NetSec Letter #16, 1 February 2002
Nothing has Changed

Fred Avolio, Avolio Consulting, Inc., http://www.avolio.com/

On 23 Oct 2001, I wrote a column in response to the September 11 terrorist assaults (http://www.avolio.com/columns/13.html ). This will be the last time I mention it directly in a column (probably - "never say never"). Over 4 months after the initial attacks, we still finding writers use these words: "On September 11, everything changed forever." My premise is, on September 11, (almost) nothing has changed. I will apply this, as I did in my previous piece, to network security.

September 11

Do we now change date references, as we do in relation to the time of Christ (B.C. -- Before Christ, and A.D. -- anno Domini)? No, of course not. And no one that I have heard of has suggested that. As much as we might think, "everything changed forever," what do we really mean? Is the world a less secure place now than before 9/11? No. Did the attacks somehow make some of us, or all of us, more vulnerable to attack? No. Did the terrorists discover a new, never-before-imagined attack mechanism? No, not really. Most of us -- for a time -- woke up to the true state of our vulnerability. We also glimpsed a new level in the depth of human depravity. Our level of comfort was shaken. Our false sense of security was shaken.

There is a security axiom (see http://www.avolio.com/papers/axioms.html ) that states, "A false sense of security is worse than a true sense of insecurity." (If you've never heard it before, I claim to have made it up.) Though we might not like it (and we usually do not), it is far better to know your enemy, to know your vulnerabilities, and to know what you can and cannot do about them. It is better than blindly going through life thinking everything is well and will always be well. When we believe the lie, we are in a way in bondage to the lie, to the false sense of security. This relationship between truth and slavery brings to mind the biblical verse carved into the wall of the CIA's original headquarters building: "And ye shall know the truth and the truth shall make you free." Though taken completely out of context, from John 8:32, it is nevertheless relevant.

"Just because you feel safe, doesn't mean that you're secure"

A few years back, when I worked for TIS, I was in a meeting with people discussing marketing messages against a less secure, but more popular, competitor (business axiom: "Everyone thinks they can do marketing"). Harvey Weiss, president of the division, came up with this quote. Though we never used the tag line, the truism stuck with me (and led to the above-mentioned axiom).

With our heads, we would never say we prefer a false sense of security. We would never say we prefer the bliss of ignorance. With our hearts, or emotions, we often make it clear that this is exactly what we prefer. For network security practitioners, this is inexcusable. But managers or officers of a company are equally at fault. Some of you project the message "what I don't know won't hurt me." Or, perhaps more accurately, "you asked for a [firewall or IDS or VPN or whatever the last purchased security device was], and I bought it -- why are you coming back for more? Doesn't it work? Did I waste my money?" So, you communicate a "don't ask, don't tell" philosophy. And you remain in bondage to the lie of false security.

Some next steps

The first thing to do is to ask yourself whether you project this attitude. If you find that you do, repent of it. This implies a change of attitude and direction, as well as communicating to others your error. Next, learn what you can about your true state of insecurity. If you are a manager, rely on and trust your security engineers. For practitioners ... well you probably are doing these things already. First, keep current on vulnerabilities (I have some suggestions in an old column I wrote for searchSecurity.com, called "Keeping current on security issues (while still having a life)," at http://www.avolio.com/columns/stayingAlive.html . Next, run vulnerability tests against your servers and gateways. And finally, assess the results of vulnerability testing against your security policies and procedures (and make changes accordingly).

Am I saying that the security postures of all of our networks are as bad as they can be? Not at all. But most of us have a sense that we are more secure than we really are. I suppose some might be in better shape than they suppose they are. What is needed is a true sense of security and insecurity. Nothing has changed since September 11, except for our complacency and false security. With respect to the security of our networks and computers, we need not wait until a horrible security event occurs to learn the truth.

Promotions, Self and Otherwise

When I teach, I sometimes mention "The Morris Worm." I've stopped being disappointed at how many people have forgotten it (or never learned about it). Recently, Ron DuFresne wrote a terrific editorial explaining why we should care and posted it to the Firewall-Wizard's mailing list. You can find "The Morris worm to Nimda: how little we've learned or gained," at http://sysinfo.com/iworms.html .

I just recently found a commentary written by friend and security consultant Jody Patilla, in the August 6, 2001 edition of E-Week. It meshes nicely with my thoughts in this column. Find "Security Must Be Baked In, Not Painted On," at http://www.eweek.com/article/0,3658,s%253D1867%2526a%253D11401,00.asp

The long awaited second edition to Sendmail: Theory and Practice I co-wrote with Paul Vixie is finally out. (Long awaited by our publisher, anyway.) See http://smtap.al.org/ . They make great gifts. You will there find directions for ordering. Use the code SEND02 to get a 20% discount. (Wait... that negatively impacts my royalty. Forget I mentioned it.)

What every firewall administrator should do on the 8th day. Though the title -- "Your New Firebox: Day 8" -- is WatchGuard-centric, this should be useful to any firewall administrator. http://www.avolio.com/columns/Day8.html .

I continue to teach under the sponsorship of CSI. I'll be teaching "Internet Security Tools and Techniques" in Phoenix in February. I'll teach "Firewalls and VPNs" in February. A complete list of my teaching schedule (which I add to weekly) is at http://www.avolio.com/calendar.html . A list of my courses is at http://www.avolio.com/CourseDescr.html . I'm available to teach privately for your organization.