On another security note... (of sorts)

J. Oquendo sil at infiltrated.net
Mon Jul 19 12:06:08 UTC 2010


Dobbins, Roland wrote:

> The thorniest issues aren't technology-related, per se; they're legal
> exposure (both real and imagined), regulatory concerns (both real and
> imagined), antitrust concerns (both real and imagined),
> management/marketing/PR concerns (largely imagined), skillset
> shortages/concerns (very real), customer perception concerns (both real
> and imagined), and so forth.

Legal issues for a situation like this can easily be resolved; however,
the problem boils down to who is willing to become "case law." There
aren't many laws surrounding this topic. Antitrust and regulatory issues
too can be trumped when businesses collectively conclude that it's for
the best interest of everyone. I believe that too many perceive this
imaginary 'brick wall' coming down on them and often take a step back,
choosing to do nothing, then coming back and wondering why their
businesses are now listed on DataLossDB.org.

Customer perceptions and concerns very real? I'm curious to know what
your perception is. As a customer *somewhere* down the line, if a
business slash vendor told me they were working with other businesses to
deter/minimize fraud, I'd be all for it. I can't think of any situation
where I would come to a grinding halt. E.g., from Starbucks:
"We're working with SEARS to minimize theft/fraud..." Me: "OMG No! You
better not work to make sure thieves don't get a hold of my data!" I
didn't follow that glaringly big "very real." If you mean on the bits
side of things... E.g. (myself working at an ITSP), my competitor: "We're
working to make an attacker database to defend ourselves from
toll-fraudsters, care to join?" ... Me: "No way in hell I'm going to
defend myself because you're seeing more attacks. Thanks but no thanks!"

Maybe naivete on my part, but I don't see how customers would have
issues if the scenario/framework were concisely explained.

> The second tier of barriers are those surrounding trust.  It's
> basically a sociological analogue of 'the PKI problem'.

Anyone here not peering, raise your hand?! Sure, there will be trust
issues; those too can be overcome. A "vetting" process could be
implemented and selected individuals could be "voted" in or out. We
"trust" NANOG to select the best individual to moderate this list. At
the granular level, I don't know anything about the moderator, yet I
trust my peers knew enough to give them a vote of confidence. Should I
go back and create a dossier on the moderator, or should I trust my
peers? I think for the most part it's a "so far so good" situation. Life
goes on until otherwise noted.

> Technology issues form the third set of barriers.  Yes, they're real
> and they're important, but if we could wiggle our noses a la Elizabeth
> Montgomery and make all the technology issues go away, the other sets of
> issues would still preclude any kind of universal solution, for some
> value of 'solution'.

Here is a semi-universal solution... Throw an N-byte field into the TCP
protocol and label it "dirty": the dirty bit. The dirty bit would be for
a combination of a host and/or other identifier which came onto the
radar N amount of times. The dirty bit would automatically get populated
into every routing table every X amount of time, where if a "dirty bit"
tried to route traffic from ANYWHERE, after some time, even its own TCP
stack wouldn't let it route out.

Even the collaboration of about 12 major companies (MS, Cisco, Juniper,
Sun, IBM) would likely cut the likelihood of attacks to probably in the
teen percentile.

> That's one of the reasons why a lot of people who make sweeping
> generalizations and recommendations about 'cyber-this' and 'cyber-that'
> tend not to have a good grasp of even the fundamentals - they aren't the
> folks who do the actual work, they don't know who does the actual work,
> and they often don't know anybody who knows somebody who actually does
> the actual work.  They often don't even know that actual work is taking
> place, or what it entails, in the first place, because the actual work
> takes place out of the limelight.

Acknowledged... Still, I believe a framework
(anti-malicious/pattern-matching/dirty-host) is long overdue. I also
believe far too many people take the "NIMBY" approach and make excuses
as opposed to solutions. This is seriously evident based on the number
of responses to something which is (I perceive to be) mission critical,
more so than arguing over the pros and cons of NOT doing anything.


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
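Added illustration, not code from the post above or from NANOG: a sketch of the threshold-and-expiry mechanism behind the "dirty bit" proposal. It models the idea as a shared host-reputation store that participants report into and pull from, rather than as a field in the TCP header; that choice, the `DirtyList` class, the participant names and the RFC 5737 documentation addresses are all assumptions made for the example. A host is marked dirty only after N sightings within a window and only when more than one participant has reported it, so a single noisy or compromised reporter cannot blacklist a host alone; the mark lapses on its own once the reports age out of the window.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    """One participant's report that `host` misbehaved at time `t` (seconds)."""
    reporter: str
    host: str
    t: float


class DirtyList:
    """Shared 'dirty host' store (hypothetical design, not from the post).

    A host is dirty when, within the last `window` seconds, it has at least
    `min_sightings` reports from at least `min_reporters` distinct
    participants. Only reports inside the window count, so the mark expires
    automatically as the reports age out.
    """

    def __init__(self, min_sightings=3, min_reporters=2, window=3600.0):
        self.min_sightings = min_sightings
        self.min_reporters = min_reporters
        self.window = window
        self._sightings = defaultdict(list)  # host -> [Sighting, ...]

    def report(self, reporter, host, now):
        """Record a sighting and drop anything already outside the window."""
        self._sightings[host].append(Sighting(reporter, host, now))
        cutoff = now - self.window
        self._sightings[host] = [s for s in self._sightings[host] if s.t >= cutoff]

    def _recent(self, host, now):
        cutoff = now - self.window
        return [s for s in self._sightings.get(host, []) if s.t >= cutoff]

    def is_dirty(self, host, now):
        recent = self._recent(host, now)
        reporters = {s.reporter for s in recent}
        return len(recent) >= self.min_sightings and len(reporters) >= self.min_reporters

    def export(self, now):
        """The list every participant would pull on its refresh interval."""
        return sorted(h for h in self._sightings if self.is_dirty(h, now))

    def should_forward(self, src, dst, now):
        """Policy hook for a router or host stack: refuse traffic to or from a dirty host."""
        return not (self.is_dirty(src, now) or self.is_dirty(dst, now))


def demo():
    """Constructed sightings showing threshold, corroboration and expiry."""
    dl = DirtyList(min_sightings=3, min_reporters=2, window=3600.0)
    # 203.0.113.7 is reported by two different participants, three times in total.
    dl.report("isp-a", "203.0.113.7", now=0.0)
    dl.report("isp-b", "203.0.113.7", now=100.0)
    dl.report("isp-a", "203.0.113.7", now=200.0)
    # 198.51.100.9 is reported three times, but only by a single participant.
    for t in (10.0, 20.0, 30.0):
        dl.report("isp-a", "198.51.100.9", now=t)
    return {
        "dirty_now": dl.export(now=300.0),
        "forward_from_dirty": dl.should_forward("203.0.113.7", "192.0.2.1", now=300.0),
        "forward_clean": dl.should_forward("192.0.2.1", "192.0.2.2", now=300.0),
        "dirty_later": dl.export(now=5000.0),  # all reports have aged out by then
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The corroboration threshold (`min_reporters`) is the part that addresses the trust objection raised in the thread: no single peer, however noisy, can get a host blocked everywhere on its own say-so, and because the mark is derived from recent reports rather than stored as a flag, there is no separate "un-dirty" step to forget.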
