Wednesday, October 31, 2007

Process begets process...

"Time was when we could just re-cable the server ourself, and not have to pay some idiot $100 to move the thing", was heard across the room today in a large clients office, and oh did it ring true... however as organisations mature -> processes place a framework around work carried out and services are measured via uptime and other SLA's....no more adhocracy, only at the wiki level!

Measure.. hmmmmm.. that's a funny word in IT isn't it... 'MEASURE','MEASURE'...M-E-A-S-U-R-E

# measurement: the act or process of assigning numbers to phenomena according to a rule; "the measurements were carefully done"; "his mental ...
# standard: a basis for comparison; a reference point against which other things can be evaluated; "the schools comply with federal standards"; "they set the measure for all subsequent work"
# how much there is of something that you can quantify
# any maneuver made as part of progress toward a goal; "the situation called for strong measures"; "the police took steps to reduce crime"
# bill: a statute in draft before it becomes law; "they held a public hearing on the bill"
# determine the measurements of something or somebody, take measurements of; "Measure the length of the wall"
# meter: (prosody) the accent in a metrical foot of verse
# quantify: express as a number or measure or quantity; "Can you quantify your results?"
# have certain dimensions; "This table surfaces measures 20inches by 36 inches"
# musical notation for a repeating pattern of musical beats; "the orchestra omitted the last twelve bars of the song"
# measuring stick: measuring instrument having a sequence of marks at regular intervals; used as a reference in making measurements
# place a value on; judge the worth of something; "I will have the family jewels appraised by a professional"


So I text myself sometimes when particular thoughts cross my mind;

"First you need visibility/surveillance, and then accountability of packets, flows and data objects, then comes valuation of said data objects, services and supporting infrastructure... now we can have meaningful conversations about risk and IT security"

Hmmmmm... sampling, measuring, identifying.... what's your IT footprint? What's the last IT related report you looked at, what did it measure and what did it really say about your organisational IT footprint?

Monday, October 15, 2007

Some fun...










Was surfing here, http://xkcd.com/ and added it to my RSS feeds http://syndicated.livejournal.com/xkcd_rss/profile ;) Actually came from the FUNSEC mailing list but my mate Wade had sent me one of the comics before.

Monday, October 08, 2007

'Meta' or 'Metta' security....

Basically I'll let Mr. Bejtlich summarise from his 'Three Wise Men' of security, practically all there needs to be currently known about the state of play in and around the IT Security Industry and IT Security Risk areas. On the shoulders of giants and all that!

http://taosecurity.blogspot.com/search?q=three+wise+men

Dan and Marcus are definetly on my list, though I haven't really read this Ross Anderson guy, however Richard himself is on my list, along with Rob Thomas from Team Cymru.

On another note, to save you signing (or reading about signing up) for tonnes of bullshit, please find below a great 'Point:CounterPoint' from Bruce Schneier and Marcus Ranum. DRM/Copyright.. nah...

Erm, hopefully without getting in trouble and making others spend 5 minutes signing up to read the below, here it is in all it's glory.

Bruce Schneier

Point: To the average home user, security is an intractable problem. Microsoft has made great strides improving the security of its operating system out of the box, but there is still a dizzying array of rules, options and choices users have to make. How should they configure their antivirus program? What sort of backup regime should they employ? What are the best settings for their wireless network? And so on.

How is it possible that we in the computer industry have foisted on people a product that is so difficult to use securely, it requires so many add-ons? It's even worse than that. We have sold the average computer user a bill of goods. In our race for an ever-increasing market, we have convinced every person that he needs a computer. We have provided application after application--IM, peer-to-peer file sharing, eBay, Facebook--to make computers useful and enjoyable to the home user. At the same time, we've made them so difficult to maintain that only a trained sysadmin can.

And we wonder why home users have such problems with their buggy systems, why they can't seem to do the simplest administrative tasks, and why their computers aren't secure. They're not secure because home users don't know how to secure them.

At work, I have an IT department I can call if I have a problem. They filter my Net connection so I don't see spam, and most attacks are blocked before they get to my computer. They tell me which updates to install. And they're available to help me recover if something happens to my system. Home users have none of this support.

This problem isn't going to go away as computers get smarter and users get savvier. Next-generation computers will be vulnerable to different attacks, and next-generation attack tools will fool users in different ways.

This isn't simply an academic problem; it's a public health problem. In the hyperconnected world of the Internet, everyone's security depends in part on everyone else's. As long as there are insecure computers out there, hackers will use them to eavesdrop on network traffic, send spam and attack other computers. We are more secure if those home computers attached to the Internet via DSL or cable modems are protected against attack. The only question is, what's the best way to get there?

I wonder about those who say "educate the users." Have they tried? It's unrealistic to expect home users to be responsible for their security. They don't have the expertise, and aren't going to learn. And it's not just user actions we need to watch; computers are insecure out of the box.

The only way to solve this problem is to force the ISPs to become IT departments. There's no reason they can't provide home users with the same level of support my IT department provides me, or a "clean pipe" service to the home. Yes, it will cost more, and require changes in the law to make this mandatory. But what's the alternative?

In 1991, Walter S. Mossberg debuted his Personal Technology column in The Wall Street Journal with the words, "Personal computers are just too hard to use, and it isn't your fault." Sixteen years later, it's doubly true when it comes to computer security.

If we want home users to be secure, we need to design computers and networks that are secure out of the box, without any work by the end users. There isn't any other way.



Marcus Ranum


CounterPoint: I'm sure that many of the things Bruce points out about computers at some point or another applied to automobiles or any other technologically interesting and complex device. There was a time, in the early days of the automobile, when any idiot could go 75 miles per hour with no requirement for training, safety equipment or sobriety. As Bruce says, eventually that kind of thing becomes a public health issue and then society begins to enforce constraints. Question is, do society's constraints make a difference, or does time cure these ills?

When I was growing up, there was just one kid in my entire high school who had a computer. Today, it seems every kid 8 and older is a Windows sysadmin. And some of them are better at it than you might expect. That's because they grew up doing it, and the human brain appears to be able to integrate amazingly complex tasks as "normal" as long as we're introduced to them early enough. Bruce, I think the problem is not with all the home users--I think it's with the adult home users.

I see the generational distinction most clearly with my parents. My father still writes using an old Underwood typewriter. My mom has adopted a computer, but she's exactly the kind of user you're worried about--she clicks "OK" on anything, and seems to be trying to collect spyware. Thinking about it, most of the generation before mine is pretty uncomfortable with computers, and I was one of the early experimental kids who grew up networking on the ARPANET and BITNET. Does that have something to do with the fact that I have always had a good grasp of the concepts of transitive trust and distributed systems? I think it does; I think the analytic parts of our brains, if given a task early on, are able to make sense out of all kinds of insanely complicated things.

"Educate the user" is an old mantra in security, and its uselessness is one place where Bruce and I agree. I think, though, that building simpler systems is not the answer. The answer is to let the current user population die off! It's going to happen, anyhow.

Forcing ISPs to support home users, or re-engineering computers to be simple enough for us old coots to understand, completely misses the point. At the point where enough customers want simple-to-use Internet terminals, a market will develop. Arguably, it already has--witness the evolution of handheld PDAs and centralized "no spam" managed free email services. The complexity of the Internet and software administration is getting absorbed into the IT infrastructure of Google, Yahoo and MySpace.

I'm not demanding that Detroit make cars that are simple enough for me to repair; I choose to buy vehicles that are usually reliable, and I outsource the repair work to the mechanic up the street. Perhaps what we're doing is shifting complexity around in our lives: I never learned how to fix a transmission, but I can still scratch-bake a firewall with a custom filtering reverse Web proxy in a weekend. I've seen home users who can't manage a Windows XP upgrade, but who can successfully instrument-land a jet fighter.

Bruce, when you and I are old coots sitting on the porch, you'll be amazed to see the current generation of kids nimbly navigating their way through software and system configurations that completely blow our minds. Relax; it's just what progress looks like from our side of the hill. Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is today.

Saturday, October 06, 2007