[dba-Tech] Bruce Green of Death

Jon Tydda Jon.Tydda at alcontrol.co.uk
Wed Sep 24 04:04:37 CDT 2003


> http://www.theregister.co.uk/content/55/32969.html
> Bruce Green of Death 
> By Tim Mullen, SecurityFocus <mailto:Thor at HammerofGod.com> 
> Posted: 23/09/2003 at 09:34 GMT
> Opinion We spend money, increase administration, and take away
> functionality. Is it any wonder that security people are so misunderstood,
> asks SecurityFocus columnist Tim Mullen. 
> 
> A friend of mine from Japan has been in the States about ten years now.
> Though her English vocabulary is better than many native speakers I know,
> she still has a pretty thick accent; sometimes it is hard to understand
> her cadence and structure-- particularly over the phone. 
> 
> A while back I gave her a call, and our chit-chat led into a discussion of
> the Japanese version of Windows 2000, which allows her to switch back and
> forth between languages-- in addition to lots of other cool stuff. We were
> talking about how her Thinkpad had dual character sets on the keyboard
> when the conversation shifted into problems she was having with some dude
> named Bruce Green. 
> 
> I had never heard of him before, but let her continue... Apparently, this
> guy would show up uninvited, and start messing with her. When she told me
> that Bruce Green appeared late one night in the middle of her preparation
> of a deliverable and caused her to actually lose something she had been
> working on by his interruptions, my male instincts kicked in and I said
> "Okay-- I don't know who this Bruce Green is, but you tell him that if he
> keeps on messing with you, he'll have to deal with me!" 
> 
> "What?" she said in a surprised tone. 
> 
> "Bruce Green..." I said; "Who is he?" 
> 
> I had to pull the phone away from my ear because of the laughter. The
> entire time, she had been saying "Blue Screen." 
> 
> I still laugh when I recall the conversation. I'm not making fun of the
> way any person or group speaks. In fact, looking back, my misunderstanding
> was analogous to the way clients, management, and even our own IT
> counterparts deal with us as security people. 
> Many times, when we go to management and present the need for firewalls,
> gateway products, and patch management resources, they just hear, "I need
> more money and budget allocation." We go to IT Administration and present
> processes, topologies, and security configurations, and they hear, "We're
> giving you more work to do and no accompanying pay increase for the
> trouble." And we go to our clients and users with policies, best practices
> and guidelines, and they hear, "Doing it this way is going to make it
> harder to do your everyday job, and you won't really understand why." 
> 
> We spend money, increase administration, and take away functionality.
> Sometimes, we are even perceived as the bad guys within our own
> organizations. We are Bruce Green. 
> 
> To make matters worse, when it comes down to it, our success metric is
> inactivity. If we really do our jobs, no one notices. There are no hacks,
> no breaches, no worm infestations, no e-mail-borne viruses, nothing. 
> 
> We are successful when our bosses wonder what it is we do all day. 
> 
> Bad Thursdays 
> The recent slew of worms and viruses should be your redemption whether you
> got hit or not. Blaster and its variants, SoBig, and even this lame
> Microsoft Advisory "Swen" virus that's going around should give you the
> ammo to ensure that Corporate gives you the tools you need to meet what I
> think is the biggest challenge we currently face for Microsoft
> deployments: Patch Management. 
> 
> Over the past several weeks, we've seen many "Bad Thursdays." 
> 
> For those of you who have not been paying attention, Microsoft has been
> releasing vulnerability announcements on Wednesdays. On Thursday morning
> we come in and see just how bad the day -- or the rest of the week in some
> cases -- is going to be. My shop is pretty small, but even so, the barrage
> of patches has been difficult to deal with: RPC/DCOM. Office/VBA. RPC
> Update. 
> 
> Just when you get through patching everything, it's time to patch again.
> If you don't have an efficient method of analyzing released patches,
> determining overall risk, packaging and deploying updates, and auditing
> installation, then get one. The task of patch management is only going to
> get worse, and at some point, we're going to get hit. 
> 
> Whether we choose to use Microsoft solutions like SUS or SMS, or turn to
> companies like Shavlik for help, it is time we make our management, our
> customers, or whatever group we report to understand that the investment
> in Internet technologies does not end at the initial purchase-- we must
> have a proactive management system in place to ensure that we can
> adequately address the continued maintenance our systems and software
> require, just as we do with other assets like copiers and vehicles. 
> 
> We're security people-- not salesmen. But it is time we make management
> realize that we are not the Bruce Green they think we are, we are the ones
> who keep things running in the face of adversity; we keep the fleet on the
> road when everyone else is in a pile-up. 
> 
> A final note to the CEOs out there-- if it isn't already, security will
> become the second most important thing to your company; right there behind
> the product that makes you your money. Remember always that Silence is
> Golden: if you want things to stay quiet, then give us your gold. 
> 
> SecurityFocus columnist Timothy M. Mullen is CIO and Chief Software
> Architect for AnchorIS.Com, a developer of secure, enterprise-based
> accounting software. AnchorIS.Com also provides security consulting
> services for a variety of companies, including Microsoft Corporation. 
> 
Jon
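The column's patch-management cycle (analyze released patches, rate the risk, deploy, audit installation) is easy to state and hard to keep honest without tooling. The following is an added example, not code from the column, from Tim Mullen, or from this mailing list: a small compliance audit over a constructed inventory. The bulletin IDs (B-001 etc.), host names, product names and the scoring weights are all hypothetical; real deployments would feed it from a scanner such as the SUS/SMS/Shavlik tools the column mentions, whose report formats are not modelled here.

```python
"""Patch-compliance audit over a constructed inventory (added example).

Bulletin identifiers, hostnames, product names and scoring weights are
hypothetical sample data, not real Microsoft bulletins.
"""
from dataclasses import dataclass

# Ordinal severity as published in an advisory; weights are our own choice.
SEVERITY_RANK = {"critical": 3, "important": 2, "moderate": 1, "low": 0}


@dataclass(frozen=True)
class Bulletin:
    id: str                 # hypothetical bulletin identifier
    severity: str           # critical / important / moderate / low
    products: frozenset     # products the fix applies to
    exposed_service: bool   # fix is for a network-reachable (worm-able) service


@dataclass(frozen=True)
class Host:
    name: str
    products: frozenset     # products installed on the host
    installed: frozenset    # bulletin ids already applied
    internet_facing: bool


def applicable(b: Bulletin, h: Host) -> bool:
    """A bulletin matters only if the host runs an affected product."""
    return bool(b.products & h.products)


def risk_score(b: Bulletin, h: Host) -> int:
    """Rank a missing fix on one host: vendor severity first, then exposure.
    A remotely reachable service on an internet-facing box outranks a
    same-severity client-side bug on an internal desktop."""
    score = SEVERITY_RANK[b.severity] * 10
    if b.exposed_service:
        score += 5
    if h.internet_facing:
        score += 3
    return score


def audit(bulletins, hosts):
    """Return {host_name: [(bulletin_id, score), ...]}, worst first.
    An empty list means the host is fully patched for this catalog."""
    report = {}
    for h in hosts:
        missing = [(b.id, risk_score(b, h)) for b in bulletins
                   if applicable(b, h) and b.id not in h.installed]
        missing.sort(key=lambda t: (-t[1], t[0]))
        report[h.name] = missing
    return report


def deploy_order(report):
    """Collapse the per-host report into one deployment queue:
    highest single-host score first, then by number of affected hosts."""
    agg = {}
    for host, items in report.items():
        for bid, score in items:
            best, names = agg.get(bid, (0, []))
            agg[bid] = (max(best, score), names + [host])
    return sorted(agg.items(), key=lambda kv: (-kv[1][0], -len(kv[1][1]), kv[0]))


# Constructed sample catalog and inventory (hypothetical identifiers).
BULLETINS = [
    Bulletin("B-001", "critical", frozenset({"windows"}), True),    # RPC-style remote hole
    Bulletin("B-002", "important", frozenset({"office"}), False),   # document-parsing bug
    Bulletin("B-003", "moderate", frozenset({"windows"}), False),
]
HOSTS = [
    Host("web01", frozenset({"windows"}), frozenset({"B-003"}), True),
    Host("desk07", frozenset({"windows", "office"}), frozenset({"B-001"}), False),
    Host("file02", frozenset({"windows"}), frozenset({"B-001", "B-003"}), False),
]

if __name__ == "__main__":
    rep = audit(BULLETINS, HOSTS)
    for host, items in rep.items():
        print(host, "OK" if not items else items)
    for bid, (score, names) in deploy_order(rep):
        print(f"deploy {bid}: score {score}, hosts {names}")
```

The point of the two outputs is that they answer different questions: `audit` is the per-host installation check you run after a deployment, and `deploy_order` is the queue you take to the change board before it. Weighting exposure separately from vendor severity is what stops an "important" client-side bug on an internal desktop from queueing ahead of a "critical" remote service bug on an internet-facing host.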


