On Mon, 6 May 2002, Peter Gutmann wrote:

> Ron DuFresne <dufresneat_private> writes:
>
> >I think it does a disservice to the info-sec community to have people tasked
> >as 'security' aware administrators constantly doing these rollouts and
> >constantly turning to the term VPN as a way to expand their security perimeter
> >and policy compliance outwards from the corporate boundaries to the homes of
> >end users and their cars on the road without a full understanding of what they
> >are doing to the defensive perimeters and security policies they are trusted
> >to maintain.
>
> In my experience the admins frequently are well aware that the VPNs-everywhere
> approach is unsound, but are overruled by management or accountants. Those who
> persist in raising concerns are labelled as troublemakers/non-team-players, and
> sidelined in future decision-making. Scare stories of this kind, while
> unfortunate, may be one of the few ways of getting through to management.

It's a problem of security often not being driven from the top down, and this is so common in the IT industry. Some have pointed out how security might well be a financial burden some companies are quite willing to forego, bearing the costs of compromises instead and seeing that as a cheaper alternative. Many are failing to understand that security can have an impact upon how their corporate image is perceived by those they do business with, and by their direct customers. And this has been one of the problems faced by a number of very visible security-related companies. Image/reputation is a cost sometimes well above what can be borne by the beancounters and upper management. HIPAA is going to have a very substantial impact on companies, if the government can find a way to really audit and validate compliance.

So many of those that will have to comply are so far out in left field of securely managing the information they are tasked with that we might well see a fallout of major attempts to get under the security umbrella on par with the issues faced when trying to deal with Y2K issues a few years back. Still, alas, few of the admins I've had the 'pleasure' of working with have really paid security serious attention at all. Most seem to have forgotten more than they retained. After all, security begins with the OS install. And most seem to have learned far too many bad habits to sometimes even adapt when an organization does push security in a top-down manner. Often they are more difficult to bring 'onboard' than the end users.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
This archive was generated by hypermail 2b30 : Tue May 07 2002 - 09:48:35 PDT