IT security people sleep well

Crist Clark crist.clark at globalstar.com
Thu Jun 3 18:24:53 UTC 2004


Sean Donelan wrote:

> Survey: Despite dangers, IT personnel sleep well
> By Bill Brenner, News Writer
> 27 May 2004 | SearchSecurity.com

I liked this quote,

   About 43% of respondents said they're using the Secure Shell (SSH)
   protocol to protect data, secure remote access, and perform network
   management. But while the current SSH2 is considered to be
   significantly more secure, nearly 45% said they are continuing to
   mostly use the older SSH1 protocol. A cause for greater concern,
   according to the surveyors, is that 54.9% said they continue to
   configure their network devices via Telnet, which is known by
   network security experts to be severely vulnerable to intruders
   because it sends data as clear text and offers only weak password
   authentication.

   For Marc Orchant, head of communications at VanDyke, that was one
   of the biggest shockers, especially since it costs little or nothing
   to upgrade these protocols.

It "costs little or nothing to upgrade?" Does it seem a bit
disingenuous for a remark like that to come from someone at a company
that sells a commercial SSH distribution?

Anyone from the real world knows that there are real and significant
costs to convert an existing infrastructure with telnet, the
r-protocols, ftp, and all of their unencrypted, unauthenticated friends
to SSH and SSL secured connections. Yeah, maybe the software licensing
costs are little to nothing, but the administrative overhead of
converting all of your other scripts and software, plus lots and LOTS
of retraining of admin and users can be very expensive or simply
infeasible.

And just one more quote,

   "I guess the message here is that ignorance is bliss," said Steve
   Birnkrant, chief executive officer of Amplitude Research Inc.,
   which conducted the survey on behalf of Albuquerque, N.M.-based
   VanDyke Software Inc. "What most surprised me was the general
   sense of complacency. Much has been written in the media about
   security issues, and this makes me wonder if people are listening."

Why aren't people listening? I think Mr. Birnkrant needs to go way
back to old childhood fables and have a refresher on the boy who
cried, "Wolf!"
-- 
Crist J. Clark                               crist.clark at globalstar.com
Globalstar Communications                                (408) 933-4387


