Comments on Andy, ITGuy: Why IT doesn't really get security
Blog: Andy, ITGuy (feed last updated 2023-06-17T07:57:18-04:00; 8 comments)

Anonymous, 2007-06-20T11:09:00-04:00

I'm going to blatantly self-promote my blog because I have a post explaining my feelings on this exact issue here: http://securethink.blogspot.com/2007/03/fools-to-left-of-me.html

Essentially I agree that IT guys are always in crisis mode - if they aren't, then you are overstaffed. Their eyes should always be on "availability" too. It is the Security Department's job to focus on security.

H. Carvey, 2007-06-16T07:35:00-04:00

Interesting post...the thing is, though, it misses a significant point...why do IT guys think this way? They do, because that's what they're paid to do. Think about it...who manages their time, gives them direction, and has a significant effect on scheduling their day?

Senior management.

If senior management made a requirement for security...say, if an intrusion occurred and senior management started asking some really tough questions about why it occurred and what happened during the response, things might be different.

Security guys are seen by the IT guys (in many cases) as having just a hammer and seeing everything as nails. This is a reaction to working in an environment where security is an afterthought, at best.

Anonymous, 2007-06-13T15:14:00-04:00

Thank you for the reply. eEye does make some nice software.

Unknown, 2007-06-13T11:02:00-04:00

Excellent post, and you hit a few nails in it. I'd post more, but I think stuff like this is best discussed further over a beer or two. :)

Andy, ITGuy, 2007-06-13T07:32:00-04:00

Cypherbit, I currently am running Blink from eEye.

Anonymous, 2007-06-13T01:47:00-04:00

I'm curious to know which HIPS you have on your system(s)?

Andrew Hay, 2007-06-12T20:15:00-04:00

Sounds to me like they need a lesson. When they hand you their thumb drive next time, kindly thank them, put it in your pocket, and take it home :)

Anonymous, 2007-06-12T16:34:00-04:00

I don't know. I used to be of the opinion that security in all aspects – for instance, the USB drive example – was of the utmost importance. Further, that instilling this attitude across an organization was important. As I’ve had the chance to be involved with lots of different IT organizations – from small shops to enterprise shops – the thing I’ve come to accept is that we’ll never convince a material number of stakeholders to “think like us”. We can do training events, “interview” stakeholders, and put up security-conscious posters in the hallways. But we’re not going to have a material impact. I think that’s just being realistic. In fact, if we did have a material impact, it would probably be net-negative for our profession and our economy – not to mention our businesses.

Take a step back further with me… do you really think that “thinking like us” is a good thing? Does it make your life better – not knowing if you can trust anyone? Does it – in the macro sense – when applied across an entire organization – contribute in a net-positive way? If every group had “defense-in-depth” (DiD) in mind when they did things like… share USB drives, contribute in a staff meeting, help someone with their PC, or write scripts to automate stuff… (there’s a DiD component to each of those interactions) it would make life impossible. Productivity would decrease dramatically, and even Europe would start outpacing the U.S. in productivity gains.

I think security has a place – indeed an important place – as a component of your business strategy. I think a best-effort approach is important. Monitoring and metrics – all good. And I’ll always be happy to contribute where I think it’s relevant or net-positive for me to interject some DiD-fu. Security at the perimeter – important. Relative security in terms of network infrastructure – using VLANs, ACLs, putting stuff that makes sense into DMZs, adding WAPs to guest segments, doing IDS/IPS where appropriate, AV, anti-spam, patching, maybe even antimalware and HIDS – all good things! Teaching users to try not to share USB drives… ok, but that’s pretty much where I stop. I’ll recommend that users not share USB drives. I’ll explain the risks; I’ll even come up with some numbers to support the direction. But I won’t evangelize or preach DiD to our employees and stakeholders without management consensus – because that’s a war that can’t be won. I won’t go around and lecture about how they shouldn’t do “X” or “Y” because I’ll develop a perception issue. I think that the “security” vision is set from the top down, and executed from the bottom up. If there’s no top-down direction, we execute a “best-effort” approach.

If I can’t make it seamless, or reasonably seamless, then I don’t do it. The questions that I always ask myself are these… “Will doing X increase revenue?” “Will doing X result in an in-any-way-arguable net-positive result for the business?” “Is this a mostly real risk, or a mostly imaginary risk? – or, is it likely that this vulnerability will be exploited?” “If it were exploited, what would be the cost to recover?” If exploited, will there be a hard-dollar value associated with the loss? Or is it all soft numbers and productivity-based calculations? If the latter, then it’s a no-go for my organization.