NetSec Letter #15, 23 December 2001
2001 Letter to Santa from a Security Administrator

Fred Avolio
Avolio Consulting, Inc.
http://www.avolio.com/

I found this letter, marked simply “Santa, North Pole.” When I read it, it brought tears to my eyes.

Dear Santa,

I’ll not trouble you with the “been a good boy” stuff. You know and I know the truth. Nevertheless, in the event that you’re into grace above justice this year – as you most certainly have been in the past – here’s what I want this year.

  1. Management who understands that security is an enabler, an investment, a cost of doing business. They understand this about computer equipment and Internet access. They understand it when the marketing folks want to rent an Elvis impersonator for a conference in Vegas. Why is it so difficult to justify network security? They pay for locks on the doors, don’t they?
  2. Management who doesn’t just pay lip service to security. Sure, they say they are serious about security. But, I couldn’t even get training for the firewall they gave me to run. I posted the following note to the “firewalls mailing list.”
    Is there anybody out there that can help me get some configurations right on our new Gauntlet firewall? I have never configured a firewall before and have not had training and this is very important to our company so I am feeling the pressure here. Any help would be appreciated!

    To which someone replied, in part,

    Can anyone out there help me learn to drive an 18 wheeler? I was hired to do this and I have a truck supplied by my company. I have a driver’s license for an automobile, but I’ve never driven a big rig before, nor have I had any training in one. It is very important to my company that I get this right and I have to start a cross-country run on Wednesday. Any help you other drivers can offer in your spare time as you pass through will be greatly appreciated.

    Yeah, I got the point. But my management still doesn’t.

  3. Management serious enough about security to back me up even when the person wanting to go around me is an executive vice president. Most of the users are easy. Yes, I’m lying, Santa, but at least I can bluff or bully most — okay, some — of them. Not the Big Bosses, though. And they are the ones who can’t figure out how to use encrypted e-mail, or who forget their passwords, and decide they are too important to follow the security rules. They are the ones who lose their notebook PCs in conference rooms, too. And they don’t use disk encryption anymore. They can’t get it to work.
  4. Time to do vulnerability assessments. Santa, whenever they ask for something new, it is a service they “cannot do without” and it is needed immediately. I would just like a reasonable “heads up” for some basic security analysis. No, I don’t know of any big security problems with allowing streaming video into our network. But, I have never seen a business requirement for this service from anyone in our company. It’s just one more hole in our defenses.
  5. Users who give me requirements instead of solutions. I know they are trying to be helpful, Santa (okay, who am I kidding), but it just slows things down when somebody tells me, “I need the firewall to pass NetMeeting.” If they tell me what they need (inexpensive teleconferencing, for example), I possibly can meet the requirement, and do so securely. (And when they tell me “I need to access my hotmail account while at work,” I know they are running a business on the side.)
  6. Users who know “wants” from “requirements.” I guess I am asking a lot here, but it wasn’t too long ago that it was only children who couldn’t tell “wants” from “needs.” Now, it is a societal condition. And it is epidemic. Don’t they know that if I waste time trying to meet all of their wants, some of their legitimate business needs may go unmet? Or in meeting some *want*, I may leave the network unnecessarily vulnerable? It’s not that I enjoy telling them, “no,” and being hard-nosed. (Ha… sorry… couldn’t keep a straight face, Santa.)
  7. It’d be terrific, Santa, if I could get all of my network servers upgraded to XP. I hear it is practically error free. You know? And super secure. Boy, all my problems would be over if I could just get them all upgraded ASAP. Sure would be able to sleep easier, day or night.
  8. Finally, I’d like money to buy intrusion detection systems all over my network. I’m not sure what I will do with all of the data I log, and I don’t even know how I will use the systems themselves, but I think they are really cool. Kind of like those sensor things on the Star Ship Enterprise. Oh, right though… that wasn’t real.

So, Santa, that’s it. I hope it is not too much to ask. If so, I’ll settle for what I asked for last year that you didn’t get me: a high speed Internet connection from home.

Promotions, Self and Otherwise

My October column (http://www.avolio.com/columns/13.html) discussed network security lessons learned in light of September 11. The November 3 issue of World Magazine (at http://www.worldmag.com/world/issue/11-03-01/opening_1.asp) had an interesting (non-technically oriented) editorial echoing some of my observations and concerns about what the “bureaucratic response to all this” has been since then. Read the whole editorial, which says in part, “A few more than 40,000 people die every single year on our nation’s highways. If our government responded with the same bureaucratic overkill to that terrible fact as it has to the threat of hijacked airplanes, you couldn’t drive from Philadelphia to Washington without encountering identification checkpoints, breathalyzer tests, and a 20 mph speed limit.”

My November column (http://www.avolio.com/columns/14.html) drew these comments from networking expert, consultant, and writer Lisa Phifer (Vice President of Core Competence, http://www.corecom.com/).

“The new frontier for VPNs is the wireless LAN. Sniffing WLAN traffic is incredibly easy — particularly since war drivers are finding that somewhere around 70% of WLAN access points don’t even have WEP turned on, and a motivated hacker can crack WEP with shareware and a $100 NIC, so that other 30% is protected only from casual eavesdropping.

“As wireless public Internet access spreads (airports like DFW and DEN are now covered throughout) here’s another great opportunity for bad guys to spy on other travelers. Juicy corporate secrets, sure. But that’s boring. They are after meatier stuff, like IPs, cleartext logins/passwords — stuff to use later to hack the corporate net.”

When I see a column from Lisa on this, I’ll point it out.