Friday, April 03, 2009

Read Ranum’s Anatomy of Security Disasters

If you read only one article on security today (or, in fact, this whole week), read this: “Ranum's Rants - The Anatomy of Security Disasters” (also available here in PDF and here in slide form).

The piece is fun to read (especially if you are fond of saying “EPIC F.A.I.L.” :-)) and is full of lines which promise to be useful and insightful for the next…let’s say… 30 years :-)

A few quotes:

“So, what’s going on? We’ve finally managed to get security on the road-map for many major organizations, thanks to initiatives like PCI and some of the government IT audit standards. But is that true? Was it PCI that got security its current place at the table, or was it Heartland Data, ChoicePoint, TJX, and the Social Security Administration? This is a serious, and important, question because the answer tells us a lot about whether or not the effort is ultimately going to be successful.” [A.C. – it was PCI DSS, actually, and not the breaches. The latter can be “it-won’t-happen-to-us”’ed away easily]

“I’m very skeptical of the notion that "Risk Management" has any value beyond the butt-covering obviousness of having made an attempt.” and later “If you accept the argument I am making so far, perhaps I can convince you that "risk management" is a fiction that plays into the disaster-cycle.” and even “Ultimately, risk management is a numbers game; you multiply a wild-ass guess by a fudge factor. Worse, the potential cost of failure is estimated in as a factor, too. So you're trying to balance an unjustified estimate of cost of failure against a wild-ass guess multiplied by a fudge factor.”

“The difference between Alan’s viewpoint (other than that security practitioners are ‘whiners’) and mine is that he appears to believe that anything worth doing, can be done safely. Or, at least, with controlled risk.”

“Computer security hasn’t been tagged with an epic failure, yet. So far, computer security has "merely" been blamed for things like billions of dollars of losses. In its simplest form, the problem with computer security is that (like most risky propositions) it's easy to simply not worry about it as long as "nothing has gone wrong, yet."”

“I describe that as having happened in the past tense because it's important to emphasize that the computer security disaster has already happened - we simply have not yet reached the end of the sequence of events that started being put into motion in the mid 1990s.” [think about this one!]

“The reality gap comes into play when the executive decided to shop the idea around: he asked for this thing to be done securely, and got a resounding "no" from the security group, but a "yes" (it can be done, but not securely) from the web group. All he hears is the "yes" and when the whole thing blows up a year later, his memory will be that he asked if it could be done safely, but someone lied to him.”

“A few years ago, when a friend and I were discussing this problem at a conference, he said, "Yeah, but what should we do about it?" The only answer I can honestly give is: "The wrong decisions got made 15 years ago and now it's too late to go back and un-make them."”

“Remember: every fatal skydiving accident is that diver’s first fatal accident.”

“Do not allow management or clients to believe that they can do dumb things in safety, and do not hide behind bogus probability guesses.”

… but you MUST read the whole thing!!


UPDATE: fun comments on it can be read here.

Dr Anton Chuvakin