Interview with Marcus Ranum
2005-06-22

With regard to your observations on "default deny" access policies, most corporations have many times the number of hosts you described in your example - and clearly you're aware of this. Managing ACLs is cumbersome for even a small network.
In America, where I have experience, there are insufficient employees within any organization with the skill and authority to manage a "deny all" network culture. Companies are continuing to thin their IT populations without reducing the services IT offers to the business community. IT is an expense, no matter how you try to spin it as a "business enabler." Copy machines are a "business enabler" but that doesn't stop the business from buying machines from the lowest and least capable bidders.
Additionally, taking away insecure services from company decision-makers rarely happens. When large numbers of middle and upper management use America Online's client, wrapping the Cisco Security Agent around the client behavior is time consuming and disappointing. Now do it again every time an upgrade is applied!
We have network activity that is too diverse and too few soldiers to protect it, yet our kings and queens demand open borders with Fort Knox security. In these circumstances, of course we turn to vendors who promise solutions to our problems, and of course we understand that they are all parts of a fruit cake of security. We just want more fruit than cake in this mix and hope the malware and active attackers don't find their way between the bits of teeth-breaking fruit to come out in the clear center where we've stashed those credit card numbers in cleartext (because ciphering all those databases and enabling applications takes too much time and resources and money to re-engineer and while sales are in the gutter and taxes on the rise and staff getting the axe no one is able to go back and do any more than apply bandages and duct tape and spackle to the Rube Goldberg contraption that makes money for the shareholders.)
So yeah, we buy a lot of junkware, and we have a "default accept" infrastructure, and to attempt to maintain a superposed secure-yet-open corporate network we stack all this together in some semblance of "layered" security, but no one really ever knows if the holes of one layer are completely covered by the solid bits of the cheese of the layers above and below it.
And then who has time to roll out two-factor authentication, while simultaneously being asked to audit everything in the company? Oh, and won't somebody think of the children (or the oppressed and discriminated and sexually squeamish?) We're also stuck managing the censorship server, approving exceptions to the overzealous "blocked" website list - or scoping out that pervert performing on company-time.
Bless the hackers for breaking it down before people are killed by subjugated computers. Whether the northeastern US blackout of 2003 was the result of malware or not is irrelevant. In the future, insecure systems that go *untested* and *unremediated* because hackers decide to call it quits and stop "annoying an entire planet" will serve only to expose us to deadly actions by anyone. Better we get this out in the open today, on systems where the only consequence is to annoy or perhaps lose folks' money.
As the computer-savvy generations rise to take control from the ignorant generations, the role of secure and well-designed computer architecture will mature. Until then, we'll be eating fruit cake for time to come.
wwward(a)pobox.com
Link to this comment: http://www.securityfocus.com/comments/columns/334/32029#32029