Just to add my two cents... The fact is that the cost in damages of a single compromise is usually far greater than the cost of implementing and maintaining good security. TJX is a golden example of that. On 4/13/07 11:05 AM, "Jamie Riden" <jamie.riden@xxxxxxxxx> wrote: > Hi Steven, > > I believe security of an organisation is orthogonal to the number of > employees/users and how savvy they are. It depends more on the will > and resources to secure the network properly. Two, corporations do > have many financial incentives to make sure they are secure - if they > are doing their risk analyses properly, they can see that. So, yes I > do expect them to fare better - a lot better - than ISPs. More > comments are in-line. > > On 13/04/07, Steven Adair <steven@xxxxxxxxxxxxxxxx> wrote: >>> On 13/04/07, Steven Adair <steven@xxxxxxxxxxxxxxxx> wrote: >>>> Is this in anyway surprising? I think we all know the answer is no. >>>> Many >>>> Fortune 500 companies have more employees than some ISPs have customers. >>>> Should we really expect differently? >>> >>> Yes! Off the top of my head: >>> >>> 1. Corporations should have more of an economic incentive to prevent >>> compromises on their internal networks. E.g. "TJX breach could cost >>> company $1B" - >>> http://weblog.infoworld.com/zeroday/archives/2007/04/tjx_breach_coul.html >>> Now, a typical spambot will cost almost nothing compared with that, >>> but the point is you don't know the extent of the compromise until >>> you've examined the machines involved. >>> >> >> You list incentives but this doesn't mean I should really expect any >> differently. You are also equating a compromise into TJ MAXX servers for >> which details have not been given. I doubt and hope the same user that's >> an account for TJ MAXX and using e-mail isn't conencted or able to get to >> a server that processes credit card transactions. > > A compromise is a compromise and you don't know the extent until > you've looked at everything. If one of your machines is spewing spam, > how do you know it is also not leaking confidential data to a third > party? Any compromise has the potential to be *extremely* costly. > >>> 2. Corporations have a lot more influence over their employee's >>> behaviour than ISPs do over their customers. Customers can walk away >>> to a new ISP with minimal fuss if sanctions are threatened. >> >> Well this is true but you seem to be missing the point of the comparison. >> These are large corporations with tens of thousands (some more, some less) >> that are geographically dispersed across the countries. This isn't a >> small shop of 50 elite IT users. This is probably like most other places >> were 90% of the users can barely use Microsoft Word and Excel. Once >> again.. do I expect differently? No. > > There is no reason for an admin to let users compromise the company's > security. If the company cares about security, they can disable admin > rights, lock down the firewall and run an IDS. > > I can buy the argument that most companies don't care sufficiently, > but this is really orthogonal to the number and experience level of > their users. > >>> 3. Corporations can lock down their firewalls a lot tighter than ISPs >>> can. If my ISP blocked the way my employer does, I would be looking >>> for a new ISP. >>> >> >> Sure they can in some instances. How would locking down a firewall stop >> this e-mail from going out? Maybe you can lock down SPAM firewalls but >> that doesn't stop the root cause. You have 100,000 users at a Fortune 500 >> company with admin access to their Windows laptops. Are you going to >> block them form using the Internet and using e-mail? If not I am going to >> continue to expect them to keep getting infected. > > Block the infection vectors: screen email, http and ftp traffic. No > personal laptops on company networks. No admin rights as far as > possible. Monitor and react to new vectors and threats as they arise. > > Yes, I would disable people's Internet access - in fact all intranet > access too. My main interaction with Cisco kit to date is shutting > down Ethernet ports and re-enabling them after the problem has been > resolved. If there's an incident, the plug gets pulled until someone > has examined the machine, and if necessary reinstalled from known good > media. > >>> 4. ISPs don't own the data on their customer's computers. Corps very >>> much do own most of the data on their employees computers. Therefore >>> they need to worry about confidentiality in a way that ISPs do not. >>> >> >> Well usually corporations not only own the data on the machines, they own >> the computers themselves as well. You are equating a need and want for >> protection with what would really be expected. > > They have a financial incentive to look after their machines, so I do > expect them to look after them. An ISP has no such incentive to look > after their customer's machines. > >>> I used to look after security at a large-ish university and odd >>> activity would stand out because there the baseline was largely >>> 'normal' traffic. ISPs have little chance to detect 'odd' behaviour >>> because everyone is doing 'odd' things. Corps should only have a very >>> few 'odd' things happening on their networks and a single outgoing >>> portscan or IRC session are grounds for serious concern. (Assuming IRC >>> is forbidden by policy - if not, you can still profile the IRC servers >>> you expect to be talking to and those you don't.) It's not hard to >>> find infected machines at a corp. >>> >> >> Not sure last time you ever looked at XDCC/iroffer bots, but they can >> range from 10-50% .edu hosts. Universities are ripe for the picking. >> I've participated in UNISOG related lists and I know it's getting better >> and just like any organization it can very from location to location. I >> don't expect anything different here either. > > Yes, I've seen that. Having not worked at any of those particular > university, I can't comment on their setups. We immediately pulled the > plug on the occasional bots we had on our network. (If you're allowing > personal gear onto your network you will always get a few incidents.) > >> There's a field in most mail programs where you can enter in an >> SMTP/IMAP/Exchange address etc. This allows you to send e-mail using that >> server. > > Not any networks I configure. You have to be internal, or you have to > authenticate - or no email. > > My favourite quote at the moment is: "there are people who will try > anything to secure their networks, except design them correctly, > control the access levels within them, segment their networks, > understand their traffic, and monitor things closely." - Marcus Ranum. > Securing a network is not a black art any more, it just requires a lot > of corporate willpower to implement a useful security policy. > > cheers, > Jamie
