Thursday, May 17, 2007

State of Denial - Part 1

I want to call out that my use of IPS in my first big post (Dedication) wasn't the best, since we all know that IPS is part of intrusion systems. Sorry about that, but I was really trying to expand the definition of information processing, because humans are as important as, if not more important than, the machines. I hope that never changes or has not changed.

State of Denial is an ongoing series covering what I see as a lack of acceptance by organizations of the risk of operating information processing systems. This condition of not accepting or fully understanding risk is, simply put, "Bad Mojo". I have seen too many times where folks who have been designated "system owner or operator" just don't have the skills to understand the information that is being given to them and make truly informed choices. I actually feel for them, because they are given this duty with no real training and background. I wouldn't say that they aren't intelligent. Mostly the opposite! These are smart folks who have been "stuck" with the duty and forced into work they probably would never have chosen on their own.

So the first thing we in the Information Security industry need to do is ensure that we always push for the best risk-based, cost-effective recommendations. This is going to take some time, but as a profession we just can't push things that keep customers on the "hamster wheel of pain". I honestly think that there are those out there who would prefer that folks stay on the hamster wheel of pain. Many years ago at a conference in Maryland I got to see the patch management vendors show off their latest software.

Last year I took a look at some of the latest offerings and, to be honest, the sales pitch hasn't changed. They have tacked on some more bells and whistles, but beyond automating a labor-intensive task I don't see much value. After all, is SUS free? And if you're running Linux or Unix, how often are you patching? (Always for critical issues.) But if you have a box that you couldn't patch for whatever reason, wouldn't you shut it down, park it in a (virtual) firewalled VLAN with Intrusion Detection to keep an eye on it, or accept the risk with a clear understanding of it?

Or would we? This is the core of being in denial. System owners and operators that I have worked with simply say "Not my problem" and "We don't own it", so it doesn't affect them if the box or network segment goes "poof". You might notice that I like the word "POOF". It reminds me of cartoons I watched as a kid, like the Rocky and Bullwinkle show. The part I loved the most was the science dog dude and his kid sidekick.

I just don't get how system owners keep getting away with pretending that they can deny risk!
We are all born with risk ahead of, next to, and behind us. I think that risk should be added to death and taxes to turn that duo into a trio of misery. Risk isn't fun (unless you are an adrenaline junkie like me), and as I have outlined before with regard to modern data processing systems, we don't fully understand the risk because of the human factors.

When we close our eyes, pretend something isn't there at all, or make the choice to be ignorant of it, the fact is that what we fear and don't understand is still there, waiting for the moment to control the next step. After all, when a system owner chooses to live in the State of Denial, the end effect is a complete loss of control while maintaining the illusion of control.

But that's all it is... an illusion.