw any available warm body
> at the job and give them the time and resources to do the job properly.
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
Jim Dillon, CISA
IT Audit Manager
jim.dillon at cusys.edu
Dept. Phone: 303-492-9730