Slashdot Mirror


How to Cheat at Managing Information Security

Ben Rothke writes "Mark Osborne doesn't like auditors. In fact, after reading this book, one gets the feeling he despises them. Perhaps he should have titled this book 'How I learned to stop worrying and hate auditors'. Of course, that is not the main theme of How to Cheat at Managing Information Security, but Osborne never hides his feelings about auditors, which is not necessarily a bad thing. In fact, the auditor jokes start in the preface and continue throughout the book."

How to Cheat at Managing Information Security
author: Mark Osborne
pages: 302
publisher: Syngress
rating: 8
reviewer: Ben Rothke
ISBN: 1597491101
summary: The adventures of an information security professional and his efforts to secure corporate networks

The subtitle of the book is 'Straight talk from the loud-fat-bloke who protected Buckingham Palace and ran KPMG's security practice'. Essentially, the book is Osborne's reminiscence of his years in information security, including the good, the bad and, more often than not, the ugly.

The book is written for someone looking to develop an information security program, or strengthen an existing program, to ensure that all of the critical technology areas are covered.

The thirteen chapters of the book cover the main topics an information security manager needs to know to do the job. The author candidly notes that this is not the most comprehensive security book ever written, but that it contains most of what a security manager needs to get the job done. He also observes that information security differs from other disciplines in that there are many good books on its individual, disconnected subjects; the hard part is acquiring the breadth of knowledge across all of those areas and then operating effectively across all of them at once.

Chapters 1 and 2 deal with the information security organization as a whole and the need for an information security policy. Chapter 1 details the various places in an organization where a security group can be situated, and describes the pros and cons of each. Of the scenario that places information security under the head of audit, Osborne notes that 'if you have any sort of life, you don't want to spend it with the auditors, I promise you'.

Wherever the security group sits in an organization, its ultimate success or failure is likely to be determined by its level of autonomy and independence. Unfortunately, in far too many organizations, information security is not given that liberty; it is placed in a subservient role to groups with opposing interests. Any security group or security manager in that situation should probably start working on their resume.

The same scenario is described in 'Practical Unix and Internet Security', where Professor Gene Spafford spells out Spaf's first principle of security administration: 'if you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong'. Spaf's principle is a cruel reality for many of those responsible for information security.

Between those chapters and a few more auditor jokes, Osborne makes the blatantly obvious observation that, wherever possible, one should eradicate single points of failure. As a corollary, he notes that while trying to eliminate these failure points, companies often build redundant systems, partly in the hope that the redundancy will also relieve performance bottlenecks. What these companies do not realize is that the routers, firewalls and switches are not the bottleneck; the bottleneck is the application software.

Osborne plays the contrarian in chapter 8 when he asks why we need firewalls at all. He notes that if every database maker, operating system programmer and CRM/ERM vendor put as much effort into security as the firewall vendors do, there would be no need for firewalls. Likewise, if every system administrator worked as hard on security as the typical firewall administrator does, and devoted as much time to hardening servers and laptops, centralized firewalls would likely not be needed. Since that firewall-free reality is not arriving any time soon, chapter 8 goes on to provide a good deal of practical information on everything you need to know about firewalls.

Chapter 9 is about one of the most maligned security tools, the IDS. After an anecdote about a network manager who did not understand the fundamentals of how DHCP operates, and how Snort was used to debug the problem, Osborne offers a meaningful piece of security wisdom: an IDS can help any network or security person understand their network traffic, and can even give information on new attacks and how to mitigate them. But for an IDS (or any security hardware or software, for that matter) to be truly useful, a security professional needs to understand the IT infrastructure, the mechanics of the networks and applications, and the risks involved. Those who don't understand those three things will get only minimal benefit from these technologies.

Overall, How to Cheat at Managing Information Security is an informative and often entertaining introduction to information security. Those who want a good overview of the core elements of information security, or who want to strengthen their existing knowledge, will find it an informative and valuable read."

You can purchase How to Cheat at Managing Information Security from bn.com.

120 comments

  1. Yes, it is blatently obvious by smooth+wombat · · Score: 0
    Osborne makes the blatently obvious observation that wherever possible,


    It is blatantly obvious that my remark on the survey about unneeded editors was correct.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:Yes, it is blatently obvious by merchant_x · · Score: 0, Offtopic

      The subtitle of the book is 'Straight talk from the loud-fat-bloke who protected Buckingham Palace and ran KPMG's security practice'. Essentially, the book is Osborne's reminiscence of his years in information security; including the good, the bad, and more often then not, the ugly.

    2. Re:Yes, it is blatently obvious by mackyrae · · Score: 1

      And what about the redundancy of "blatantly obvious"? "Blatant" means "obviously"; therefore, it says "obviously obvious" which is redundant.

      --
      look! it's a bird, it's a plane, it's....a girl? yes, a girl browsing Slashdot on Linux
    3. Re:Yes, it is blatently obvious by rajpatel32 · · Score: 0

      All you can do is harp on a grammar mistake? You guys obviously missed the point.

    4. Re:Yes, it is blatently obvious by Nutria · · Score: 1
      And what about the redundancy of "blatantly obvious"? "Blatant" means "obviously"; therefore, it says "obviously obvious" which is redundant.

      And emphasises the point even more firmly.

      --
      "I don't know, therefore Aliens" Wafflebox1
    5. Re:Yes, it is blatently obvious by Nefarious+Wheel · · Score: 1

      I wish my L70 Mage had a spell checker...

      --
      Do not mock my vision of impractical footwear
    6. Re:Yes, it is blatently obvious by lucerin · · Score: 1

      thank you Dr. Pedantic and the previous posters who, it is blatantly obvious, are all members of the Anal Retentive Guild

    7. Re:Yes, it is blatently obvious by 3dr · · Score: 1
      thank you Dr. Pedantic and the previous posters who, it is blatantly obvious, are all members of the Anal Retentive Guild[sic]

      Corrected:
      thank you Dr. Pedantic and the previous posters who, it is blatantly obvious, are all members of the Anal-Retentive Guild

      Oh yes, I'm very serious.

    8. Re:Yes, it is blatently obvious by rajpatel32 · · Score: 0

      What is your point? A minor typo? Get a frikkin life dude.
      Who cares about then/than.

      This is not an English class. Give the writers a break.

      Such an error makes zero change.

  2. Update on the link by Anonymous Coward · · Score: 0

    The review links to B & N, but I notice that Amazon has it cheaper through their 3rd-party thing.

    1. Re:Update on the link by Anonymous Coward · · Score: 0

      It's just as cheap through their 1st-party listing, Sir Spamalot.

  3. You can never do away with a firewall. Ever. by growse · · Score: 4, Insightful

    I'm not sure the comments about firewalls are accurate. Sure, if every software maker paid proper attention to security, then we'd be in a lot better position than we are now, but I'm not necessarily sure that building firewall-level security into every application is a good thing.

    For example, if I want to restrict the access to a particular service to a few ip addresses, I'm more likely to do this on my firewall than on the service myself. Sure, the people who make the service could include that functionality, but I like the separation of security out away from the application. I like the fact that I control all my access in one place, and not across hundreds of application-specific config files. I believe modern firewalls can do all sorts of clever things such as coping with DoS attacks, stateful examination of network traffic etc etc etc. Can you imagine what it would be like if every single service had that functionality built in, but implemented slightly differently and with slightly different types of weakness in each one? Think of the duplicated functionality and bloat!

    There's no such thing as software which is immune to malicious attack, but I like to keep my security weaknesses all in one place, and minimize them by buying my firewalls from a company that has a track record and experience in security issues, rather than a company that makes an ftp server for a living.

    --
    There is nothing interesting going on at my blog
    1. Re:You can never do away with a firewall. Ever. by Isao · · Score: 1
      Depends. You mentioned "I like the fact that I control all my access in one place...". That may be nice from a management perspective, but when the network behind the firewall becomes complex, the firewalls with a complex ruleset typically can't keep up with the load. Also, a firewall with several hundred (or thousand) rules can end up with rule conflicts in subtle ways, making rule integration time-consuming. Adding a separate firewall per subnet may be the answer, but then you end up with a distributed firewall system (requiring centralized management tools that don't suck), and this starts to approach 1:1 firewall deployment for a lot of small application server clusters.

      Another point about "...slightly different types of weakness in each one...", is that disparate systems will have a variety of weaknesses regardless. Perhaps a better approach is segregating network traffic (using either firewalls or application server rulesets) and performing flow analysis on the networks. (e.g.: Your NIDS screams bloody murder if it sees traffic to the payroll server coming from the webserver subnet.)

      Just some thoughts.
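
Isao's suggestion above (segregate traffic and have the NIDS alert on flows that cross segments the wrong way) as an added example; this is not code from the thread or from the book. It checks flow records against a table of expected segment-to-segment flows and alerts on anything else. The segment map, the allowed-flow table and the flow records are all constructed for illustration; the "web" to "payroll" case is the one Isao describes.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical segment map for illustration; the addresses are constructed, not from the thread.
SEGMENTS = {
    "web": ipaddress.ip_network("10.1.10.0/24"),
    "payroll": ipaddress.ip_network("10.1.20.0/24"),
    "finance_users": ipaddress.ip_network("10.1.30.0/24"),
}

# Expected flows: (source segment, destination segment) -> destination ports that are
# normal. Any flow not covered here is a policy violation and gets an alert.
ALLOWED_FLOWS = {
    ("finance_users", "payroll"): {1433},
    ("finance_users", "web"): {443},
    ("web", "web"): {443},
}

# Constructed flow records (the shape a NetFlow export or tap would give you): "src dst dport proto".
SAMPLE_FLOWS = """\
10.1.10.5   10.1.10.7  443  tcp
10.1.10.5   10.1.20.9  1433 tcp
10.1.30.12  10.1.20.9  1433 tcp
10.1.10.6   10.1.20.9  22   tcp
10.1.30.13  10.1.10.5  443  tcp
192.0.2.44  10.1.20.9  1433 tcp
"""

@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str

def segment_of(addr):
    """Name of the segment containing addr, or 'unknown' if it is in none of them."""
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), proto))
    return flows

def find_violations(flows):
    """Return (flow, (src_segment, dst_segment)) for every flow outside ALLOWED_FLOWS.
    Unknown segments fall through to the default and are therefore always reported."""
    alerts = []
    for f in flows:
        pair = (segment_of(f.src), segment_of(f.dst))
        if f.dport not in ALLOWED_FLOWS.get(pair, set()):
            alerts.append((f, pair))
    return alerts

def format_alert(flow, pair):
    return (f"ALERT {pair[0]} -> {pair[1]}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} "
            f"is not an expected flow")

if __name__ == "__main__":
    for flow, pair in find_violations(parse_flows(SAMPLE_FLOWS)):
        print(format_alert(flow, pair))
```

The table is deliberately an allow list: a flow from a segment you forgot to map, or to a port nobody documented, is reported rather than silently passed, which is the behaviour you want from a detection that is meant to catch the webserver subnet talking to payroll.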

    2. Re:You can never do away with a firewall. Ever. by avonhungen · · Score: 1

      I know that in our marketing-driven world it's hard to believe but I agree that strategically, firewalls aren't preferable. I cut my teeth in security at a major government-funded computing infrastructure site and the head of security there didn't believe in firewalls either. I was initially dubious but eventually was convinced. This book touches on it I think.

    3. Re:You can never do away with a firewall. Ever. by Lord+Ender · · Score: 1

      "if I want to restrict the access to a particular service to a few ip addresses, I'm more likely to do this on my firewall than on the service myself."

      You win the "wrong tool for the job" award! Unless IP addresses follow your users and you have lots of anti-spoofing technology, you're biffin it, bud.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    4. Re:You can never do away with a firewall. Ever. by growse · · Score: 1

      It was an example. If you've got a huge DoS attack coming from a large botnet, 80% of which is AOL, you can provide a good temporary measure of just blocking AOL's entire network. Sure, people can spoof their ip, but that's not the point. A firewall gives you more control over access to your network than the individual services on that network ever could.

      --
      There is nothing interesting going on at my blog
    5. Re:You can never do away with a firewall. Ever. by element-o.p. · · Score: 1

      I agree with your premise, but not your supporting arguments, which is a rather unusual state of affairs, I believe.

      While the "security as an onion" has been pretty well trodden into the ground, the principle is valid, and therefore, I agree that a perimeter firewall is a necessity. However, I maintain that your internal hosts should be firewalled/ACL'd as well.

      On networks that I administer, I build a firewall into every host I put on my network. My Linux boxes all run iptables to limit traffic to what I expect to see on the network interfaces. The very few Windows boxes that I must support (kicking and screaming) also have third party firewalls, like Sygate. If you look at server configs for most *nix products (Asterisk, Apache, Sendmail, Postfix, Bind, etc.) you will see they typically contain some type of Allow/Deny configuration, and I make a point of turning these on as appropriate, too.

      Yes, that implies duplicated functionality, and yes, it implies some degree of bloat, too. IMHO, that translates to increased security on my network since a vulnerability in my perimeter firewall will not necessarily mean that my services are vulnerable, if each host is firewalled and ACL'd.

      Even better, it means I can conduct maintenance on various parts of my network without exposing my applications and services to attack. For example, I recently lost a hard drive on a web server. While rebuilding the server, I allowed root ssh to the web server and to the server that held backups for the web server. Ordinarily, root is not allowed ssh to any of my hosts, but since the servers had iptables running to only allow ssh from internal addresses, I could temporarily relax this security policy until the server was restored properly.

      And I don't understand why you seem to think that having services running with different types of firewall functionality and weaknesses is a bad thing. It seems to me that having multiple firewalls--each of which has different weaknesses that an attacker must exploit before finally gaining access to a service--is a good thing. Joe Scriptkiddie may know how to defeat one weakness, but then he will have to figure out the firewall on the destination host *and then* defeat any ACLs on the destination service before he can compromise your server. In your ideal, he only has to defeat the perimeter firewall and then your whole network is open to him.

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    6. Re:You can never do away with a firewall. Ever. by growse · · Score: 1

      I see where you're coming from - I don't think that just having one perimeter as a firewall is a good idea. I think it's an insane idea. I also think that relying on the quality of code in your applications alone for security as well is an insane idea, which was the point I was trying to make. The author was saying that you could throw away your firewalls if you have perfect code, and I was saying that throwing away anything that makes an intruder's life difficult is insane.

      --
      There is nothing interesting going on at my blog
    7. Re:You can never do away with a firewall. Ever. by element-o.p. · · Score: 1

      In that case, I agree with you completely :)

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    8. Re:You can never do away with a firewall. Ever. by FlipSyde+IT072186 · · Score: 1

      Basically, a firewall is a barrier to keep destructive forces away from your property. In fact, that's why it's called a firewall. Its job is similar to a physical firewall that keeps a fire from spreading from one area to the next. Firewalls use one or more of three methods to control traffic flowing in and out of the network:

      1) Packet filtering - Packets (small chunks of data) are analyzed against a set of filters. Packets that make it through the filters are sent to the requesting system and all others are discarded.

      2) Proxy service - Information from the Internet is retrieved by the firewall and then sent to the requesting system and vice versa.

      3) Stateful inspection - A newer method that doesn't examine the contents of each packet but instead compares certain key parts of the packet to a database of trusted information. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.

      Something is better than nothing :)
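
The packet-filtering and stateful-inspection mechanisms FlipSyde lists, growse's centralised source-IP allow list, and element-o.p.'s per-host iptables plus service Allow/Deny, as one added example (not code from the thread or the book): a toy stateful packet filter stacked three deep, perimeter, host and service ACL, so that a packet has to clear every layer. The addresses, rule sets and packets are constructed for illustration, and the "syn" flag is a simplified stand-in for a real TCP connection-open; a proxy service is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY, WEB, INTERNAL = "0.0.0.0/0", "10.0.0.10", "10.0.0.0/24"   # constructed addresses

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True   # True for the packet that opens a TCP connection (simplified model)

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None matches any destination port

def rule(action, src, dst, dport=None):
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)

class StatefulFilter:
    # First-match rule list with default deny, plus a connection table so that replies
    # to an allowed connection pass without needing a rule of their own.
    def __init__(self, name, rules):
        self.name, self.rules, self.state = name, rules, set()

    def _first_match(self, pkt):
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for r in self.rules:
            if s in r.src and d in r.dst and r.dport in (None, pkt.dport):
                return r.action
        return "deny"

    def check(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state or reverse in self.state:
            return "allow"                 # part of an established connection
        if not pkt.syn:
            return "deny"                  # mid-stream packet with no connection behind it
        verdict = self._first_match(pkt)
        if verdict == "allow":
            self.state.add(key)
        return verdict

class ServiceAcl:
    # Application-level allow list per port, like sshd's Match Address or Apache's Allow/Deny.
    def __init__(self, name, allowed_by_port):
        self.name = name
        self.allowed = {p: [ipaddress.ip_network(n) for n in nets] for p, nets in allowed_by_port.items()}

    def check(self, pkt):
        s = ipaddress.ip_address(pkt.src)
        return "allow" if any(s in n for n in self.allowed.get(pkt.dport, [])) else "deny"

def traverse(layers, pkt):
    # Run an inbound packet through every layer and report which one dropped it, if any.
    for layer in layers:
        if layer.check(pkt) == "deny":
            return ("deny", layer.name)
    return ("allow", None)

def build_layers(perimeter_extra=()):
    perimeter = StatefulFilter("perimeter", [
        rule("allow", ANY, WEB, 443),       # public HTTPS to the web server
        rule("allow", INTERNAL, ANY),       # anything outbound from the inside
        *perimeter_extra,
    ])
    host = StatefulFilter("host", [         # iptables-style rules on the web server itself
        rule("allow", ANY, WEB, 443),
        rule("allow", INTERNAL, WEB, 22),
    ])
    return [perimeter, host, ServiceAcl("service-acl", {443: [ANY], 22: [INTERNAL]})]

def run_scenarios():
    r = {}
    https = Packet("203.0.113.5", 40000, WEB, 443)
    r["internet_https"] = traverse(build_layers(), https)
    r["internet_ssh"] = traverse(build_layers(), Packet("203.0.113.5", 40001, WEB, 22))
    # A mistaken perimeter rule opening SSH to the world: the host filter still drops it.
    leaky = build_layers(perimeter_extra=[rule("allow", ANY, WEB, 22)])
    r["leaky_perimeter_ssh"] = traverse(leaky, Packet("203.0.113.5", 40002, WEB, 22))
    r["internal_ssh"] = traverse(build_layers(), Packet("10.0.0.20", 50000, WEB, 22))
    # Stateful inspection: the reply to an allowed connection passes, a stray packet does not.
    perimeter = build_layers()[0]
    perimeter.check(https)
    r["reply_to_established"] = perimeter.check(Packet(WEB, 443, "203.0.113.5", 40000, syn=False))
    r["unsolicited_midstream"] = perimeter.check(Packet("203.0.113.9", 40000, WEB, 443, syn=False))
    return r

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24} {verdict}")
```

The "leaky_perimeter_ssh" scenario is the case element-o.p. makes: one bad rule at the edge does not expose the service, because the host filter and the service's own allow list are evaluated independently and each defaults to deny.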

    9. Re:You can never do away with a firewall. Ever. by HaeMaker · · Score: 1

      All these things you mention are symptoms and solutions to poor application design.

      Why do you want to limit a service to a few IPs? The service should securely challenge the identity of the user. IP address is a poor identity mechanism.

      Why do you want to add functionality for DoS and stateful examination of network traffic to the application? The application should not be vulnerable to these things in the first place.
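
HaeMaker's point that the service should challenge the identity of the user rather than trust the source address, as an added example (not code from the thread or the book). It contrasts a source-IP allow list, which is satisfied by whatever address the attacker writes into the packet, with an HMAC challenge-response that needs a per-user key the attacker does not have. The keys, nonces and the fixed clock are constructed for the demo; it assumes a pre-shared key per user, so in practice you would more likely use TLS client certificates or an existing authentication protocol rather than roll your own.

```python
import hashlib
import hmac
import ipaddress
import os
import time

# Constructed per-user secrets for the demo (a real deployment provisions these out of band).
USER_KEYS = {
    "alice": hashlib.sha256(b"demo-key-alice").digest(),
    "bob": hashlib.sha256(b"demo-key-bob").digest(),
}

def compute_response(key, nonce):
    """Client side: prove knowledge of the key without ever sending it."""
    return hmac.new(key, b"auth-v1|" + nonce, hashlib.sha256).digest()

class ChallengeServer:
    """Issues single-use, time-limited nonces and verifies HMAC responses to them."""
    TTL_SECONDS = 30.0

    def __init__(self, keys, clock=time.monotonic):
        self.keys = keys
        self.clock = clock      # injectable so expiry can be tested deterministically
        self.pending = {}       # nonce -> (user it was issued to, time issued)

    def issue_challenge(self, user):
        if user not in self.keys:
            raise KeyError(f"unknown user {user!r}")
        nonce = os.urandom(16)
        self.pending[nonce] = (user, self.clock())
        return nonce

    def verify(self, user, nonce, response):
        # pop() makes the nonce single-use whether or not this attempt succeeds
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False        # never issued, already used (replay), or purged
        issued_to, issued_at = entry
        if issued_to != user or self.clock() - issued_at > self.TTL_SECONDS:
            return False
        expected = compute_response(self.keys[user], nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison

def ip_allowlist_check(claimed_src, allowed_nets):
    """The check a source-IP rule performs: it trusts whatever the packet header claims."""
    src = ipaddress.ip_address(claimed_src)
    return any(src in ipaddress.ip_network(n) for n in allowed_nets)

def run_scenarios():
    results = {}
    # An attacker writes an internal address into the packet: the IP rule is satisfied.
    results["spoofed_ip_passes_allowlist"] = ip_allowlist_check("10.0.0.20", ["10.0.0.0/24"])

    fake_time = [1000.0]
    server = ChallengeServer(USER_KEYS, clock=lambda: fake_time[0])

    nonce = server.issue_challenge("alice")
    good = compute_response(USER_KEYS["alice"], nonce)
    results["alice_authenticates"] = server.verify("alice", nonce, good)
    results["replay_rejected"] = server.verify("alice", nonce, good)      # same nonce again

    nonce = server.issue_challenge("alice")
    results["wrong_key_rejected"] = server.verify("alice", nonce, compute_response(b"guess", nonce))

    nonce = server.issue_challenge("alice")
    results["wrong_user_rejected"] = server.verify("bob", nonce, compute_response(USER_KEYS["bob"], nonce))

    nonce = server.issue_challenge("alice")
    fake_time[0] += 60.0                                                  # past the TTL
    results["expired_rejected"] = server.verify("alice", nonce, compute_response(USER_KEYS["alice"], nonce))
    return results

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:30} {ok}")
```

The nonce is bound to the user it was issued to and consumed on first use, so a captured response cannot be replayed and a challenge issued to one account cannot be answered for another; the allow-list check has nothing equivalent to bind the packet to anyone.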

  4. auditor jokes thread.... :) by advocate_one · · Score: 4, Funny

    those who can, do... those who can't, teach... and those who can't teach, audit...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    1. Re:auditor jokes thread.... :) by Aditi.Tuteja · · Score: 1, Informative

      Well, the consciousness of security today has grown, but still not a lot understand what it means and how far it should go. No one loves security, not even those who have this as their job... but most people---managers, system administrators and users alike---at some point in their careers feel that they'd better learn it, or at least try to understand it... some who learn... they also learn to teach..

    2. Re:auditor jokes thread.... :) by rajpatel32 · · Score: 0, Redundant

      ====those who can, do... those who can't, teach... and those who can't teach, audit...

      I LOVE THAT COMMENT!!!!!!

    3. Re:auditor jokes thread.... :) by Aussie · · Score: 1

      What is the definition of an auditor ?

      They are the people that go around after a battle and shoot the wounded.

    4. Re:auditor jokes thread.... :) by DennisMichaelMathews · · Score: 1

      Roles - Definitions (s/w)
      Project Manager - Person who thinks nine women can deliver a baby in one month.
      Developer - Person who thinks it will take 18 months to deliver a baby.
      Onsite Coordinator - One who thinks a single woman can deliver nine babies in one month.
      Client - The one who doesn't know why he wants a baby.
      Marketing Manager - Person who thinks he can deliver a baby even if no man and woman are available.
      Resource Optimization Team - Thinks they don't need a man or woman; they'll produce a child with zero resources.
      Documentation Team - Thinks they don't care whether the child is delivered, they'll just document 9 months.
      And at last, one for the team, ladies and gentlemen!!!!!!!!!!
      Quality Auditor - The person who is never happy with the process to produce a baby.

  5. Comparison To Security Engineering? by aldheorte · · Score: 1

    Is anyone in a position to compare this book to the following?

    http://www.cl.cam.ac.uk/~rja14/book.html

    1. Re:Comparison To Security Engineering? by whizistic · · Score: 4, Funny

      Yes. How to Cheat at Managing Information Security is to Security Engineering as reading about morse code is to designing a fiber optic network. Hope that helps.

    2. Re:Comparison To Security Engineering? by Philip+K+Dickhead · · Score: 2, Funny

      God, I wish I had mod points for this.

      Mod +4 Good Analogy
              70% Funny
              30% Good Analogy

      --
      "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    3. Re:Comparison To Security Engineering? by KC7JHO · · Score: 1

      Wow that basic eh? Fiber optics is all about flashing lights at the correct speed and duration down a long "tube" after all. Guess you could even send the data as morse code if you really wanted to.
      And here I was thinking of actually taking a look at this book. Thanks for the heads up!

    4. Re:Comparison To Security Engineering? by rajpatel32 · · Score: 1

      Ross Anderson's Security Engineering is a great book. It is a classic.

      One of the 5 best info sec books ever.

      From what I have seen of this book, you can't compare the two.

    5. Re:Comparison To Security Engineering? by computational+super · · Score: 1

      Actually, Senator Ted Stevens has released a good introduction to the basics into the public domain. If you're having trouble with the link above, let me know and I'll see if I can send you an internet.

      --
      Proud neuron in the Slashdot hivemind since 2002.
    6. Re:Comparison To Security Engineering? by u38cg · · Score: 1

      Having just ploughed through it, yes. Security Engineering is a pretty powerful introduction to not just network security, but how to approach security at just about every level, from international politics, to commercial entities, to physical protection, internal policies, through hardware down to the nitty-gritty of how the bits can be moved around securely. Extremely densely referenced and incredibly wide ranging but never impenetrable. I'm not a computer scientist by any means, but I learnt an awful lot from that book. Reading the review, I would say the current offering is probably interesting reading if you are responsible for securing a corporate network, but if you are at all interested in security in a wider sense, then Security Engineering is a must read. And it's free for download, now ;)

      --
      [FUCK BETA]
    7. Re:Comparison To Security Engineering? by tt075711 · · Score: 1

      Maybe you are right... But I mostly prefer How to Cheat at Managing Information Security, as it covers the concepts of security and the non-technical principles and practices of security, and provides basic information about the technical details of many products - real products, not just theory..

  6. Ain't that the truth by Billosaur · · Score: 4, Insightful
    The scenario is described in 'Practical Unix and Internet Security' where author Professor Gene Spafford spells out Spaf's first principle of security administration. This principle states that 'if you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong'. Spaf's principle is a cruel reality faced by many of those responsible for information security.

    This same principle applies to a great number of jobs in IT. If it's your job to create content for display on the Internet/Intranet and you aren't given the proper access and tools to get the job done, it is often your fault for the failure, even though you're at the mercy of others. Same goes for bad project management; if a project is slow or fails, it's not because the project manager was an ignorant troll, but was in fact due to the "inability of programmers to meet their goals," even though the goals and timelines were unreasonable and ultimately futile.

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:Ain't that the truth by MeNeXT · · Score: 2, Insightful

      I would advise you to run if you work at a company like you described. First and foremost, this shows completely incompetent people are managing the business administration side. If they can blame one individual for all the security problems at the company, could you imagine how their financials are?

      People need to work as a team and be evaluated as a team. If upper management accepts the scapegoat, then they probably created the problem in the first place. Otherwise they need to resolve the issues as a group. If one person was that incompetent then you would not need an audit.

      --
      DRM? No thanks, I'll just get it somewhere else...
    2. Re:Ain't that the truth by Karellen · · Score: 4, Interesting

      "Authority and responsibility must be equal - else a balancing takes place as surely as current flows between points of unequal potential. To permit irresponsible authority is to sow disaster; to hold a man responsible for anything he does not control is to behave with blind idiocy."

      -- Robert A. Heinlein, _Starship Troopers_

      --
      Why doesn't the gene pool have a life guard?
  7. I'm sure the publisher would like their name... by talaski23 · · Score: 1, Informative

    spelled correclty.

    I believe it's Syngress (note the extra "s" at the end)

    http://www.syngress.com/

    1. Re:I'm sure the publisher would like their name... by GuyverDH · · Score: 2, Funny

      "spelled correclty." --- "spelled correctly."

      --
      Who is general failure, and why is he reading my hard drive?
    2. Re:I'm sure the publisher would like their name... by rikkards · · Score: 1

      There must be a law about when critiquing someone's post that the poster will invariably misspell their critique.

  8. General thoughts.... by King_TJ · · Score: 3, Insightful

    This may be a little off-topic, but I can't help but feel that the job title of "information security specialist/officer/manager/etc." is generally bogus from the start, at least as it pertains to "end users" of technology.

    I'm *not* saying that we don't need or shouldn't respect people who make a point of studying information security. But rather, that these people are most effective when they're working to build security appliances, hardware, and software that will eventually be purchased by I.T. staff. Or perhaps, when they have a specific task related to tracking down fraud in a telecommunications environment.

    In most corporations, it seems like the person or people appointed as "information security" are really just getting paid to be the fall guy(s) if and when something goes wrong. They want someone to point a finger at. The "infosec specialists" I've run across rarely have very many useful computer skills to offer a business. Rather, they're mainly good at writing up policies and procedures they insist everyone should follow for "safe computing". They can go into great detail about why a particular update patch for a router or TCP/IP stack is important for preventing a theoretical attack - yet they can't even troubleshoot a single hardware failure due to bad RAM or a failing hard disk in a workstation.

    The "rank and file" I.T. staff and management probably have just about as good a track record of keeping a given computing environment reasonably "secure", as long as they're diligent about keeping things updated and patched, and following some common sense procedures. They may not know (or care!) about all the technical details of why a given patch is effective, but it doesn't end up making much difference.

    1. Re:General thoughts.... by Grimfaire · · Score: 3, Informative

      Then you really don't understand how a good secop person works, or have only worked with bad ones. A good one will not only help write the policy (yes, help... it takes an entire IS staff and many others outside of that area to come up with a good Security Policy) but will audit and help fix everything throughout the network. Gone are the days where a security person is the guy who manages the firewall. The real security IS people are in charge of the entire onion. Each layer of the network needs to be hardened and protected just as much as the perimeter.

      It's more than just keeping up on patches, although that is part of it. It's staying abreast of the latest exploits and techniques, managing logs from all the machines, not just firewalls, developing authentication procedures, and many more. It's quite often a fight between the InfoSec guys and the regular IS guys when something is implemented. Is the implementation done for the user first or security first? Commonly, it's user first, security second, and it's the job of the InfoSec guys to make it the other way around. Only by choosing security first do we set a bed for a secure network.

      I've been every part of the IS infrastructure from data entry to network engineer to system admin to infosec. The good infosec guys are the ones who have done everything. They are most likely not the best at anything (except security) but they need to know a little about everything, otherwise they're just a firewall jockey and not worth paying IMO.

    2. Re:General thoughts.... by Soko · · Score: 1

      Lemme guess - you're a sysadmin, right?

      I agree that most security officers don't know jack about what patches are truly needed and why, just that they are needed to reduce the risk to business continuance. IOW, they are liaisons to the people who have other things to do besides deploy updates and who need to learn why sysadmins would ban those bloody sticky notes from any office with a PC in it.

      They are business people, not IT people, so stop treating them as such.

      Soko

      --
      "Depression is merely anger without enthusiasm." - Anonymous
    3. Re:General thoughts.... by King_TJ · · Score: 1

      Well, it may be quite true that I've "only worked with the bad ones" ... but I guess I question the "value" they really add to the typical business workplace.

      For starters, I'm of the opinion that the user *must* come first - so maybe I'm fundamentally at odds with the basic premise of their work. But from 15+ years of experience with computers and I.T., I've become convinced that usability MUST trump security, or else you've wasted your money. The trick is to make things as secure as possible, without crossing the line and damaging usability/usefulness of the environment.

      It's not unlike what people do with their very own homes. A "security expert" could surely come into 99.9% of households and implement hundreds of rules that would make the place more secure against break-ins and theft. Perhaps he/she would eliminate all of the existing locks on the doors (too easy to pick?), change out all of the windows (too easy to be pried open?), and force all the valuables to be locked away in a bank's safe deposit box, instead of kept in dressers. Surely, an alarm system would be installed with motion and glass breakage sensors, and a long, difficult-to-guess passcode that has to be punched in to disarm it each and every time you enter. The list goes on, but you get the idea. People are usually willing to accept a slightly higher level of "risk" in return for the cost-savings and convenience afforded by skipping some of those measures.

      With computing, at the end of the day, you *still* have to grant access to sensitive data/documents to certain people, or no work can be accomplished. Those people will *always* be able to digitally steal copies of that information if they so desire. You'll also suffer serious inefficiencies if, for example, your firewall is locked down so tightly that a software vendor can't remote control in via PC Anywhere or the like to assist an employee.

      As I stated before, there are exceptions to all of this. If you work in a government-controlled, classified environment, then security probably DOES trump usability. But it's understood that the situation warrants the extra inconvenience and expenses that it will cost.

    4. Re:General thoughts.... by Grimfaire · · Score: 1

      It's not a case of usability vs. security... it's a case of security having to be designed into the system first. Then make it usable for the users. There is no longer any case where you can toss one or the other out. But basing everything on the user first is a sure way to ignore or make securing an application/appliance/network/etc harder if not impossible.

      I've been doing one part or another of IT for close to 30 years and I've seen it all. Even in today's age, I'm working with a program where the first thing it does is grant the "Everyone" group full access to the drive it's installed on. By going with usability over security and not looking at both, the program has made it nigh impossible to create a usable and secure environment.

      Today's world... the only usable environment is a secure one. Sure, you can go overboard, implement or recommend policies that have no hope of being enacted or followed, but that is not security. That's someone who really doesn't understand what they are doing. A good security policy has to be followed and for this to happen it has to be usable. You can create policy all day long saying people have to have passwords of 20 characters with upper, lower, numbers, symbols with no 2 repeating in sequence or next to each other on a keyboard, but no one is going to follow that without writing it down. Thus breaking the entire reason for the policy in the first place. But if you understand your business model; like maybe it's a publishing firm that specializes in children's books... set passwords equal to entire phrases from their more popular books. They can carry the book around and no one is the wiser that it includes their password, and it's quite secure being very long and containing upper/lower, possibly numbers and certainly characters.

      This is what a good infosec guy does. It's more than just creating policy in a vacuum. It's creating a secure computing environment. This will only happen if the users can and will follow the procedures.

    5. Re:General thoughts.... by Anonymous Coward · · Score: 0

      As I stated before, there are exceptions to all of this. If you work in a government-controlled, classified environment, then security probably DOES trump usability. But it's understood that the situation warrants the extra inconvenience and expenses that it will cost.

      Actually, even in government controlled classified environments you still have to think about usability, you can't shut out the user because their software isn't on "list x" of approved software - "The mission comes first." Granted, in those environments you have crazy levels of physical security preventing access of the systems to unauthorized persons in addition to strict IS policy.

    6. Re:General thoughts.... by cmarkn · · Score: 1

      There is a very simple rule for figuring how secure a system needs to be: It should cost more to break into the system than the information it contains is worth.

      A lot of day to day information doesn't need much security because it will be obsolete at the end of the day. On the other end, there are secrets that are the entire basis of your business, and these have to have real security. An example of this would be the formula for Coca-Cola. There is no way it belongs on any networked computer, because the entire multi-billion dollar corporation depends on it, despite whatever trouble this makes for users.

      --
      People should not fear their government. Governments should fear their people.
    7. Re:General thoughts.... by pmc · · Score: 2, Insightful

      For starters, I'm of the opinion that the user *must* come first - so maybe I'm fundamentally at odds with the basic premise of their work.

      Yes, you are at odds with the basic premise. What comes first is the risk analysis. What are you trying to protect? What are the threats? Who are the agents attacking it? Are you trying to keep something confidential, or are you trying to preserve integrity, are you trying to keep availability of the system?

      Then, when you know what you are trying to achieve, you can then design a system that achieves it. You obviously try to maximise usability within the constraints that you have identified, but you are not a slave to it. Lots of environments - not just government controlled - have these requirements - medical computers, power generation, financial industry, building control systems and so on.

      A "security expert" could surely come into 99.9% of households and implement hundreds of rules that would make the place more secure against break-ins and theft.

      No - a security idiot would do this. There are lots of experts - usually your local police force - who will give good advice: deadlocks, window locks, prickly plants below ground floor windows, that kind of thing. You could give a long list of rules, but any sensible security person would not. However, what you would be advised to do will be different in different cases: in a high crime area you may be advised to get a better door if yours is weak. This comes down to the risk analysis mentioned.

      With computing, at the end of the day, you *still* have to grant access to sensitive data/documents to certain people

      Yes - the skill is making sure that you are granting the right access to the right people, and you know when they accessed it, or changed it, or printed it: Authentication, Authorisation, Auditing - one of the trinities of security. How well you need to know depends on, you guessed, your risk analysis.

    8. Re:General thoughts.... by Anonymous Coward · · Score: 0
      They may not know (or care!) about all the technical details of why a given patch is effective, but it doesn't end up making much difference.

      I have to admit, however unfortunate this is, that it is absolutely true. So true in fact I end up dealing with it on a semi-daily basis.

      I have a problem where more often than not I get too technical about an explanation of why or how something works when I talk to my boss and he gets pissed at me. Now perhaps I shouldn't say I have the problem here, but getting yelled at for not being general enough for him is a problem because I have to say it really pisses me off. He doesn't have the schooling in technical areas like filesystems (what's an inode and how can you run out?), TCP/IP (What? There's more than TCP and UDP, you're a liar! OK, and ICMP...) & communications (I wouldn't expect him to know what CSMA/CD means, or even why it sucks) or even what the difference is between Solaris and Linux (What do you mean this binary for Solaris (on Sparc64) won't run on a Compaq server???). He tries to joke about these things to cover up his ignorance, but unfortunately when it actually comes into play he gets pissed and tries to divert the discussion to "Just fix it" which isn't a discussion at all. Then he gets pissed when the fix has drawbacks that he doesn't understand either. Not to go into too many details, but I just hope, and this seems to be the case, that I am not the only one out there that deals with ignorant bosses.

      Oh, and don't even get me started about network security (It's impossible to sniff a switched LAN! Prove it... That's right you can't 'cause you made it up!)...

    9. Re:General thoughts.... by Nonesuch · · Score: 1
      King_TJ writes:
      yet they can't even troubleshoot a single hardware failure due to bad RAM or a failing hard disk in a workstation.
      Really? That's weird. Where I work, the only staff who actually have the skills and methodical nature to effectively troubleshoot problems are the "infosec specialists". The desktop support people, the network analyst, the system admins, they all just automatically say "It must be a firewall/IPS/AV/ACL problem" and don't bother to do any sort of fault isolation, or if that doesn't stick, call the vendor and ask them to send out an engineer under our "platinum" service contract.

      The "rank and file" I.T. staff and management probably have just about as good a track record of keeping a given computing environment reasonably "secure", as long as they're diligent about keeping things updated and patched, and following some common sense procedures. They may not know (or care!) about all the technical details of why a given patch is effective, but it doesn't end up making much difference.
      Again, the opposite of my experience. The rank and file are most concerned about uptime and SLAs, and reluctant to apply patches and updates, particularly emergency patches not released on the second Tuesday of the month, because that means taking an unscheduled outage and making a change that might impair stability or other key metrics. I'm not saying you're wrong, just that your experience doesn't match my (various Fortune 500 and dot-com firm) experiences.
    10. Re:General thoughts.... by TT074317 · · Score: 1

      Wherever the security group is placed in an organization, its ultimate success or failure is likely to be determined by its level of autonomy and independence. Unfortunately, in far too many organizations, information security is not given that liberty. It is often placed in a subservient role to groups with opposing interests. Any security group or security manager placed in such a situation should likely start working on their resume. The scenario is described in 'Practical Unix and Internet Security' where author Professor Gene Spafford spells out Spaf's first principle of security administration. This principle states that 'if you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong'. Spaf's principle is a cruel reality faced by many of those responsible for information security.

    11. Re:General thoughts.... by aminorex · · Score: 1

      I agree heartily about security policy being, in any rational scheme, a product of principled risk management. But it is worthwhile to observe that the principal risk involved is damage to business processes -- and that risk does not come only from intrusions, but also from the security policies themselves. To put it starkly: Security policies are no less potentially damaging to an enterprise than intrusions are. Both, in the worst case, have the ability to damage the enterprise fatally. While we generally assume that the CSO or CIO or NSE is on "our side", experience proves that this is often not the case. He or she is really on their own side. Security policy, therefore, should be derived from an *independent* business process analysis, and incorporate enough adaptability to accommodate innovation and initiative in business process.

      --
      -I like my women like I like my tea: green-
  9. MOD PARENT DOWN by Anonymous Coward · · Score: 0

    Who's the spammer? You put a referrer link in your post, while in the OP there's none to be found.

  10. Defense in depth. by khasim · · Score: 4, Insightful

    The only reason I'd like to see decent firewalls on the workstations is for more "depth" to my security model.

    With a firewall, it is a single point that can be cracked. If that is your only security point, you'll be wide open if it is ever cracked. And "cracked" also includes "someone brings in an infected laptop".

    Now, on the workstation level ...
    #1. No services running that aren't absolutely necessary.

    #2. No open ports that aren't absolutely necessary.

    #3. Any open ports/running services will ONLY accept connections from my servers / admin workstations. Anything else is logged and I am alerted.

    Most of this can be accomplished with an IDS. I'd like the workstation firewalls AND the IDS. Having multiple checks is good. (and the firewall, you need the firewall)
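    A host-side check for rules #1 to #3 above, added here as an example that is not part of khasim's post or of any project on the page: it audits a constructed `ss -ltnp`-style socket listing against an allowlist of expected listeners, and reviews constructed host-firewall log lines to alert on connections that did not originate from the admin and server subnets. The policy values, the log line format and every sample line are constructed for this example.

```python
"""Workstation exposure audit (constructed example).

Rule #1/#2: every non-loopback listener must be on an explicit allowlist.
Rule #3:    any connection to the host from outside the admin/server
            subnets is reported; an ACCEPTed one is a policy failure.
"""
import ipaddress
import re

# Hypothetical policy: admin/server subnets and the only listeners allowed.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24"),   # admin workstations
              ipaddress.ip_network("10.0.1.0/24")]   # management servers
ALLOWED_LISTENERS = {22: "sshd", 5985: "winrm"}      # port -> expected process

# Constructed sample in the shape of `ss -Hltnp` output (not captured data).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=902,fd=7))
LISTEN 0 50 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=1201,fd=35))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=811,fd=4))
"""

# local address (IPv4, or IPv6 in brackets), port, and first process name
SS_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def audit_listeners(ss_output, allowed=ALLOWED_LISTENERS):
    """Return (port, process, reason) for each listener that breaks the policy."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_RE.match(line)
        if not m:
            continue
        addr, port, proc = m.group(1).strip("[]"), int(m.group(2)), m.group(3)
        if ipaddress.ip_address(addr).is_loopback:
            continue  # reachable only from the host itself; not LAN exposure
        if port not in allowed:
            findings.append((port, proc, "not in allowlist"))
        elif allowed[port] != proc:
            findings.append((port, proc, f"expected {allowed[port]}"))
    return findings


# Constructed host-firewall log lines; the format itself is invented here.
SAMPLE_LOG = """\
2007-01-12T10:15:02 ws-042 ACCEPT tcp src=10.0.0.15 dst=10.0.5.42 dport=22
2007-01-12T10:15:09 ws-042 DROP tcp src=10.0.5.77 dst=10.0.5.42 dport=22
2007-01-12T10:16:41 ws-042 DROP tcp src=192.168.7.9 dst=10.0.5.42 dport=445
2007-01-12T10:17:00 ws-042 ACCEPT tcp src=10.0.5.78 dst=10.0.5.42 dport=5985
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (ACCEPT|DROP) (\S+) src=(\S+) dst=\S+ dport=(\d+)$')


def review_firewall_log(log_text, admin_nets=ADMIN_NETS):
    """Return (severity, timestamp, host, src, dport, action) for every
    connection attempt whose source is outside the admin/server subnets.
    A DROP is a WARN (rule #3 worked, someone still knocked); an ACCEPT is
    CRITICAL because the firewall let a non-admin source in."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, host, action, _proto, src, dport = m.groups()
        src_ip = ipaddress.ip_address(src)
        if any(src_ip in net for net in admin_nets):
            continue  # expected management traffic
        severity = "CRITICAL" if action == "ACCEPT" else "WARN"
        alerts.append((severity, ts, host, src, int(dport), action))
    return alerts


if __name__ == "__main__":
    for port, proc, reason in audit_listeners(SAMPLE_SS):
        print(f"listener {proc} on port {port}: {reason}")
    for sev, ts, host, src, dport, action in review_firewall_log(SAMPLE_LOG):
        print(f"{sev} {ts} {host}: {action} from {src} to port {dport}")
```

Against the constructed sample this flags the SMB listener on 445 as unexpected and raises one CRITICAL alert for the peer workstation that was allowed in on 5985, which is exactly the case rule #3 is meant to catch.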

    1. Re:Defense in depth. by growse · · Score: 2, Insightful

      Of course, you're absolutely correct. Anyone who thinks that a single security device/solution will solve all their problems is barking. I was thinking from a more datacenter-oriented point of view, whereby I have lots of boxes, which may all only run a couple of services each (I have webservers, FTP servers, DNS servers, DB servers etc). The rules governing what data can go from A to B tend to get quite complex, and a centralised firewall solution to managing this is the most secure and maintainable.

      Of course, the basic security procedures you described should be applied over and above a firewall.

      --
      There is nothing interesting going on at my blog
  11. Memories by Aqua_boy17 · · Score: 4, Interesting
    Osborne never hides his feeling about auditors
    I had to smile when I read this as it took me back to my first financial audit years back. I nervously awaited our internal auditor who had a reputation for being completely ruthless in his approach and did not give a fig if heads rolled as a result of his findings. When he first met with me, he began with a story: "You know, we auditors are often compared to soldiers, and your brothers-in-arms in the field. The only difference with us is that we fix bayonets to our rifles, and go around stabbing our own troops while they lay wounded on the ground. Now, with that out of the way let's begin your audit." I suppose that would have made most people nervous, but I was charmed by his candor, and actually wound up getting along with him quite well in the end.

    I suppose my point in telling that is that you can look at auditors two different ways. Either they're there to help you, or they are there to get in your way and point fingers. I believe that most genuinely good auditors try to be more like the former and less like the latter. And you can learn a lot from them if you remain objective and cooperative. God help you if you get the other kind though as they are usually just nothing but self-promoting tattle-telling toadies.
    --
    What if the Hokey Pokey really is what it's all about?
    1. Re:Memories by kfg · · Score: 1

      "You know, we auditors are often compared to soldiers, and your brothers-in-arms in the field. The only difference with us is that we fix bayonets to our rifles, and go around stabbing our own troops while they lay wounded on the ground."

      "Keeeeeeeeeeeeewl! Can ya do me a favor?"

      "Yeah, what's that?"

      "Go stab that bastard in the next cubicle over? He's got it coming."

      KFG

    2. Re:Memories by Darth+Muffin · · Score: 5, Interesting
      That reminds me of my experience a few months ago. We were in for our Sarbanes-Oxley (SOX) audit. One of the policies to comply with SOX is not to allow any non-company machines on the network (finally! Been wanting that for years.).

      Of course the first thing the auditors want to do is plug into our network so they can get their email. I said no, because if we do, it violates SOX and we fail their audit. They asked how they're supposed to audit us then if they can't use their e-mail? Not my problem, refer up to management :)

      I actually won this round. We ended up isolating a portion of the network so they could have access straight to the Internet.

      --
      Real programmers use "copy con program.exe"
    3. Re:Memories by gosand · · Score: 4, Funny
      Of course the first thing the auditors want to do is plug into our network so they can get their email. I said no, because if we do, it violates SOX and we fail their audit. They asked how they're supposed to audit us then if they can't use their e-mail? Not my problem, refer up to management :)

      We had a similar discussion with our auditors. It wasn't SOX, it was SAS70, but still a process audit. What I thought was hilarious was when I walked past the conference room that the 3 auditors had occupied, and there sat their 3 laptops, screens unlocked and nobody in the room. The urge to set their background image to goatse was almost overwhelming, but I thought better of it.

      --
      My beliefs do not require that you agree with them.

    4. Re:Memories by xxxJonBoyxxx · · Score: 1
      They asked how they're supposed to audit us then if they can't use their e-mail?
      At that point I would have asked them what they needed to send via email and how they planned to secure it. This reminds me of a case I saw with a Big accounting firm where they wanted to post some unencrypted network security results on an Internet-facing web server...
    5. Re:Memories by La+Fortezza · · Score: 1

      I would have a little more compassion for auditors if they weren't fscking idiots. I'm fed up with the morons that PriceWaterhouseCoopers, Accenture, KPMG, IBM GS, etc send us.

    6. Re:Memories by RMH101 · · Score: 1

      I am loving this and the parent comment. Suspect if I started pointing this out to our auditors that we'd lose our licence to operate, but it's very tempting...!

    7. Re:Memories by smaughster · · Score: 1

      As an IT auditor, I completely agree with you. In fact, if my colleagues forget to lock screens or are anal about their own procedures, you bet I let them know, as do most of my colleagues. You'll always have anal auditors and ones that don't know the stuff they should be auditing. That said, every single audit I have participated in has resulted in at least one or two major findings on things that any competent IT department should never have allowed in the first place. Sadly, I am convinced there still is a place for auditors, because even the anal ones will find the major points.

      --
      I intend to live forever, so far so good.
  12. Re:Be like Slashdot by Linux_ho · · Score: 4, Funny

    Make dupes, grammer errors and spelling errors

    Pot, I'd like to introduce you to my good friend kettle. Kettle, this is pot. I believe you two have a lot in common, so play nice, OK?

    --
    include $sig;
    1;
  13. The parent is right! by Anonymous Coward · · Score: 1, Insightful

    I'm not sure the comments about firewalls are accurate. Sure, if every software maker paid attention well to security, then we'd be in a lot better position than we are now, but I'm not necessarily sure that building firewall-level security into every application is a good thing.

    I'm not sure it's possible, let alone feasible.

    How is my application supposed to know how my network is configured? Do I have to let every application snoop into my network config? That doesn't sound secure to me...

    My firewall knows about my network. My applications don't. My firewall can tell if a packet came from inside or outside the network, and dispose of it accordingly if the IP address doesn't match basic traffic analysis (like packets from the outside world that claim to be from inside the network). Applications can't do that without the same intimate knowledge of my network that my firewall has. I shouldn't have to give it to them.

    Let firewalls keep the bad packets out. Let applications deal with the data layers. It's that simple.

  14. The Necessity of Auditors by Petersko · · Score: 3, Insightful

    Auditors are necessary because IT workers often can't be trusted.

    I'm not saying they are crooked... I'm saying a lot of them rebel against structure, employ "fly by the seat of the pants" methodology, refuse to participate in process tracking, avoid completing paperwork, and think that the "art" of their business means they should be able to do things their way.

    I think IT workers in general (probably including me) need to be watched like hawks. Otherwise we end up with broken chains of approval, unmaintainable code, and important things resting on the shoulders of "the guy in the room". You know, that guy who never provides status reports and vanishes for months at a time, emerging with a completed product that may or may not do what is intended.

    1. Re:The Necessity of Auditors by bzipitidoo · · Score: 4, Interesting

      To the contrary. Necessary structure is good, and IT workers know that. A lot of managers are bad. They try to impose methodologies that do not fit the problems, and demand excessive structure and paperwork. They demand schedules, and then superficially alter them until what might have been a reasonable best guess is now a death march. They think things should be done "their" way, and get in the way. That is extremely irritating when they demonstrably don't know what the heck they're doing, and can't or won't see that. IT workers don't want to hand those guys any more rope than they must; they know it's only going to be used to hang everyone. What you see as rebelling against structure itself, I see as rebelling against the abuse of structure, and against those who think the "art" of management means they don't need to know anything about the technology or science, let alone the boring technical details. They only need to know how to make engineers be productive, avoid being blamed for problems, and get the credit.

      Of course a classic way to avoid blame is to make stupid rules and then point to the engineering geeks' supposed lack of discipline for not following those rules. Really great when there's a handy stereotype available. Most people aren't going to provide accurate status reports with useful content if the main use of it will be against them. I'd say not giving a status report at all is more honest than giving a status report that's nothing but evasions, fluff, misdirection, boilerplate, and such garbage.

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    2. Re:The Necessity of Auditors by Panaflex · · Score: 2, Interesting

      Well, I call bologna..

      I worked as a developer at a LARGE company - as their credit card server admin & developer (actually a small part of my other tasks).

      My first two years, auditors wanted to get copies of the credit card records - and I refused. I told them I could allow them access to review them at the location and they still wanted to have copies. Nope.

      I left the company - and less than a year later, well, you know the story. Auditor gets copies on laptop, laptop gets stolen. Big news story.

      Auditors blow goats - if those guys are serious about security then they'd spend less time trying to sell us services and more time evaluating their own process. They should know better than to take records offsite unprotected in any form. And yet, they couldn't see the problem. I just don't understand.

      --
      I said no... but I missed and it came out yes.
    3. Re:The Necessity of Auditors by kfg · · Score: 1

      . . .that guy who never provides status reports and vanishes for months at a time, emerging with. . .

      . . .UNIX!

      KFG

    4. Re:The Necessity of Auditors by AbbyNormal · · Score: 1

      Ever work in a small business IT Shop? Check, Check, Check, Check and yes...Check.

      --
      Sig it.
    5. Re:The Necessity of Auditors by movienut · · Score: 1

      IMHO I think the problem mostly lies in understaffing when it comes to keeping things running, updating old things, installing new things, helping users, recovering broken things, etc.... and then there is audit work...

      DCAA audits, SOX audits, DSS audits, quarterly internal audits for SOX, etc...

      You could meet all the paperwork, process, etc.. for all of the above, if there were 28 hours a day to do it all, or a properly staffed IT department. Unfortunately, most places have neither.

    6. Re:The Necessity of Auditors by therealsludge · · Score: 1

      I call BS. I am the administrator of two SOX controls for our Workstation environment. One is a "Workstation Hardening" control (what a joke), and the other is some cluster about having to hit Ctrl-Alt-Delete to see if a user that doesn't exist on the machine or domain can log onto the computer(yes, I'm serious).

      I've tried to help the auditors understand that my two controls make absolutely no sense, which basically fell on deaf ears. From an IT person's perspective, auditors are there to try to tell us how we should do our job, and the procedures we should take to do our jobs. Most of the auditors I've met can be completely snowed when it comes to technology, so why do we allow them to audit our environment?

      The comment from this poster about "IT workers often can't be trusted"... Well... I'm really disappointed that someone that claims to be an IT person would actually say that. We are hired, and should be trusted, since a majority of us have our own checks and balances to make sure that our environment is secure, and it is in our best interest to make sure that it is. The problem usually is from processes and procedures developed by people that have absolutely no business being in IT.

      BTW: I'm sure that this is wrought with grammatical/spelling errors. Well... Get over it.

    7. Re:The Necessity of Auditors by dbIII · · Score: 1
      If you are in the situation where you are determining the process you can't stick to it. The solution to this is to have areas where the rules apply, some sort of isolated development setup where almost no rules apply, and make sure the rules are never tighter than they absolutely have to be. As an example, in a former career in engineering I had to throw out the carefully devised and verbose rules devised by the QA guy over fifty pages which even specified using Brand X sandpaper of a specific grit at each stage (which should only have been a guideline and never mention a specific brand) and replace them by a single line stating that the test was to be done to the particular ASTM and Australian standards.

      I've also worked with people that reboot the only domain controller on a whim, turn off fileservers that are in heavy use just to move power cables and consume all available bandwidth for hours and incur excess charges downloading dubious material when they are supposed to be working for the users - you need some rules if only to prevent all IT workers from being seen as the enemy of a business.

    8. Re:The Necessity of Auditors by yukon72008 · · Score: 1

      We definitely need auditors. Not to make our life difficult but to ensure that at least, to a certain standard, certain needed requirements are met. And some (probably) mind-boggling and tedious regulations are practiced (at least at the eleventh hour before the auditors come to check) to produce a better outcome than without them.

      The dilemma of IT workers needing auditors is probably somewhat relevant to the question of why students need exams -- to capture our understanding and ensure that we do our job ;)

  15. and you wonder why your employees think you suck by xxxJonBoyxxx · · Score: 3, Insightful
    "...if you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong."
    Take out "security" and fill in "hiring". Now you can probably see why the root problem is isolation of departments, not the fact that you can't taser people who don't change their passwords. Besides, who wants to listen to an on-high "security" department that says "do X or else" (often without explaining why "X" is bad). Learn to talk to people, use a few carrots and maybe fewer people (including your own employees) will think you suck.
  16. You are missing the point by asdavis · · Score: 1

    The point the author is trying to make is that if vendors spent the effort to ensure that their applications, databases, operating systems, servers, etc are coded securely, then the need for a firewall goes away. He is not endorsing putting firewall-type security on every node. Plain and simple, firewalls have become the crutch for poor security within an infrastructure. We hide behind them, rather than address the inherent security issues at hand. If an application had a good security model, strong authentication, wasn't vulnerable to buffer overflows or didn't run on a Microsoft product that keeps getting exploited on ports 135/139/445 every other week, then a firewall is redundant.

    --
    TECMATIC - Intelligent Technology News
    1. Re:You are missing the point by growse · · Score: 1

      A firewall really isn't redundant. At home, maybe, but what percentage of the firewall market do you think home users make up? Compared to corporates running huge datacenters?

      --
      There is nothing interesting going on at my blog
    2. Re:You are missing the point by asdavis · · Score: 5, Insightful

      Ok, let's assume that there is a huge datacenter behind the firewall. What does the firewall do to protect the datacenter? Generally, you do not allow direct inward access from the Internet into a DC proper. Rather, you use a DMZ to host exposed nodes. So in the end, for the DC, the firewall is just a router. It allows traffic from select DMZ nodes to access hosts inside the network. That's really the function of a router. However, we often filter as well to ensure that only the minimum ports and services that are required are passed. Why do we do this? Because we are concerned that the DMZ nodes might get compromised and be used as a gateway into the environment to compromise nodes on the internal network. Why are we concerned about this? Because we have come to accept that the vendors of server platforms, operating systems, middleware, databases, etc ship fundamentally flawed products. They are buggy, exploitable and are not carefully coded to prevent compromise. We trust firewalls, because they are very carefully coded and great pains are taken to ensure that they cannot (generally) be compromised. That is the author's point. Let's spend the time ensuring that products are as well coded as the firewalls and we do not need a firewall. Is this likely to happen? Probably not, but it is a valid point.

      --
      TECMATIC - Intelligent Technology News
    3. Re:You are missing the point by growse · · Score: 3, Interesting

      I disagree. In a datacenter, you'll probably have each service you provide divided up into various 'cells'. Each one of these cells may connect to the outside world in some way, either through the internet, or some large MPLS cloud, or whatever. Each cell will probably be split up in a number of different ways, traditionally a core and a DMZ. You probably have some sort of management lan infrastructure behind the whole thing as well. You might also want to have some of the cells communicate with each other on the backend, or to talk to a common db.

      Ok, so you've got firewalls between the WAN and your DMZ, firewalls between the DMZ and the core, firewalls between the core backend and any other cell, and firewalls between the management network and the cells. The situation tends to be slightly more than "You've got a datacenter behind a firewall".

      The whole point of this setup is so that if one portion of the datacenter is compromised, you isolate that to the smallest possible area you can. If I want to only allow my management lan access during the hours of 10am and 4pm (silly, but bear with me), where do I configure that? On the firewall? Perhaps?

      Firewalls and routers are very different things. One tells the network traffic where to go, the other tells it if it's allowed to go there. Of course, this is invisible to the client, who just sends packets off which either find their route (allowed and routable) or don't (either routable and not allowed, or just not routable). Even if all of my applications and OSes weren't fundamentally flawed, I'd be an idiot not to use firewalls, because of the amount of control they allow on the network. If I want to shut down access from one network on a specific port, I can do it quickly and easily on a firewall. This isn't even possible for the application to do a lot of the time as it's just seeing packets coming from the router, and doesn't necessarily know where they started out life.

      --
      There is nothing interesting going on at my blog
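The segmented layout growse describes (WAN, DMZ, core, a management LAN, and a time window on management access) can be modelled as a small default-deny zone policy. The block below is an added example written for this page, not code from the thread or from the book under review; the zone names, ports and rules are constructed for illustration.

```python
"""Zone-based firewall policy model (added example, not from the thread).

Models a layout with WAN -> DMZ -> core, a separate management LAN, and a
time-window rule for management access. First matching rule wins; anything
unmatched is denied, which is what keeps a compromised cell contained.
Zone names, ports and the time window are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]                  # None means any destination port
    action: str                           # "allow" or "deny"
    window: Optional[Tuple[time, time]] = None  # (start, end) local time; None = always


def _in_window(window: Optional[Tuple[time, time]], now: time) -> bool:
    """A rule with no window always applies; otherwise start <= now < end."""
    if window is None:
        return True
    start, end = window
    return start <= now < end


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, dport: int, now: time) -> str:
    """Return the action for a flow between two zones at a given time.

    Default deny: a flow that matches no rule is refused, so the policy has
    to list every path explicitly rather than every path to block.
    """
    for r in rules:
        if r.src_zone != src_zone or r.dst_zone != dst_zone:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if not _in_window(r.window, now):
            continue
        return r.action
    return "deny"


def reachable_from(rules: List[Rule], src_zone: str,
                   candidates: List[Tuple[str, int]], now: time) -> List[Tuple[str, int]]:
    """Blast-radius check: which (zone, port) pairs can src_zone reach right now?"""
    return [(z, p) for z, p in candidates if evaluate(rules, src_zone, z, p, now) == "allow"]


# Constructed policy for the example layout.
MGMT_HOURS = (time(10, 0), time(16, 0))
POLICY = [
    Rule("wan",  "dmz",  443,  "allow"),                      # public web front end
    Rule("dmz",  "core", 5432, "allow"),                      # DMZ talks to the core DB only
    Rule("mgmt", "dmz",  22,   "allow", window=MGMT_HOURS),   # admin SSH, office hours only
    Rule("mgmt", "core", 22,   "allow", window=MGMT_HOURS),
]

# Candidate destinations used when asking "what can a compromised DMZ reach?"
CANDIDATES = [("core", 5432), ("core", 22), ("mgmt", 22), ("wan", 443)]


if __name__ == "__main__":
    print("DMZ can reach:", reachable_from(POLICY, "dmz", CANDIDATES, time(12, 0)))
    print("mgmt->dmz:22 at 16:05 ->", evaluate(POLICY, "mgmt", "dmz", 22, time(16, 5)))
```

Because the management rules are the only path into the core on port 22, and the DMZ has no rule towards the management zone at all, a compromised DMZ host is limited to the single database port the policy names; that is the containment property the post is describing.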
    4. Re:You are missing the point by Xaria · · Score: 2, Insightful

      You are STILL missing the point. If applications were written so they couldn't BE compromised, then it wouldn't be necessary to have firewalls. And there's always a way in - via the VPN that the systems administrators use if nothing else. Hack their workstation at home perhaps. Firewalls give a false sense of security. You *think* no one can get at your applications, so you get sloppy about other things such as IDS/Tripwire and so forth. I've seen it in my current workplace, and it's just the wrong attitude to take. Firewalls are a BACKUP because you know the software is faulty somewhere. If you have them in place for any other reason then you need to rethink their purpose.

      Most routers route traffic in a transparent manner, so yes the application can see where it comes from. Ever seen your router listed in your Apache logs? No? I didn't think so. I recognise that rinetd and similar tools that run in user space are less transparent, but those are generally hacks anyway and the firewalls can't tell the source of those packets either.

      The firewall is not necessarily the best place to configure LAN access either. All that does is increase support calls "it's 4:05 pm and my LAN access is down". Waste of administrator time. Better to have a policy on your AD server. And if you don't have centralised workstation management then that's a different problem entirely. In a large organisation the team managing the firewalls ("Security") is separate from the workstation team which is separate from the UNIX server team which is separate from the Windows server team which is separate from the network team. So if your machine gets compromised whose fault is it? The server team? Security? Who made the mistake? Hooray, we had a firewall so it's not our fault, let's pass the blame on to the security team, who will pass it back saying that you wanted that port to be let in ... what a thorough waste of resources.

      Yes, I use firewalls. Yes, I think they're necessary. Yes, I think that application developers should all be required to attend a course on how to code in a secure manner. The number of hacks I have seen to get something working makes me shudder.

    5. Re:You are missing the point by Matilda+the+Hun · · Score: 1

      It depends on what you consider the "market". If you ignore the fact that every copy of Windows ships with a personal firewall, maybe, but more and more software companies are advertising to home users that "having a firewall makes you safe, because windows doesn't."

      Of course, at this point, most people are behind a router anyways, which has a firewall...

      So yeah, if you look in terms of "specifically bought as firewalls", then yes, I'm sure the corporate sector wins out. But in general, if you consider that a lot of things come with firewalls built-in with other types of software, then I'd say it's probably pretty close.

      --
      Tluin natha Linux xxizzuss uriu olt bwael mon'tun.
    6. Re:You are missing the point by growse · · Score: 1

      We'll just have to agree to disagree. The problem with applications that can't be compromised is that any user of that software has to trust the people who made it. Or do a complete code audit which is a) expensive and b) impossible. If a company could completely audit every single piece of software it used to make sure it was completely secure, it would *still* use firewalls. Why? Because you can't necessarily trust the guy who's doing the auditing.

      Of course, you can't trust the people who make the firewall software/hardware either, but it's quicker/easier to do extremely thorough security testing on one class of appliance (firewall) than on every single box in the datacenter.

      I'm absolutely not trying to argue that firewalls are the be-all and end-all of security. I completely agree that they can create a false sense of security. I'm trying to argue that they are essential, even if you think all of your code is secure.

      --
      There is nothing interesting going on at my blog
    7. Re:You are missing the point by Nonesuch · · Score: 1
      The way I deploy firewalls is as a component of "defense in depth", in part to ensure that one mistake or intentional act by one trusted individual cannot compromise the entire network. If you take that into account, then before your thought experiment could conclude that firewalls are not necessary, you have to postulate not only perfectly secure operating systems and protocols and applications, but also perfectly secure people.

      At that point, suspension of disbelief goes out the window :)

    8. Re:You are missing the point by a_n_d_e_r_s · · Score: 1

      People should stop:

      1. Buying faulty software.
      2. Hiring incompetent system administrators.

      The fact that both of the above are not the exception but the norm
      says something about the software industry that I don't like.

      --
      Just saying it like it are.
  17. Re:Be like Slashdot by computational+super · · Score: 1

    Perhaps it's time you started using FireFox so that you can install the "intentional irony detector" plugin.

    --
    Proud neuron in the Slashdot hivemind since 2002.
  18. Cheats by Anonymous Coward · · Score: 0

    I was hoping it would be a more succinct cheat.

    "Up up down down left right left right b a start on yer firewall gives your network 30 lives dude!"

  19. Save yourself $5.59 by buying the book here! by Anonymous Coward · · Score: 1, Informative

    Save yourself $5.59 by buying the book here: How to Cheat at Managing Information Security. And if you use the "secret" A9.com discount, you can save an extra 1.57%!

  20. Security Bricks by Anonymous Coward · · Score: 2, Informative

    This reminds me of a presentation I saw a while back from this guy Andrew Plato. He runs a security firm named Anitian (I think that is the right spelling.) He gives this hilarious presentation on all the stupid things companies and security vendors do. One of the funniest parts is at the end of his presentation. He does a "Ron Popeil" impersonation about the "Greatest Security Technology Ever Invented" while pointing to some mysterious item underneath a black sheet. He says something like "if you buy this technology, you're absolutely secure from everything. Nothing can hack you. Nothing can get you. How much would you pay!" When he pulls the sheet off the item, it is nothing but a big cinder block. He grabs the block and says "this is what you keep buying....bricks." Then he goes off on "faith-based security" and how most security vendors are selling nothing but snake oil.

    Every time I meet with a security vendor or auditing firm, I remember that brick. I laugh for a second and realize that about 50% of what these so-called experts are saying is nothing but sales BS. So many products are sold as "complete security" and they are almost worthless when you really look at what they do.

    It's an immensely entertaining and insightful presentation. I don't know if he tours around with the presentation, but if you get a chance to see it - go see it. It's one of the best trade show presentations I've seen in a long time.

    1. Re:Security Bricks by Anonymous Coward · · Score: 0

      Heh heh, I saw that too, in Portland, Oregon about 6 months ago. Plato is an intense guy. I met him once at some event. I like it when he goes off on vendors. He has a very down-to-earth perspective on security. That presentation is a riot. He should give it at RSA or Black Hat or something. I know lots of IT people who should hear what he says.

  21. Re:Be like Slashdot by Anonymous Coward · · Score: 0

    I think you give the original poster too much credit.

  22. Re:Be like Slashdot by Linux_ho · · Score: 1

    Perhaps it's time you started using FireFox so that you can install the "intentional irony detector" plugin.

    Yeah, I suspected intentional irony for a couple seconds, then decided it was a lot more likely to be a case of unintentional idiocy. And I'm already using Firefox.

    --
    include $sig;
    1;
  23. books... by K-074512 · · Score: 1

    good books if we can get our hands on ...books on 'how to cheat my wife' or books on 'how to cheat tax'...

  24. Why don't people focus on the content of the book? by rajpatel32 · · Score: 0

    All of the posts on this review have been about grammar, and other secondary topics. Why can't you focus on the topic at hand - a way to deal with information security from an experienced pro. Who cares if there are grammar errors? Don't shoot the messenger! Raj

  25. Focus on the review/main topic by rajpatel32 · · Score: 0

    Why are so many of the comments about grammar and other silly issues?

    Stay focused on the main topic - how information security is important. This seems to be a good book to help people learn from the mistakes of others.

    At least we agree that auditors are slime.

    Raj

  26. Claims to Be? by Petersko · · Score: 1

    The comment from this poster about "IT workers often can't be trusted"... Well... I'm really disappointed that someone that claims to be an IT person would actually say that.

    I work in a SOx-affected company as well, although we are on the Canadian side. Every year we go through auditing.

    So yesterday I'm looking into an open problem issue, one that has to go through several channels, and that must be tracked. And you know what the UNIX guy has put for the sum total of information relating to his part of the call?

    ACK

    That's why IT people need auditors.

  27. Re:The Importance of Outbound Filtering for Firewa by IT074775 · · Score: 1

    Microsoft's recent push into the consumer security market with its OneCare service, plus the upcoming release of its next-gen Windows Vista scheduled for the first quarter of next year, promise a load of security enhancements; however, it is without outbound protection enabled. This will most probably be a repeat of the situation with the Windows XP built-in firewall, where there were many functionalities missing.... The objective of a firewall is to provide comprehensive protection against threats, both inbound and outbound. With only inbound protection in place--even though you are protected from Internet-based attacks directed at your computer--any program, including malicious ones (viruses, spyware), can communicate data from your computer without restrictions. This is a dire situation as your personal information, business know-how or other critical data can leave your computer, bypassing the firewall's filters. This is also because antivirus, antispyware or other signature-dependent solutions cannot deter such attacks, as vendors have not yet assigned a proper fingerprint to identify the presence of a virus or spyware instance. Too often, the development process of the modern security industry is lagging the pace of malware writers.
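The post above argues that a firewall which only filters inbound traffic leaves every outbound flow unrestricted. One way to see what an outbound (egress) policy buys you is to review connection records against a small allowlist of expected destinations and flag everything else. The block below is an added example written for this page, not code from the thread or from any product it mentions; the log format, hosts, networks and allowlist are constructed for illustration and use documentation address ranges.

```python
"""Egress review over constructed connection-log lines (added example).

Flags outbound flows that fall outside a small egress allowlist, which is
the decision an outbound-filtering firewall makes per packet. Here it is
run after the fact over log lines so the effect can be inspected. The log
format, addresses and allowlist are constructed assumptions.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed record format: one flow per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) dir=(?P<dir>in|out)$"
)

# Constructed allowlist of expected outbound destinations: (network, port).
# A port of None would mean any port on that network.
ALLOWED_EGRESS = [
    (ipaddress.ip_network("198.51.100.0/24"), 443),   # assumed web proxy network
    (ipaddress.ip_network("198.51.100.53/32"), 53),   # assumed DNS resolver
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one record; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_egress(dst: str, dport: int) -> bool:
    """True if dst:dport is covered by some allowlist entry."""
    addr = ipaddress.ip_address(dst)
    for net, port in ALLOWED_EGRESS:
        if addr in net and (port is None or port == dport):
            return True
    return False


def find_unexpected_egress(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (src, dst, dport) for outbound flows the allowlist does not cover.

    Inbound records and unparseable lines are skipped; the point is only to
    surface traffic that an inbound-only firewall would never have examined.
    """
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dir"] != "out":
            continue
        if not is_allowed_egress(str(rec["dst"]), int(rec["dport"])):
            flagged.append((str(rec["src"]), str(rec["dst"]), int(rec["dport"])))
    return flagged


# Constructed sample log: two expected flows, one odd outbound port, one
# inbound record, one flow to the right network on the wrong port, and junk.
SAMPLE_LOG = [
    "2006-10-12T09:14:02 src=10.0.5.12 dst=198.51.100.10 dport=443 proto=tcp dir=out",
    "2006-10-12T09:14:05 src=10.0.5.12 dst=198.51.100.53 dport=53 proto=udp dir=out",
    "2006-10-12T09:15:40 src=10.0.5.12 dst=203.0.113.77 dport=6667 proto=tcp dir=out",
    "2006-10-12T09:15:41 src=203.0.113.9 dst=10.0.5.12 dport=3389 proto=tcp dir=in",
    "2006-10-12T09:16:00 src=10.0.5.30 dst=198.51.100.10 dport=8080 proto=tcp dir=out",
    "this line is not a flow record",
]


if __name__ == "__main__":
    for src, dst, port in find_unexpected_egress(SAMPLE_LOG):
        print(f"unexpected outbound flow: {src} -> {dst}:{port}")
```

The allowlist is deliberately written as destination plus port rather than destination alone, so a host talking to an approved network on an unapproved port is still surfaced; that is the same distinction an outbound rule set has to make.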

  28. The important of Information security to business. by TT074302 · · Score: 1

    The aim of the book is to develop an information security program, or strengthen an existing program, to ensure that all of the critical technology areas are covered. Nowadays, attacks on corporate information systems by hackers, viruses, worms, and the occasional disgruntled employee are increasing dramatically and making companies invest more in information security. Hereby, information security managers should watch for the known vulnerabilities and continuously monitor their network products. Information security managers should know that security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce your risk of exposure regardless of the products or patches.

  29. Security by IT074803 · · Score: 1

    Security isn't just something you "turn on". Security is a mindset, a set of systems and practices that affect all aspects of your work environment. And implementing security practices--especially in an organization devoid of such--is a daunting task. Firewalls, Intrusion Detection Systems, and the like are only as good as the policies that govern them. The first step in implementing security is to define an information security policy.

  30. The art of managing information security by TT074302 · · Score: 1

    The art of managing is through:

    1. Timely obtained
    2. Repeatable
    3. Effective
    4. Evaluate
    5. Systematic

    Information Security is managed through:

    1. Monitoring
    2. Risk assessment
    3. Patching
    4. Tracking (asset)
    5. Coordination

  31. eh? by RMH101 · · Score: 1
    "I'm of the opinion that the user *must* come first - so maybe I'm fundamentally at odds with the basic premise of their work. But from 15+ years of experience with computers and I.T., I've become convinced that usability MUST trump security, or else you've wasted your money. The trick is to make things as secure as possible, without crossing the line and damaging usability/usefulness of the environment."

    You're coming at this wrong. For large companies, yes, the users come first. But there are a great many different groups of users. For example, user group A wants to implement X right now. X has some security holes that may potentially damage user groups A, B, C and D's data. You need to look at the big picture.
    It may well be that some app's been coded using a fundamentally broken (from a security point of view) architecture - it's usable, the users are loving it, but there's a hole in your network you could drive a truck through.
    As for usability trumping security, I just don't understand what you're getting at here.
    Yes, usable systems are, well, usable. Usable, but horribly insecure systems may be usable in the short term but completely hose your business in the long term - it's all about looking at the sum and then the parts.
  32. Then vs Than by Builder · · Score: 1

    then

    than

    At the very least, could book reviewers and submitters please learn the difference between these two words!

    1. Re:Then vs Than by loimprevisto · · Score: 2, Funny

      Proper spelling/grammar on teh Interweb?! That's unpossible, you cant expect everyone to write that goodly!!!1!

      --
      Much Madness is divinest Sense --
      To a discerning Eye --
      Much Sense -- the starkest Madness
  33. Security part 2 by FlipSyde+IT072186 · · Score: 1

    security is in the mindset...a tight security can be created only by thinking like a criminal!! get a hacker to invent a security software! that may help :)

    1. Re:Security part 2 by aminorex · · Score: 1

      Tight security is only feasible by thinking like a criminal. Pleasant drugs are criminal. Therefore, good security engineering is best done stoned?

      --
      -I like my women like I like my tea: green-
  34. You are right! by sivablade · · Score: 1

    Like any good organisation, management plays a vital role in the development and sustainment of the organization in the new modern era. In the software world, good management systems play a more vital role. The book gives a good insight to MIS and for those who are unaware of the inner workings of the MIS, this book is a good start. I agree with the author's comment on systems administrators not doing much to protect the personal computers. Coming from an organization that values MIS, problems like virus attacks, spam, and frequent server problems often plague our systems. Why is this? Is it that the administrators are incapable of achieving the minimum of what is required? I think they need to read this book and get some insight... what do you think? How is the MIS at your workplace??

  35. who cares! we do! by sivablade · · Score: 1

    Who really cares about security? Where do our emails go before coming to our inbox? Who is tracing through them, or scanning their contents? Are you telling me that no one out there is monitoring information? Is it as secure as what they claim?

  36. Security vs. Usability by King_TJ · · Score: 1

    I agree with your first statement. Yes, a risk analysis is integral to setting up a new environment. But that should be a given. Any decent systems administrator is going to read up on the pros and cons of implementing a new package, or making a change to the network infrastructure. If the "word on the street" is, package A is really insecure or doesn't "play well" with package B without turning off some of the security features, then that's a huge red flag to avoid buying package A.

    This also ties into the point I made in my original post. I think someone with a specific skillset focused on computer security would be best utilized at the level of application development. These folks are needed to make sure that before a product hits the store shelf, it was coded properly, with security in mind. (Look at how many Windows apps are functionally broken for users unless you grant them full local "Administrator" rights on the PC first! That wouldn't ever have happened if security experts were working along with the developers.)

    I simply feel that by the time you're talking about the "end users" of a computing environment, the users should come first. The security should have been integrated into the products *before* they even reached the hands of the customers. It shouldn't become a career getting paid to keep up with all the design flaws in commercial products and placing artificial restrictions on their use in an environment. The people doing that could put their talents to much better use if they were working "further up the chain". (EG. Fix a security hole in an app before it goes out the door, and thousands benefit. Secure it for a business after they buy it, and maybe only 10 or 20 people benefit.)

    1. Re:Security vs. Usability by pmc · · Score: 1

      I simply feel that by the time you're talking about the "end users" of a computing environment, the users should come first.

      Nope - the assurance of the system comes first. You've seen what happens when users are put first - see Microsoft security flaws ad nauseam. Then you allow the users as much freedom as you think they should be allowed. I know that sounds arrogant but it's not really - every freedom you give users has to be counterbalanced by some other security measure. Too much freedom and you cannot secure the system to the required level, too little and your users are unproductive.

      It shouldn't become a career getting paid to keep up with all the design flaws in commercial products and placing artificial restrictions on their use in an environment.

      That really isn't what it is all about. Disaster recovery, business continuity, physical security (where should the server room be, how should you get access to it? Where do the users use the system? Who else has access?). Data link - private/VPN. How good encryption (if any) should you use for data at rest and on the wire? Confidentiality/Integrity/Availability (or CIA) - which of these are you trying to assure? Application security - both in development and deployment of COTS are a part of it, but only a small part.

  37. Protecting information by sivablade · · Score: 1

    Today, most business leaders currently pay as little attention to the issue of information security as they once did to technology. But just as technology now stands higher on the chief executive officer's agenda and gets a lot of attention in annual corporate strategic-planning reviews, so too will information security increasingly demand the attention of the top team. In a networked world, when hackers steal proprietary information and damage data, the companies at risk can no longer afford to dismiss such people as merely pesky trespassers who can be kept at bay by technological means alone.

  38. My comments on the book! by sivablade · · Score: 1

    Security isn't just something you "turn on". Security is a mindset, a set of systems and practices that affect all aspects of your work environment. And implementing security practices--especially in an organization devoid of such--is a daunting task. I found this to be an excellent book in that the author obviously understands security. He's dedicated his life to keeping privileged information safe. More importantly, this book is laid out in such a way that it will lead the uninitiated, newly appointed security expert at any organization through the process of implementing a security framework. Firewalls, Intrusion Detection Systems, and the like are only as good as the policies that govern them. The first step in implementing security is to define an information security policy. The author leads the reader through identifying business risks and creating an action plan to mitigate those risks. In addition to the expected "what does a firewall do, and how should you use it" type of information, the author does an excellent job cutting to the chase on a wide variety of security issues. He provides examples of how to find the right people to implement your security framework, what types of systems might be required in your environment, and how to perform periodic penetration testing, to see if your security framework keeps the bad guys out. I really see this book being of great benefit to the newly appointed security expert, who is perhaps a bit overwhelmed with his/her new responsibilities. This book is an easy read, very interesting, and very useful for the individual responsible for all aspects of a company's security infrastructure.

    1. Re:My comments on the book! by TT074317 · · Score: 1

      I also agree with you Siva. This book is very good and gives us an excellent and clear example about the benefits and advantages of security.. keep it up! :)

  39. cheat by pk075843 · · Score: 1

    Really??

  40. Re:The important of Information security to busine by rajpatel32 · · Score: 0

    Excellent comment, thank you!!!!

    At least people are now focusing on the main idea.

  41. Nature, the ultimate teacher? by FlipSyde+IT072186 · · Score: 1

    Security... today's prime worry. A naturalist perspective or view is needed for the information security personnel. Nature, the field we need to look at in order to fill those security gaps. Picture a spider web, isn't that a security web (firewall, scanning) which filters those fat bugs? So come on let's get back to basics!

    1. Re:Nature, the ultimate teacher? by aminorex · · Score: 1

      So you're saying we need a fat chick to squirt goop on stuff out of her nether regions?

      --
      -I like my women like I like my tea: green-
  42. works for me! by sivablade · · Score: 1

    This book fits the bill for me! And it is enjoyable. I have a number of other handbook-style books - one that cost nearly six times more but was really a collection of articles written by a dozen different people (some with obviously conflicting views) bound under the same cover.

    What I liked: This book simply sets out the things I need to know about Organisations, Strategies and Audits, then progresses into firewall design and security testing. And it is so funny - the cover is right, this man does make security light going.

    What could be better: The guy is obviously technical, so at the end some of it is a bit hard going - I just had to skip bits. But each chapter is laid out so that the chapter gets more complex at the end, so this wasn't a problem. I would have liked more on Virus technology and Wireless security - especially as, after some work on Google, I understand that the fat-bloke was a leading researcher in wireless security.

    Overall conclusion: Great.

  43. a book as a guidance by sii074306 · · Score: 1

    He makes some money by sharing his knowledge with us. We just need to thank him for giving some guidance by buying that book.