On Tue, 06 Jul 2004 10:10:30 CDT, Willem Koenings <isec@xxxxxxxxxx> said:

> > (Jason Coombs said:)
> > Anyone with a truly complex security problem knows that it is hopeless
> > to ever really control many computers in the presence of many people.
> > You have no choice in a complex situation but to let things happen that
> > you think are beneficial to you (the vendor installing patches, in this
> > discussion) and find a way, after the fact, or periodically, to confirm
> > that the end result was in fact beneficial to you.
>
> Jason, I have to disagree with you. Security is not a technology,
> security is a way of thinking (regards go here to Schneier). And
> when you start thinking in the right way, then there is no difference
> whatsoever whether the subject is a home computer or a large production
> installation.
>
> And I have seen, in reality, uncounted times, in respected companies,
> that after the vendor specialist comes and installs updates/patches, the system is
> screwed. Yes, you have contracts, but the company's image and face in
> front of customers is everything. So at least here, in a security list,
> it is wrong to propagate the way of just sitting and waiting and letting the
> vendor come and fix all.

The point that Jason is making, and that you're apparently missing, is that if you're a security geek in the trenches, you may *not* *have* a choice. He's not "propagating" - he's pointing out how things end up really working in large organizations. And failure to understand the *NON*-technical aspects of deploying anything is a guarantee of failure.

It's the rare geek in the trenches at a large site that can play "wag the dog" and make security-related policy decisions. You need buy-in all the way up the org chart to the CIO, *and* the CIO needs to have the political clout to back you up if a change (even if it *IS* the Good and Right Thing To Do) pisses off the wrong Neanderthal manager over in Finance.
For instance, I'm convinced a mass move to Mozilla would help our site's overall security. My manager would go along with me. But if I were to deploy Mozilla across the board, my posterior would end up with many sets of teeth marks on it, for things like:

1) Who ends up dealing with retraining costs? (And remember - just because YOU don't need retraining doesn't mean that the fiscal technician (i.e. file clerk) over in Human Resources who gets upset when everything isn't EXACTLY THE SAME doesn't need retraining. Somebody will have to go over and explain "Yes, the URL box isn't EXACTLY the same, but that's still where you're going to be entering your URLs"... It may come as a surprise that some users can't even cope with the difference between Microsoft Office and OpenOffice... ;)

2) Who gets to go through the Help Desk's online Knowledge Base and see which articles are obsolete, which need to be rewritten for Mozilla, and which apply either way?

3) Whose budget is going to pay for technician time for cleaning up when some very important user's bookmarks don't transfer 100% cleanly? And who gets to pay when it's somebody *not* important (even more of a concern for your survival in a large organization - if you shaft the departmental tech over in Billing, they will remember the 35 desktops they had to fix for you the next time you need a favor...)

4) Who gets to cover the budget for fixing all of the internal websites that have IE-specific cruft on them (or build and distribute a locally pre-packaged Mozilla that has PrefBar or another widget that allows spoofing the User-Agent: header - but see points 1 and 2 about training and documentation and support)? (Remember in your answer to allow for departmental and group servers that aren't under central IT control...)

4a) Anybody in a large organization who thinks that IT controls every single device on the network is severely deluded.
No matter *how* fascist the site is about locking down MAC addresses on switches, and forcing all changes via group policy, and preventing users from having administrator rights on their own machines, there *will* be rogue machines on the wire (What? 30,000 users and you actually think you have *NO* users clued enough and independent enough to figure out how to do an 'ifconfig eth0 hw ether 00:00:de:ad:be:ef' or whatever the equivalent is for whatever they've installed? ;)

To be fair, this sort of thing becomes an issue for *any* major change. For instance, the uptake of XP in corporate environments is a lot lower than Microsoft would like, mostly because all the cost-of-deployment issues often outweigh the ROI benefits of moving from W2K to XP. It's REALLY hard to get buy-in for an upgrade that will save $2M if the known costs are over $1M and you know the budget will end up growing... And it's an even harder sell for a security move, where you can't easily quantify ROI.

I'm not "propagating" here either. It's a situation I wish were different. But I have to account for the political realities, and work towards the goals I would like to see deployed organization-wide, and recognize that I'm not going to get everything I want, nor am I going to get it anytime soon. I haven't gotten Mozilla on every desktop - but some people are starting to install it on their own, and the Help Desk and most of the web designers can at least spell Mozilla. Progress is made on alternate Thursdays...