fred avolio's musings

I was re-reading one of Marcus Ranum’s posts to the firewall wizards mailing list. (Tue, 20 Jul 2004 23:49:40 -0400). It was terrific. Jump to it and read it.

Plain and simple stuff that — if people do them — will reduce risk.

I had a similar list in an Advanced Firewalls class I taught for N+I and a “Tools and Techniques” class for CSI. I got bad reviews in the Advanced Firewalls class. Maybe I am a crummy teacher, but of course I don’t believe that. I think the students really want some really neat-o, cool devices to run, hand-held thingies to try, and something that was wireless as well. But few of those things help as much as sticking to the basics. And they don’t like to hear it.

I just saw an article via Security Wire perspective. If this ugly URL isn’t broken, you’ll again find a whole bunch of brilliant stuff that a very few of us keep pounding on. See this ugly URL. So, I wondered how do we ever get people to listen when they really, really do want magic or priest-craft?

Marcus pointed out that “‘my words, like silent raindrops fell…’ – nobody wants to hear it.”

A few days later, I was looking for somethings to help an IT manager to start looking at security policies. I found a number of old articles on my site, for example:

• Security on the Internet.
• Best Practices in Network Security.

What is the matter with the industry? Those old papers are still accurate. They are still useful. They are 5 years old. Should I be concerned that we’re not growing up and moving on? The old, simple, basic things still work and are still needed and are still ignored.