NetSec Letter #15, 23 December 2001
2001 Letter to Santa from a Security Administrator
Avolio Consulting, Inc.
I found this letter, marked simply "Santa, North Pole."
When I read it, it brought tears to my eyes.
I'll not trouble you with the "been a good boy" stuff.
You know and I know the truth. Nevertheless, in the event that
you're into grace above justice this year - as you most
certainly have been in the past - here's what I want this year.
- Management who understands that security is an enabler,
an investment, a cost of doing business. They understand
this about computer equipment and Internet access. They
understand it when the marketing folks want to rent
an Elvis impersonator for a conference in Vegas.
Why is it so difficult to justify network security?
They pay for locks on the doors, don't they?
- Management who doesn't just pay lip service to security. Sure,
they say they are serious about security. But, I couldn't even
get training for the firewall they gave me to run. I posted the
following note to the "firewalls mailing list."
Is there anybody out there that can help me get some
configurations right on our new Gauntlet firewall?
I have never configured a firewall before and have not
had training and this is very important to our company so
I am feeling the pressure here. Any help would be appreciated!
To which someone replied, in part,
Can anyone out there help me learn to drive an 18 wheeler?
I was hired to do this and I have a truck supplied by my
company. I have a driver's license for an automobile, but
I've never driven a big rig before, nor have I had any
training in one. It is very important to my company that
I get this right and I have to start a cross-country run
on Wednesday. Any help you other drivers can offer in your
spare time as you pass through will be greatly appreciated.
Yeah, I got the point. But my management still doesn't.
- Management serious enough about security to back me up
even when the person wanting to go around me is an
executive vice president. Most of the users are easy.
Yes, I'm lying, Santa, but at least I can bluff or
bully most --- okay, some --- of them. Not the Big
Bosses, though. And they are the ones who can't figure
out how to use encrypted e-mail, or who forget their
passwords, and decide they are too important to follow
the security rules. They are the ones who lose their
notebook PCs in conference rooms, too. And they don't
use disk encryption anymore. They can't get it to work.
- Time to do vulnerability assessments. Santa,
whenever they ask for something new, it is a service
they "cannot do without" and it is needed immediately.
I would just like a reasonable "heads up" for some basic
security analysis. No, I don't know of any big security
problems with allowing streaming video into our network.
But, I have never seen a business requirement for this
service from anyone in our company. It's just one more
hole in our defenses.
- Users who give me requirements instead of solutions.
I know they are trying to be helpful, Santa (okay, who
am I kidding), but it just slows things down when
somebody tells me, "I need the firewall to pass
NetMeeting." If they tell me what they need (inexpensive
teleconferencing, for example), I possibly can meet the
requirement, and do so securely. (And when they tell me
"I need to access my hotmail account while at work,"
I know they are running a business on the side.)
- Users who know "wants" from "requirements." I guess
I am asking a lot here, but it wasn't too long ago that
it was only children who couldn't tell "wants" from "needs."
Now, it is a societal condition. And it is epidemic. Don't
they know that if I waste time trying to meet all of their
wants, some of their legitimate business needs
may go unmet? Or in meeting some *want*, I may leave
the network unnecessarily vulnerable? It's not that
I enjoy telling them, "no," and being hard-nosed. (Ha...
sorry... couldn't keep a straight face, Santa.)
- It'd be terrific, Santa, if I could get all of my
network servers upgraded to XP. I hear it is practically error
free. You know? And super secure. Boy, all my problems would be
over if I could just get them all upgraded ASAP. Sure would be
able to sleep easier, day or night.
- Finally, I'd like money to buy intrusion detection systems
all over my network. I'm not sure what I will do with all of
the data I log, and I don't even know how I will use the
systems themselves, but I think they are really cool. Kind of
like those sensor things on the Star Ship Enterprise. Oh, right
though... that wasn't real.
So, Santa, that's it. I hope it is not too much to ask. If so,
I'll settle for what I asked for last year that you didn't get me:
a high speed Internet connection from home.
Promotions, Self and Otherwise
My October column (
discussed network security lessons
learned in light of September 11.
The November 3 issue of World Magazine (at
had an interesting (non-technically oriented) editorial
echoing some of my observations and concerns about what
the "bureaucratic response to all this" has been since then.
Read the whole editorial, which says in part,
"A few more than 40,000 people die every single year
on our nation's highways. If our government responded
with the same bureaucratic overkill to that terrible
fact as it has to the threat of hijacked airplanes,
you couldn't drive from Philadelphia to Washington
without encountering identification checkpoints,
breathalyzer tests, and a 20 mph speed limit."
My November column
(http://www.avolio.com/columns/14.html) drew these comments
from networking expert, consultant, and writer Lisa Phifer
(Vice President of Core Competence,
"The new frontier for VPNs is the wireless LAN. Sniffing
WLAN traffic is incredibly easy -- particularly since
war drivers are finding that somewhere around
70% of WLAN access points don't even have WEP
turned on, and a motivated hacker can crack WEP with
shareware and a $100 NIC, so that other 30% is
protected only from casual eavesdropping.
"As wireless public Internet access spreads (airports like DFW and
DEN are now covered throughout) here's another great opportunity
for bad guys to spy on other travelers. Juicy corporate secrets, sure.
But that's boring. They are after meatier stuff, like IPs,
cleartext logins/passwords -- stuff to use later to
hack the corporate net."
When I see a column from Lisa on this, I'll point it out.