In an article posted this afternoon at Forbes, Dr. Ullrich compares network professionals who disable unneeded features with slumlords. He starts by comparing a Bible for Section 8 landlords with network security. For those who don’t know, Section 8 housing is housing for the poor that is government subsidized. So, I guess he is also comparing users to the residents of Section 8. I suppose I should refrain from commenting about Section 8 residents as I may offend. Security analogies rot when examined too closely.
The Section 8 Bible according to Ullrich has the following rules:
1. If the law doesn’t require it, remove it.
2. Don’t fix it. For example, interior doors aren’t necessarily required and can be removed.
I don’t see network and security professionals acting in this way for the most part. From his conclusion it seems that Ullrich has decided that security is Dr No and the no fun light (traction control in cars) rolled into one. And we get more cliché about the business need being paramount. The Titanic had a business need to run on time too. But now I’m using my own cliché.
I fear that what he describes is more like checkbox or audit based security. Security starts looking like the result of a proposal from the lowest bidder. The bidder asks how we can minimally match the requirements of “security”. And an auditor comes through to verify that you’ve minimally matched the requirement. But security hasn’t occurred. This is another security fallacy, but it is not the principle of least privilege.
“Restrictive network policies hinder creativity”
Seriously? This old chestnut? We’ve heard this for years. It is particularly bad at Universities. Although repeated worm infections and system reloads have led to greater security controls even at the University.
I’m reminded of a time when a VP demanded access to Second Life so the business could appropriately promote itself. Dear reader, when was the last time you even thought of Second Life. Allowing access to that sure kept the doors open.
Someone in a business magazine writes an article about game theory’s influence on business. Suddenly the “games” category can’t be blocked any more.
Right. We’re hindering creativity.
I agree there is no reason to knee-jerk block social networking. But I’ve found that when you don’t have a handle on things originally, you can never put it back in the box. When webmail first became popular many companies didn’t allow any POP or IMAP access to email. That email wasn’t scanned. Or needed for business. So it was blocked. But webmail circumvented that. We could have immediately blocked those sites until we felt they could be accessed securely. But we let them be. And now they are open forever.
But in general, shouldn’t the comments about blocking social media be directed to Human Resources? Often they are the owner of the blocklist and worried about people’s use of time. In this slum-network example, HR is the Mom. Go talk to your Mom about accessing social media. I’m just the slum owner.
“Removing Features Hurts Security”
The author’s example is IPv6. He reports that Microsoft doesn’t test patches on systems with IPv6 disabled. Fine. How about we block it with the personal firewall? Does any security person really think it’s a good idea for the users to be the first ones playing with IPv6? They get a 6to4 tunnel set up and completely bypass the firewall and other security measures.
But what about the people whose job it is to play with IPv6, you might ask. Isn’t that what labs are for? It doesn’t need to be in production before it is ready.
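The bypass described above is not hypothetical: 6to4 and 6in4 wrap IPv6 packets inside IPv4 protocol 41, so an IPv4-only firewall that only inspects TCP and UDP waves them through. The following is an added example, not code from the original post or from Ullrich’s article, showing how to spot such tunnels in IPv4 flow records. It goes beyond the text in one respect: besides protocol 41 (6to4/6in4) it also flags Teredo, which carries IPv6 over UDP port 3544. The log format (`src,dst,proto,dport`), the hostnames and the addresses are constructed for the example; the 192.88.99.0/24 6to4 relay anycast range and the Teredo port are the real IANA-assigned values.

```python
"""Flag IPv4 flows that carry tunnelled IPv6 past an IPv4-only firewall.

Added example; flow-log format and sample records are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA-assigned 6to4 relay anycast prefix (RFC 3068); a protocol-41 flow
# to this range is almost certainly a host reaching the public 6to4 relays.
SIX_TO_FOUR_RELAY = ipaddress.ip_network("192.88.99.0/24")
PROTO_IPV6_IN_IPV4 = 41   # IP protocol number used by 6to4 and 6in4
PROTO_UDP = 17
TEREDO_PORT = 3544        # Teredo (RFC 4380) server/relay UDP port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # IP protocol number
    dport: int = 0  # transport destination port, 0 when not applicable


def classify(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow looks like an IPv6 tunnel, else None."""
    if flow.proto == PROTO_IPV6_IN_IPV4:
        if ipaddress.ip_address(flow.dst) in SIX_TO_FOUR_RELAY:
            return "6to4: IPv6-in-IPv4 to public relay anycast"
        # Protocol 41 to any other host is still a tunnel: either a 6in4
        # broker or a direct 6to4 peer (2002::/16 addresses embed the IPv4).
        return "6in4/6to4: IPv6-in-IPv4 (protocol 41)"
    if flow.proto == PROTO_UDP and flow.dport == TEREDO_PORT:
        return "Teredo: IPv6 over UDP/3544"
    return None


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src,dst,proto,dport' record."""
    src, dst, proto, dport = (field.strip() for field in line.split(","))
    return Flow(src, dst, int(proto), int(dport))


def find_tunnels(log: str) -> List[Tuple[Flow, str]]:
    """Return every (flow, reason) pair in the log that indicates tunnelled IPv6."""
    hits = []
    for line in log.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason is not None:
            hits.append((flow, reason))
    return hits


# Constructed sample flow log: internal 10.0.5.0/24 hosts talking outbound.
SAMPLE_LOG = """
# src,dst,proto,dport
10.0.5.23,192.88.99.1,41,0
10.0.5.23,203.0.113.7,41,0
10.0.5.40,198.51.100.9,17,3544
10.0.5.40,198.51.100.9,17,53
10.0.5.50,203.0.113.80,6,443
"""

if __name__ == "__main__":
    for flow, reason in find_tunnels(SAMPLE_LOG):
        print(f"{flow.src} -> {flow.dst}  {reason}")
```

Three of the five constructed flows are flagged: the two protocol‑41 flows and the UDP/3544 flow; plain DNS and HTTPS pass. The corresponding personal‑firewall policy is the obvious one: drop outbound IP protocol 41 and UDP destination port 3544 unless the host has a sanctioned reason to tunnel, and leave native IPv6 to the lab until the perimeter handles it.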
“They’re going to do it anyway”
“They Wont Want to Work For You”
I feel like I’m arguing with a teenager.
In summary, I think this article would have worked better without the slumlord analogy. It is inflammatory. It doesn’t match what follows. It takes work and money to secure networks. The slumlord is avoiding both.
What do you think? Let me know in the comments below.
And if you are Johannes Ullrich and you are reading this: please don’t kill me with your mind.