From: "Marcus J. Ranum"
Subject: Re: Infosec Accountability - 2 cents more
To: Firewalls@GreatCircle.COM
Cc: spaf@cs.purdue.edu, vin@shore.net
Date: Thu, 05 Mar 1998 01:06:52 -0500
Message-Id: <3.0.3.32.19980305010652.00692490@mail.clark.net>
In-Reply-To: <199803040938.BAA21250@honor.greatcircle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Lines: 151

Vin McLellan writes:
[...sensible stuff...]
> Gene Spafford wrote:
> [...more sensible stuff...]

I *KNOW* you guys have been around long enough that it won't embarrass you to say the truth we all know and have been dodging for years: THIS ISN'T A TECHNICAL PROBLEM, IT'S A MANAGEMENT PROBLEM.

Technical solutions, be they concrete (firewalls, IDS', whatever) or procedural (policies, best practices, audits, etc.) are not worth their weight in politicians' promises unless they are implemented and supported by good management that is funded and motivated to see the job done right. We've all seen hard-working and clueful folks in the trenches trying to Do The Right Thing and failing because they were unsupported by management. Either because management is clueless or careless or ineffective. Ignorance, apathy, and lack of resolve are equally deadly. And all too common.

The whole Pentagon thing is a joke. Most security folks who have been around the block a few times have had run-ins with DOD security. I'd be shocked if any of you were shocked by this shocking revelation. My capacity for shock ended the time when a Major at the Pentagon told one of our sales guys that the only way he'd believe he needed a firewall was if I hacked into his network before his eyes. I don't think our sales guy relayed my response.* (Also, my Kung Foo is no good; I don't hack.)

Security guys bang the drum of accountability - constantly.
At a meta-level, what I think is necessary is accountability for bad management, and that's not something that the Government (or most of the private sector) has ever been very good with. Vin's question - "how do you create accountability?" - is the key.

The answer is simple: Accountability comes from the top based on information that filters up from the bottom. What that means is that the folks in the line of fire have a duty to make sure their management understands if there are any issues that management should understand. If the folks in the line say nothing and sweep the problem under the rug instead of going up the chain of command, it's their problem if there is later an "incident." If management is told and refuses to deal with a problem, then it's management's problem. At that point, senior management doesn't necessarily need to know the details, but only that there was an issue, and that the manager dealt with it. If it later turns out that the manager was wrong, enlightened senior management SHOULD know to deal with the manager, not the folks in the line of fire. Usually that's not how it happens, though. But, believe it or not, there are businesses in the world that are not mismanaged. I don't think there are any governments that are not mismanaged.

What's ironic is that I was actually in the armed forces for a while. They taught me about the chain of command while I was doing the low crawl at Ft Dix, eating sand. They said "if you got a problem, make it the Sgt's problem. If he can't solve it, he'll make it the Captain's problem. Etc. But if the Sgt says it's your problem, it's YOUR problem, you got a problem with that?" -- what happens with security is that a lot of folks don't even realize it IS a problem. Auditors need to make it their problem. Teachers need to make it their problem. Hackers are making it their problem.
When I was a consultant, I had one guy approach me about doing some work for them, to audit their firewall and whatnot, and they explained that they had Booz-Allen in last year and Booz-Allen wrote them a huge list of recommendations and they wanted me to look things over. I asked how many of Booz' recommendations they had taken. "Uh, none."

What I guess needs to happen is for that guy's boss to be fired. Or, if the guy's boss had told his boss about the problem, for his boss to be fired. SOMEPLACE, someone had been told there was a negative report and had done nothing about it. That person should be fired if they ever have a security breach.

So, back to our friends at the Pentagon. Perhaps someone in the line of fire told their boss "we should secure this better." If they didn't, they deserve to be canned. What kind of network manager responsible for defense systems would be so stupid? Not with my taxpayer's dollars, please! If their boss didn't tell his boss and try to get things changed, then his boss should be canned. If the boss did tell his boss, and the boss^2 didn't do anything, can them, too.

Janet Reno is talking about spending massive amounts of taxpayers' money to start some cybercrime center nonsense. I'll tell you how to make a FIRM STEP in the right direction, Janet, and it's free and it'll even save us money. Fire the person in charge of information technology for the Pentagon. Fire the entire chain of command** of that organization, right down to the network cabling. Leave that. The cable obviously isn't broken. Next, cut that cable. DON'T TRY TO "SEND A MESSAGE TO THE HACKERS" -- SEND A MESSAGE TO THE MANAGERS.

But I'm just fantasizing out loud. :(

To me, the most fascinating security experiences I have - the ones that really make me drop my jaw - are the ones where perfectly rational people try to NEGOTIATE a security solution. It goes like this:

Person #1: "We should put some security in."
Person #2: "But we're a university!"
Person #1: "We still should do something. How about a firewall?"
Person #2: "Arrrr!! ACADEMIC FREEDOM!"
Person #1: "How about a firewall that isn't very tight? Let's say, it lets through 5% of the packets?"
Person #2: "90%!"
Person #1: "How about 40%, surely that's reasonable?"
Person #2: "I'll settle for 50% but I get to pick them!"
Person #1:

Sometimes it's fun to remind these players that since the hackers aren't party to the negotiation, they may not feel bound by the genteel agreement #1 and #2 just struck.

Having seen this drama played out repeatedly, it's amazing that people feel things like firewalls are worth having at all. The firewall's not the problem, here. This is a management problem. Whoever #1 and #2 worked for should have made a decision for them and not taken any guff about it (and been prepared to lose their job if the decision was wrong). Oops, accountability again. No, not "accountability" - "leadership".

Anyhow, Vin, you're right, accountability is essential. But it's something that comes from principled leadership - not from external auditors and standards. Not even from peer pressure.

I think I just realized why I am growing cynical about security. :(

"The only way to solve bad management is to become it."

mjr.

(* "By that logic, Sir, I don't think you should be allowed to buy any tanks until AFTER the first incoming round frags your sorry ass.")

(** Hopefully, this would include my old friend the Major, who is probably a Colonel by now.)

-- 
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr