Jon Tydda
Jon.Tydda at alcontrol.co.uk
Wed Sep 24 04:04:37 CDT 2003
> http://www.theregister.co.uk/content/55/32969.html
>
> Bruce Green of Death
> By Tim Mullen, SecurityFocus <mailto:Thor at HammerofGod.com>
> Posted: 23/09/2003 at 09:34 GMT
>
> Opinion
>
> We spend money, increase administration, and take away functionality. Is it any wonder that security people are so misunderstood, asks SecurityFocus columnist Tim Mullen.
>
> A friend of mine from Japan has been in the States about ten years now. Though her English vocabulary is better than many native speakers I know, she still has a pretty thick accent; sometimes it is hard to understand her cadence and structure-- particularly over the phone.
>
> A while back I gave her a call, and our chit-chat led into a discussion of the Japanese version of Windows 2000, which allows her to switch back and forth between languages-- in addition to lots of other cool stuff. We were talking about how her Thinkpad had dual character sets on the keyboard when the conversation shifted into problems she was having with some dude named Bruce Green.
>
> I had never heard of him before, but let her continue... Apparently, this guy would show up uninvited, and start messing with her. When she told me that Bruce Green appeared late one night in the middle of her preparation of a deliverable and caused her to actually lose something she had been working on by his interruptions, my male instincts kicked in and I said "Okay-- I don't know who this Bruce Green is, but you tell him that if he keeps on messing with you, he'll have to deal with me!"
>
> "What?" she said in a surprised tone.
>
> "Bruce Green..." I said; "Who is he?"
>
> I had to pull the phone away from my ear because of the laughter. The entire time, she had been saying "Blue Screen."
>
> I still laugh when I recall the conversation. I'm not making fun of the way any person or group speaks. In fact, looking back, my misunderstanding was analogous to the way clients, management, and even our own IT counterparts deal with us as security people.
>
> Many times, when we go to management and present the need for firewalls, gateway products, and patch management resources, they just hear, "I need more money and budget allocation." We go to IT Administration and present processes, topologies, and security configurations, and they hear, "We're giving you more work to do and no accompanying pay increase for the trouble." And we go to our clients and users with policies, best practices and guidelines, and they hear, "Doing it this way is going to make it harder to do your everyday job, and you won't really understand why."
>
> We spend money, increase administration, and take away functionality. Sometimes, we are even perceived as the bad guys within our own organizations. We are Bruce Green.
>
> To make matters worse, when it comes down to it, our success metric is inactivity. If we really do our jobs, no one notices. There are no hacks, no breaches, no worm infestations, no e-mail-borne viruses, nothing.
>
> We are successful when our bosses wonder what it is we do all day.
>
> Bad Thursdays
>
> The recent slew of worms and viruses should be your redemption whether you got hit or not. Blaster and its variants, SoBig, and even this lame Microsoft Advisory "Swen" virus that's going around should give you the ammo to ensure that Corporate gives you the tools you need to meet what I think is the biggest challenge we currently face for Microsoft deployments: Patch Management.
>
> Over the past several weeks, we've seen many "Bad Thursdays."
>
> For those of you who have not been paying attention, Microsoft has been releasing vulnerability announcements on Wednesdays. On Thursday morning we come in and see just how bad the day -- or the rest of the week in some cases -- is going to be. My shop is pretty small, but even so, the barrage of patches has been difficult to deal with: RPC/DCOM. Office/VBA. RPC Update.
>
> Just when you get through patching everything, it's time to patch again. If you don't have an efficient method of analyzing released patches, determining overall risk, packaging and deploying updates, and auditing installation, then get one. The task of patch management is only going to get worse, and at some point, we're going to get hit.
>
> Whether we choose to use Microsoft solutions like SUS or SMS, or turn to companies like Shavlik for help, it is time we make our management, our customers, or whatever group we report to understand that the investment in Internet technologies does not end at the initial purchase-- we must have a proactive management system in place to ensure that we can adequately address the continued maintenance our systems and software require, just as we do with other assets like copiers and vehicles.
>
> We're security people-- not salesmen. But it is time we make management realize that we are not the Bruce Green they think we are; we are the ones who keep things running in the face of adversity; we keep the fleet on the road when everyone else is in a pile-up.
>
> A final note to the CEOs out there-- if it isn't already, security will become the second most important thing to your company, right there behind the product that makes you your money. Remember always that Silence is Golden: if you want things to stay quiet, then give us your gold.
>
> SecurityFocus columnist Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.
Jon