From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Mon May 27 2002 - 09:37:18 MDT
On Monday, May 27, 2002, at 02:56 am, Samantha Atkins wrote:
> True that it is a threat. True that many of us, even not in the
> security community, have grasped the possibilities long ago. But even
> if you convinced the IT community, exactly how would you defeat all
> possibility of this kind. As I am sure you are aware, there is no such
> thing as a fully secure system. You can raise the bar significantly
> though.
Actually, most of the threats are easy to fix. People just don't know
or don't care. It is impossible to have a perfectly good system. We
have to keep implementing security measures as we learn about them. The
failure would be, as in this case, when there are known problems that
aren't being fixed.
>> The IIS vulnerability, e-mail executions, webpage exploits, Nimda and
>> Code-Red examples discussed in this paper are all Microsoft specific.
>> Microsoft has already launched a campaign to claim that they have
>> revamped security and are now the premier security platform. Managers
>> have already dismissed these threats as being solved by Microsoft.
>
> Oh! This is sad, really sad. Sometimes I wonder if there is
> intelligent life on earth, or at least in IT management. :-)
I do too. The sad truth is that it is cheaper and easier to wage an
advertising campaign instead of revamping major software products. Most
people observing Microsoft's recent security initiative can't really
detect much change. They seem to be spending more time and money
telling people that they are doing security than actually doing anything.
>> Of course, security professionals know that they are not. While
>> security professionals applaud this new analysis of the threat, I
>> doubt most IT managers would read such a technical paper.
>
> If they aren't able or into reading such a "technical paper" then
> precisely how are they qualified to be an IT manager? Do we have to
> put on our own worms that monitor systems and install significant
> safeguards?
Very good question. Whether this is the Peter Principle or the Dilbert
Principle, there seems to be a trend in management that believes you
don't have to understand what you are managing. Managers typically are
not technology experts. I don't understand how this can be, but they
focus more on accounting, advertising, business and Enron tactics rather
than being really knowledgeable about the technology.
I think most of us here can tell horror stories about working for
clueless bosses who had no technical understanding of what they were
managing. "Dilbert" is funny because it is a parody of real business
realities. It is not a funny imaginary world. We all live in Dilbert
World.
--
Harvey Newstrom, CISSP <www.HarveyNewstrom.com>
Principal Security Consultant <www.Newstaff.com>
This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:14:24 MST