LINUX SECURITY --- December 05, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters

--------------------------------------------------------------------------------

HIGHLIGHTS

* Convincing the suits of the importance of being secure

--------------------------------------------------------------------------------

Educating Executives
By Rick Johnson

Your firm is on the hot track to stardom riding a revolutionary idea. Moving forward with the company's business plan, suddenly someone asks an executive, "Are you secure?" Sure, they understand security's necessity; however, your average executive envisions security as a box to check on a list rather than an in-depth, ongoing process. I am not necessarily belittling the executive team, as they are a vital part of the organization -- remember, they knew enough to hire you.

Well, if you haven't already battled through this subject with the executive team, expect a phone call. Here are examples of the types of questions you are sure to face at some point in your security endeavor. Of course, each answer you give surely will spawn even more queries.

Q. What will it take for our company to be 100% secure?

(This question is almost laughable, except that it is asked far too frequently.)

A. Unfortunately, a state of 100% security is impossible; uncontrollable factors, such as new vulnerabilities or disgruntled employees, always materialize. Realistically, though, a state of 95% is possible; that other 5% is virtually impossible without locking the entire company in a vault and filling it with cement.

Q. Why do we need a dedicated staff to handle security? Once things are locked down, they will not have anything to do.

(This question shows someone who does not grasp the concept and importance of a security department.)

A. So, once the doctor gives a patient a clean bill of health, they never need another checkup? Patients still need to visit multiple types of doctors to keep their body in perfect running order. Security is the same. Your staff handles daily maintenance of the security systems and also serves as the response team that deals with emergencies.

Q. Firewalls and intrusion detection systems are quite expensive. How do we justify such an expense when it will not generate any revenue?

(This one will most likely come from the Chief Financial Officer.)

A. While it does not directly generate revenue, security does help keep revenue from falling. Imagine what would happen if the customer credit card database were stolen. Once this information hit the news wires, how many customers would cancel? Or worse, sue for damages? Let's not forget the sales department's fun trying to convince potential clients that it was an isolated event. Security provides confidence in the company; you cannot put a price on that.

Ideally, your executive team will have past security experience, but realistically, expect to spend half your time fighting for those necessities every solid company requires. Of course, isn't that part of the fun?

About the author(s)
----------------

Rick Johnson is currently the Manager of Security Services for FusionStorm, a remote managed services company. When not writing, he heads the development team for PMFirewall, an Ipchains Firewall and Masquerading Configuration Utility for Linux. Rick can be contacted via email at rick@pointman.org or on the web at http://www.pointman.org.

--------------------------------------------------------------------------------

ADDITIONAL RESOURCES

Is Windows now playing catchup to Linux?
More on Win4Lin, XFree86, and the rumor
http://www.itworld.com/jlw/linsec_nl/lw-2000-11/lw-11-penguin_4.html

Real hackers go to Usenix
An informal look at the Usenix 9th Security Symposium
http://www.itworld.com/jsw/linsec_nl/swol-11-2000/swol-1117-security.html

Tapping on the walls
Learn to think like your attacker
http://www.itworld.com/jsw/linsec_nl/swol-11-2000/swol-1117-buildingblocks.html

--------------------------------------------------------------------------------