- Firewalls have gotten more complex over time
- Firewall administrators routinely make errors
- Firewall administrators are not following best practices
- Firewall training materials do not focus on management practices
Firewall Rule (Mis)management
Broken Windows – System Administration and Security
A recent study confirms that the ‘Broken Windows’[1] crime theory might be valid. As reported in the Boston Globe:
“It is seen as strong scientific evidence that the long-debated "broken windows" theory really works—that disorderly conditions breed bad behavior, and that fixing them can help prevent crime”[2]
Does the theory also apply to system administration, security, servers, networks and firewalls? How about application code?
I grew up knowing that you always cleaned and washed your car before you took it to the mechanic. Why? Because if the mechanic saw that you had a neat, well-kept car, he’d do a better job of fixing it. I’ve seen that in other places, like when you visit someone with a neat house versus a messy house, or hang out in a messy, smoky bar with cigarette butts and peanut shells on the floor, or a gated community versus a slum. Let’s assume that it’s simply part of human nature.
Quoted in the Boston Globe article:
“One of the implications certainly is that efforts that invest in improving the environment in terms of cleanliness may actually help in reducing moral transgressions because people perceive higher moral standards,” said Chen-Bo Zhong, assistant professor of management at the Rotman School of Management at the University of Toronto.
Higher moral standards reduce moral transgressions. Disorderly conditions breed bad behavior.
Does the theory apply to applications, servers, networks and firewalls?
- If system administrators, developers and network administrators consistently and carefully maintain a system or application by tracking down and cleaning up all the little bugs, error messages and minor day-to-day cruft, will the system perform better, have higher availability and better security?
- If a firewall rule set is organized, systematic, structured instead of random and disordered, will the firewall administrators pay closer attention to the firewall and be less likely to cause an error that results in misconfiguration or unavailability?
- If a server has applications and data neatly organized instead of scattered all over the file system, if the root directory has only system files in it instead of random leftovers from past projects, will the sysadmin pay closer attention to configuration, change management and security?
- If an application's code base is organized, structured, and generally neat, will the code maintainers do a better job of maintaining the code?
I speculate that this is true, based only on observation and anecdote.
[1] Broken Windows, George L. Kelling and James Q. Wilson, the Atlantic, March 1982
[2] Breakthrough on Broken Windows, The Boston Globe, Feb 8 2009
Via: The "Broken Windows" Theory of Crimefighting, Bruce Schneier
Cafe Crack – Instant Man in the Middle
Cafe Crack provides a platform built from open source software for deploying rogue access points and sophisticated Man-in-the-Middle attacks. They make it look easy:
“Using only a laptop, the attacker can sit unassumingly in a public location to steal personal information. Perhaps the most alarming aspect of this demonstration is that it was accomplished with only a laptop and existing open-source software.”
I knew it could be done, but I thought it was harder than that.
There are things that corporations can do, like spin up VPNs:
“However, the good news is that it is just as easy to protect oneself against Man-in-the-Middle attacks on an unsecure wireless connection. By using DNSSEC or VPN services, the user can bypass the attacker and keep their information secure.”
But for ordinary users?
“In the end, it is up to the user to be knowledgeable and safe around unsecure technology like public wireless.”
I think ordinary users don’t have a chance.
Update (07/06/2012): The FBI warned about this type of attack.
[1] Cafe Cracks: Attacks on Unsecured Wireless Networks, Paul Moceri and Troy Ruths