Realizing That You Have a Problem

Once an organization reaches a certain size, you end up with a situation where separate groups are responsible for firewalls, IDS, anti-virus, etc.  Often these groups will not share a common chain of command.  Eventually, you may find yourself on a conference call similar to this (note, the names and protocols have been changed to protect the guilty.)

Alan the Intel Guy: “Based on law-enforcement’s reports, the group is using NFS to compromise systems.”
Betty from Vulnerability Assessment: “We’re scanning for running NFS daemons, I’ll shoot our report over to you.”
Alan: “Pat, do we have an IDS rule to detect NFS sessions crossing the perimeter?”
Pat, in IDS: “Let me check…”
Gene in management: “Shouldn’t the firewalls be blocking NFS?”

At this point Alan starts Googling for a LOLCat that says something like: “Defense in Depth: you’re doing it wrong.”

Illustrating the Problem to Technical People

Repeat after me:

“AV signatures are reactive”

“IDS signatures both false-positive AND false-negative”

“Your regularly-scheduled firewall maintenance doesn’t always go so regularly-scheduled.”

Putting it Into Terms Your Boss Can Understand

Earlier this week while I was piggybacking into the building behind a couple of co-workers, I overheard a bit of their conversation about a show they had watched on TV the previous day.  It was likely Dr. Phill or something.  An otherwise perfect couple was having marital difficulties whenever something important was accidentally sent through the washing machine.  One blamed the other for not emptying their pockets while the other counter-blamed because they didn’t check the pockets before running the wash.

The solution: do both.

At this point, the wise manager will observe: “but isn’t this a wasteful duplication of effort?”

So you must counter: “it’s a small price to pay (by automated processes I may add) to make certain that your Rolex doesn’t go through the wringer.”