[Full-Disclosure] CyberInsecurity: The cost of Monopoly
Paul Schmehl
pauls at utdallas.edu
Sun Sep 28 18:20:28 BST 2003
--On Sunday, September 28, 2003 8:14 AM -0400 Karl DeBisschop
<kdebisschop at alert.infoplease.com> wrote:
>
> Crunchy shell, soft-chewy insides?
>
I don't think "we" as a "security community" have even begun to tackle this
problem. We talk about it, but who is *really* doing it? For example, if
you want to network machines you *have* to use SMB/NetBIOS for Windows, NFS
for Unix, CIFS, or something similar. Who is really looking at how to be
secure while still allowing internal machines to talk to each other?
Certainly none of the above protocols qualify as secure.
When a machine is problematic, for whatever reason, the usual reaction is
"block it at the firewall". But that doesn't protect that machine from
*other* internal machines. It only protects it from the outside. Oh, you
might have a firewall that cordons off accounting from the rest of the
enterprise, but *inside* accounting, you still have the "soft, chewy"
problem.
I haven't really seen anything that addresses this problem, and I'm not
aware of anyone who is working on solving it. For the most part security
thinking is still in the middle ages - build a castle with moats and outer
defensive rings, and staggered entrances to make it hard for the enemy to
get it. Once he gets in, what does current security thinking offer? Not
much.
What we need is a paradigm shift in thinking.
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
Full-Disclosure is hosted and sponsored by Secunia.