Slashdot Mirror


Security: The Window of Exposure

Bruce Schneier has written an interesting analysis of dealing with security on the Internet as a business issue - and what that means for how we deal with it in a company setting. It's a well written piece, and quite useful for those of us out there in the corporate world.

6 of 44 comments

  1. Awareness vs. Protection by Idaho · Score: 3

    Okay, so you can't be 100% safe. I guess most of us already knew that.

    So, it becomes more important to know when you have been cracked (you will anyway, eventually) than to prevent it.

    It looks like the future for products like Tripwire (detects system file changes and the like), Portsentry (portscan detection) and other 'security break awareness' products is bright.

    Then, if you really want to be aware, directly send the important syslog-messages (like, people becoming root, portscanning detected etc.) to an old unused matrix-printer. Works great, since it is possible to erase your log-files (once you're root), but it's *real* hard to mess up logs that are on paper (without physical access to the site, that is)!

    --
    Every expression is true, for a given value of 'true'
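The paper-trail idea in the comment above boils down to two steps: pick out the few syslog messages that matter (someone becoming root, a port-scan detector firing) and push them, line by line, to a sink an intruder with root cannot rewrite. The filter below is an added example, not code from the commenter or from Slashdot; the syslog lines are constructed samples, and the printer device path is an assumption (the demo writes to an in-memory buffer instead).

```python
import io
import re
from typing import Iterable, List, TextIO

# Constructed sample syslog lines in the style of a late-1990s Linux host.
SAMPLE_SYSLOG = """\
Jan 12 03:14:01 www cron[812]: (root) CMD (run-parts /etc/cron.hourly)
Jan 12 03:15:22 www sshd[901]: Accepted password for alice from 10.0.0.5 port 1022
Jan 12 03:15:40 www su[915]: (to root) alice on /dev/pts/1
Jan 12 03:16:02 www portsentry[230]: attackalert: Connect from host: 10.0.0.99/10.0.0.99 to TCP port: 143
Jan 12 03:16:03 www httpd[777]: [notice] caught SIGTERM, shutting down
Jan 12 03:17:45 www PAM_unix[930]: (login) session opened for user root by (uid=0)
"""

# The events the comment calls "important": a switch to root and a portscan alert.
# Note the cron line mentions root but is routine, so the su pattern is anchored
# to the su process and the "(to root)" marker rather than the bare word "root".
CRITICAL_PATTERNS = [
    re.compile(r"\bsu\[\d+\]: \(to root\)"),
    re.compile(r"session opened for user root"),
    re.compile(r"portsentry\[\d+\]: attackalert"),
]


def is_critical(line: str) -> bool:
    """True if the syslog line matches one of the critical event patterns."""
    return any(p.search(line) for p in CRITICAL_PATTERNS)


def select_critical(lines: Iterable[str]) -> List[str]:
    """Keep only the lines worth committing to the write-once sink."""
    return [line.rstrip("\n") for line in lines if is_critical(line)]


def forward_to_sink(lines: Iterable[str], sink: TextIO) -> int:
    """Write each line to the sink and flush immediately, so nothing sits in a
    buffer that a crash (or a kill of this process) would lose. Returns the count."""
    count = 0
    for line in lines:
        sink.write(line + "\n")
        sink.flush()
        count += 1
    return count


def demo() -> str:
    """Run the filter over the sample and return what reached the sink.
    In a real deployment the sink would be the printer device (assumed /dev/lp0)."""
    sink = io.StringIO()
    forward_to_sink(select_critical(SAMPLE_SYSLOG.splitlines(keepends=True)), sink)
    return sink.getvalue()
```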
  2. Business Security by Malevolent · Score: 3

    Personally, I believe that any business which doesn't implement security deserves everything it gets.

    I worked for a company for almost a year which was in the business of website hosting/design. As I was fairly close to the servers, I knew that we were getting regularly port-scanned, our NetBios was wide open and had had a number of attempts to break in [obviously script-kiddies, since it wouldn't have been particularly hard, yet to my knowledge they never got anywhere!]

    The boss was fully aware of these problems - and yet consistently refused to accept that at a very minimum we needed a firewall - even when we finally got it into his head that this was a necessity he allowed so little time for our linux guru to work on it that it was still not operational when I finally resigned.

    This is the sort of attitude that seems to be prevalent in industry - the people in charge just do not seem to understand that basic security is a must. Had anyone penetrated the system, they could easily have put this company out of business - and I'm sure this is also the case for many others!

    Unless businesses wake up, they will find themselves digging their own graves - and all for want of devoting a little time to something which, with all the media hype, is staring them in the face.

    --
    -Tom
    1. Re:Business Security by The+Dodger · Score: 3

      when we finally got it into his head that [a firewall] was a necessity he allowed so little time for our linux guru to work on it that it was still not operational when I finally resigned.

      This is a very common problem. Many organisations are not as secure as they should be because they are under-resourced, technically.

      Security is often regarded as being the responsibility of the systems engineers/administrators. However, day-to-day business often places a higher priority on non-security-related engineering and admin jobs than on security, and this can mean that security-related work, which does not have an apparent immediate urgency (unlike, say, getting a new mail system implemented or something like that), is put off unless a security breach has recently occurred or is in progress.

      As a result, the IT staff find themselves under pressure from the business groups, and security ends up sliding to the bottom of the "to do" list.

      In essence, this is a management problem, which can only be solved by putting in place stringent security policies (e.g. "Yes, the new mail system is working, but it has not been passed as secure, so we are NOT putting it live, and I don't care how crucial it is to your quarterly commission that you are able to send attachments larger than 2MB...") and proactively allocating resources to security.

  3. Fluff and puff by itsbruce · Score: 3

    This article is pure fluff. There's no detail of how his new Managed Security Monitoring works, how it "closes the window" when all others simply "narrow" it; he's just trying to sell his product. I thought most competent sysadmins monitored their security? His house insurance metaphor is invalid. It's one thing to insure against the risk of burglary, knowing that you can use the insurance money to buy equivalent items. But data is different - there is no equivalent to your own data. A cracker can steal your data and do you damage without your knowledge - since the data is still there. A cracker can distort your data so that your future work will be based on incorrect information. A cracker can use your network as a base for other attacks. For the two situations to be analogous, burglars would have to be in the habit of breaking in and reprogramming your microwave to poison you, or invisibly setting up a base in your attic to launch burglaries on your neighbours. The integrity of data is so much more fragile than that of real-world goods that you simply can't treat it in the same (relatively casual) manner as you can house insurance. Whatever the answer is, this salesman doesn't have it and his sales puff shouldn't have received this free publicity.

  4. Interesting MARKETING Document by cryptwhomp · Score: 3

    Hmmm, and where can I get this wonderful managed security? Why look, Bruce himself sells it! What a happy surprise ...

    --
    "Those who would give up essential liberty for temporary safety deserve neither liberty nor safety" - Benjamin Franklin
  5. Crypto-gram by Leto2 · Score: 3

    For those who find articles like this interesting, I suggest they subscribe to Bruce's Crypto-gram, a monthly newsletter that covers topics like this.

    Actually, this month's episode, which came in the mail this morning, talks about the same windows of exposure.

    I can heartily recommend this newsletter to everyone!

    Ivo

    --
    <grub> Reading /. at -1 is like driving through Cracktown in a convertible that is stuck in 1st