
Tuesday, September 13, 2005

firewall-wizards digest, Vol 1 #1667 - 8 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: The home user problem returns (Mason Schmitt)
2. Re: The home user problem returns (Mason Schmitt)
3. RE: The home user problem returns (Tina Bird)
4. Re: The home user problem returns (Mason Schmitt)
5. Re: The home user problem returns (Mason Schmitt)
6. Re: The home user problem returns (Marcus J. Ranum)
7. RE: The home user problem returns (hermit921)
8. RE: The home user problem returns (Sanford Reed)

--__--__--

Message: 1
Date: Tue, 13 Sep 2005 14:47:59 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: Paul Melson <pmelson@gmail.com>
Cc: "'Paul D. Robertson'" <paul@compuwar.net>,
"'Marcus J. Ranum'" <mjr@ranum.com>, 'Kevin' <kkadow@gmail.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

>In fact, it's been my
> experience that using technology to solve a human problem is the hallmark of
> lazy or ineffective management. (i.e. "I don't have the clout/spine to take
> this to HR to get a policy against using streaming audio, so we'll use QoS
> at the border to keep audio traffic from drowning inbound web traffic...
> again.")

Yes! I know the manager you are talking about.

> However, Marcus said something in his latest rant (well, the one everyone's
> talking about - I picture Marcus ranting on a near-daily basis to someone
> somewhere) on this topic that I think is fairly accurate. Some of these
> problems will solve themselves in the near future. A new generation of
> "kids" is beginning to enter the workforce. These kids grew up with e-mail,
> web, IM, p2p and all of the crap that goes with it. Businesses stand to
> benefit directly from the new increase in collective understanding about the
> user end of technology. This includes many of the things that you would see
> in technology or data security awareness training programs that companies
> have spent the last decade developing.

Yup. This is the hysteresis I was talking about. Uptake is slow and
may span a generation, but it will happen.

--
Mason

--__--__--

Message: 2
Date: Tue, 13 Sep 2005 15:01:17 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: Tina Bird <tbird@precision-guesswork.com>
Cc: "'R. DuFresne'" <dufresne@sysinfo.com>,
"'Marcus J. Ranum'" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

>>It seems that there are two primary ways in which people
>>change. Either
>>they make a conscious choice to change prior to a problem
>>getting out of
>>hand (requires knowledge that there is an impending problem and
>>knowledge of how to avoid the problem) or they endure more
>>and more pain
>>until they are forced to look at the problem and finally make
>>a choice.
>
>
> i disagree. i don't know *anyone* who willingly makes a fundamental,
> significant change in their behavior without pain as a motivator. for
> every example of your first category that you can present, i can *probably*
> demonstrate that the "apparent" change is really an example of the person
> behaving consistently with some deeper part of their personality, which
> isn't changing.

Whether you believe the first kind of choice exists or not doesn't
really matter. Perhaps I just like to believe that it does so that I
can have a bit more faith in the intelligence (latent intelligence?) of
humanity. :)

At any rate, I'm glad that you believe change due to pain is possible.
Just to be clear, I don't mean pain forced upon someone, I mean pain
that people experience as a result of their own action or inaction.

> so for me, the question is, how do we influence the *consequences* of
> badly configured or managed machines - wherever they are, on corporate
> networks or the internet - in order to create the change we want? how do we
> create a beneficial sort of pain?

It's already happening, we don't have to do anything to cause further
pain. What we need to do is to have solutions and answers ready for
when people start looking for them. That's why I said earlier that we
need to keep pushing forward, while still reaching out to see if anyone
is ready to listen yet.

> when i'm dealing with my relatives, i just change the configuration of
> their computer when i'm visiting. that's not exactly a motivator, but hey,
> their machines are fully patched :-)

I do the same thing. I usually also follow up by telling my mom or dad
why I did it and take that as an opportunity to tell them a bit about
what other things they may want to think about to help protect themselves.

> it's why i'm so interested in NAC and NAP and other sorts of enterprise
> technologies that let me use network connectivity as the bribe to get
> machines configured the way i want them. i'm creating pain for the end
> user by not letting them get to the web without doing what i want - the
> height of security admin arrogance, i'm sure, but i try to be reasonable
> in my expectations.

Arrogant maybe. Intrusive probably. However, I still think it's a
great idea. That's kind of what I've been looking at except that I have
to be more reactive than proactive, so I'm planning to go with the leper
colony or penalty box idea.

--
Mason

--__--__--

Message: 3
From: "Tina Bird" <tbird@precision-guesswork.com>
To: "'Mason Schmitt'" <mason@schmitt.ca>
Cc: "'R. DuFresne'" <dufresne@sysinfo.com>,
"'Marcus J. Ranum'" <mjr@ranum.com>,
<firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Tue, 13 Sep 2005 15:17:58 -0700

> > i disagree. i don't know *anyone* who willingly makes a fundamental,
> > significant change in their behavior without pain as a motivator. for
> > every example of your first category that you can present, i can *probably*
> > demonstrate that the "apparent" change is really an example of the person
> > behaving consistently with some deeper part of their personality, which
> > isn't changing.
>
> Whether you believe the first kind of choice exists or not doesn't
> really matter. Perhaps I just like to believe that it does so that I
> can have a bit more faith in the intelligence (latent intelligence?) of
> humanity. :)
good point. and is it intelligence or wisdom? hard to say.

> At any rate, I'm glad that you believe change due to pain is possible.
> Just to be clear, I don't mean pain forced upon someone, I mean pain
> that people experience as a result of their own action or inaction.

if i force the pain upon people based on their actions or inaction, does
that still count? cos they're mostly not volunteering for it...

> I do the same thing. I usually also follow up by telling my mom or dad
> why I did it and take that as an opportunity to tell them a bit about
> what other things they may want to think about to help protect themselves.

to some extent, though, that's audience dependent. my dad is always very
interested in what i've done and what he needs to know himself, because he's
very curious about computers, and he likes to understand how things work. my
mom, on the other hand, really *doesn't* want to know.

which is another way of saying, i suppose, that it's only the choir, or
potential chorists, who will *ever* listen to us. at least without the pain.

> Arrogant maybe. Intrusive probably. However, I still think it's a
> great idea. That's kind of what I've been looking at except that I have
> to be more reactive than proactive, so I'm planning to go with the leper
> colony or penalty box idea.

carrot, meet stick. stick, meet carrot :-)

p.s. disclosure: i'm security architect for infoexpress, a company that
produces one of these endpoint enforcement systems...i joined them after
surviving blaster at stanford, and deciding that endpoint enforcement was
going to change the universe...yeah right...

--__--__--

Message: 4
Date: Tue, 13 Sep 2005 15:34:23 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: "R. DuFresne" <dufresne@sysinfo.com>
Cc: Brian Loe <knobdy@stjoelive.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

>>> When enough people choose to smoke, they are placing an unnecessary
>>> burden on the public medical system, thereby degrading it for everyone
>>> else.
>>>
>
> Are they? Will they really? After all, considering the above, they are
> not likely to live as long and thus not going to be within the system as
> long term as the non-smokers.

> Are you certain of this, or is it just another version of overhype in
> this current time and space? After all, think about it a moment, if I
> draw smoke directly into my lungs, and exhale and then you breathe in a
> small fraction of what residual smoke is left, is it really more of a
> health issue for you in a secondary fashion than it was for me in the
> first intake?

I should have known better than to bring as touchy an example as this in
as an analogy...

You know what, I don't honestly know. I have seen reference to so many
studies, so much backlash against tobacco companies, (I also really
liked the movie "The Insider"...), that I have a hard time thinking it's
not true, but I really didn't come here to debate smoking. I'm sorry I
inadvertently pulled attention away from the topic at hand.

...snipped out my original description of my bot problem

> That sure seems like a long way about trying to limit the exposures that
> got and get you into the fixes you find in your ISP technical position,
> so, let me ask here again, would it not be simpler, and likely go pretty
> much unnoticed by the vast majority of your users to just not allow
> ports 135-139, 455, and 500 and the rest of the windows specifics from
> leaving your perimeters and even actually eliminate it on your
> broadcasts within?

In a word... no. We have had all those filters in place for a long
time. They don't do dick when faced with a bot that comes in via a p2p
download or IM download that then sets up shop and decides to go after
your relay rather than trying to do direct-to-mx zombie spamming.

The bot problem is an insidious one and they are getting smarter.

> Seems that would be far less work and likely with
> the ingress and egress filtering eliminate 90% of the issues that hit
> you and your user base, would it not?

It's not even remotely close to 90% unfortunately.

> and certainly without the support
> overhead of the vast majority of the plans and solutions you are trying
> to implement, yes?
>

I'm going the extra distance (and I imagine all ISPs are going to be in
a similar boat) because I'm forced to and because I know that if I don't
start the hardening process now, I'm going to get burnt badly and have
to scramble for a solution later.

> My question to the rest of the list remains: how much would an ISP
> suffer if they invoked such policies?

Not at all. It's a great start to improving the situation - something
that all ISPs should be undertaking asap. It would sure help cut down
on the amount of worm traffic on the net. Take a look at dshield
sometime for an idea of how much those simple rules would help.

> and invoked such policies with
> the hitting those that request to be allowed to avoid those limitations
> with a service expansion and extra hit from the pocketbook?

That's unlikely to happen. Why would someone pay extra for such a thing?

> Rather then
> give it all away under the basic pricing infrastructure, you make those
> that wish for the "addon risks" pay for it.

Again, all the things I'm talking about have little to no negative
impact on customers. In fact, here's the current list from our router
(my boss cleared this). There's no harm in disclosing this, because
anyone that wants to go after our customers can use any of the other
thousands of ports that are open - these are just to block the common
automated crap.

# Microsoft stuff
tcp 42 # WINS
udp 42
tcp 135 # epmap (blaster worm)
udp 135
tcp 137:139 # SMB
udp 137:139
tcp 445 # win2k SMB
udp 445 # not really necessary, but...
tcp 1433:1434 # ms-sql
udp 1433:1434
udp 1900 # UPnP service announcement traffic

# Worms/Trojans
tcp 1022:1023 # New Sasser Variant
tcp 2745 # Bagel/beagle backdoor
udp 2745
tcp 3127 # Mydoom
tcp 3129:3199 # Mydoom
udp 3127:3199
tcp 5554 # Sasser ftp
tcp 6129 # Dameware
tcp 9996 # Sasser backdoor
tcp 9898 # Dabber backdoor
tcp 27374 # some trojans

--
Mason
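As an added example that is not part of the post or the list, the port list above parsed into a rule table, rendered as iptables commands for a customer-facing chain, and checked against constructed sample flows; the chain name and the flows are assumptions. The sample flows make the post's point visible: the list stops the automated SMB and worm traffic, but a bot dropped via p2p or IM that then talks SMTP to the ISP's own relay never touches a blocked port.

```python
import re

# Constructed copy of the port-block list in the post above, kept in the
# same "proto port[:port] # comment" shape so the parser can run offline.
BLOCK_LIST = """\
# Microsoft stuff
tcp 42 # WINS
udp 42
tcp 135 # epmap (blaster worm)
udp 135
tcp 137:139 # SMB
udp 137:139
tcp 445 # win2k SMB
udp 445
tcp 1433:1434 # ms-sql
udp 1433:1434
udp 1900 # UPnP service announcement traffic

# Worms/Trojans
tcp 1022:1023 # New Sasser Variant
tcp 2745 # Bagel/beagle backdoor
udp 2745
tcp 3127 # Mydoom
tcp 3129:3199 # Mydoom
udp 3127:3199
tcp 5554 # Sasser ftp
tcp 6129 # Dameware
tcp 9996 # Sasser backdoor
tcp 9898 # Dabber backdoor
tcp 27374 # some trojans
"""

RULE_RE = re.compile(r"^(tcp|udp)\s+(\d+)(?::(\d+))?$")

def parse_block_list(text):
    """Return (proto, low, high) tuples; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {raw!r}")
        proto, low, high = m.group(1), int(m.group(2)), m.group(3)
        high = int(high) if high else low
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port range: {raw!r}")
        rules.append((proto, low, high))
    return rules

def is_blocked(rules, proto, dport):
    """True if a flow to dport/proto falls inside any blocked range."""
    return any(p == proto and low <= dport <= high for p, low, high in rules)

def to_iptables(rules, chain="CUST-EGRESS"):
    """Render the list as iptables commands (assumed chain name; not executed here)."""
    lines = []
    for proto, low, high in rules:
        ports = str(low) if low == high else f"{low}:{high}"
        lines.append(f"iptables -A {chain} -p {proto} --dport {ports} -j DROP")
    return lines

def classify(rules, flows):
    """Label constructed (description, proto, dport) flows as blocked or allowed."""
    return [(desc, "blocked" if is_blocked(rules, proto, dport) else "allowed")
            for desc, proto, dport in flows]

# Constructed sample flows; the last three are exactly the traffic the list does not see.
SAMPLE_FLOWS = [
    ("customer -> SMB share", "tcp", 445),
    ("customer -> Mydoom port", "tcp", 3150),
    ("customer -> UPnP SSDP", "udp", 1900),
    ("customer -> web", "tcp", 80),
    ("customer -> ISP mail relay", "tcp", 25),
    ("customer -> p2p peer", "tcp", 6881),
]

if __name__ == "__main__":
    for desc, verdict in classify(parse_block_list(BLOCK_LIST), SAMPLE_FLOWS):
        print(f"{verdict:8} {desc}")
```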

--__--__--

Message: 5
Date: Tue, 13 Sep 2005 15:36:59 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: "Dale W. Carder" <dwcarder@doit.wisc.edu>
Cc: Chris Blask <chris@blask.org>, "Marcus J. Ranum" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

>> Getting back to computers and the Internet... If these sorts of controls
>> and industry maturity were in place, home users wouldn't be such a
>> problem.
>
>
>> It just needs to mature.
>
>
> No, we as Wizards, need to step up to the plate to create demand for
> interoperable security measures. Sitting around and waiting for
> these issues to get fixed for us is working about as well as user
> education.

I agree Dale. That's how it's going to mature. It's going to take a
lot of effort.

--
Mason

--__--__--

Message: 6
Date: Tue, 13 Sep 2005 18:35:59 -0400
To: Mason Schmitt <mason@schmitt.ca>
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] The home user problem returns
Cc: "Paul D. Robertson" <paul@compuwar.net>,
Kevin <kkadow@gmail.com>, firewall-wizards@honor.icsalabs.com

Mason Schmitt wrote:
>I also don't think the user education problem is an epidemiological one
>either. To suggest that ignorance to a growing and changing computer
>security environment is somehow like a rapidly spreading pathogen is a
>little bit of a stretch.

I'm sorry, I really screwed up my explanation. Can I have another throw?

Don't look at the problem from a "successfulness of prevention" standpoint,
look at it from a "propagation of failure" standpoint. With something like AIDS,
if you can make a significant percentage of the population aware of the problem,
you've made it possible for the "aware people" to enclave, meet, and breed, and
isolate the "unaware people" or those who have decided to argue in favor of
natural selection by taking risks anyhow. So, in an area where you can educate
50% of the population about something like AIDS you've got a fair chance that
the 50% you educated will survive.

Now, look at Internet security. If I educate 50% of the population about the
need to worry about security, I still lose - horribly - because the other 50% of
my population fails and their machines are used to attack the educated 50%!!
That wouldn't be a problem except for transitive trust(*) - a big chunk, I have
no idea how big, of the educated 50% would find themselves vulnerable to
attacks from trusted parties and would be vulnerable, and then you'd very
quickly be left with the only survivors being those who didn't trust anyone.
Another factor is that the environment would become poisoned after a certain
point. I am on a satellite internet hookup (pity me!) and when there's a new
worm out there doing a lot of scanning I can pretty much rest assured that
I will have no internet access for 2 or 3 days. I call this "adaptive packet
clogging intrusion prevention" -- it's effective but annoying. Wait 'till Gartner
hears about it.

So, that's a lot of why I am so hard on the topic of user education. Unlike
other problem areas where education is effective, user education in
computer security is of questionable value because the propagation
effect of one user making a mistake can overwhelm the results of your
educational programme instantly. We've ALL heard the stories of the
dweeboid executive who brings his laptop into the corporate WAN and
plugs it in and releases something awful behind the firewall, right? Well,
in 1/4 second, the entire educational programme at that organization
was utterly mooted. When you're fighting AIDS or illiteracy, local
failures do not propagate into massive system-wide failures.

Please - don't get me wrong: education is great. But if corporations want
to improve their security, it's not a particularly effective investment, in my
opinion. I know of no studies that shed light one way or another on this
question and I probably wouldn't trust them if I did. Why not? Because
there are some organizations that have chosen education as a
SUBSTITUTE for mechanism. My guess is that they'd skew the metrics
very sharply in the direction I'm predicting, and that wouldn't be pretty.

[Below I will use the term "Mechanism" here to abstractly mean
"technological enforcement system" - firewalls, AV, attachment stripping,
IPS, APCIP, whatever. Loosely, you can think of it as "something that protects
the user whether they want it to or not"]

I guess there's a matrix we'd want to explore:
#1 - No Security Mechanism, No Security Education
#2 - No Security Mechanism, Security Education for users
#3 - Security Mechanisms in place, No Security Education
#4 - Security Mechanisms in place, Security Education for users

I predict that of those 4, the security differences between #3 and #4 would be
minor. I further predict that the difference between #1 and #2 would be minor.
I would also predict that the largest difference would be between #4 and #1.
Put more simply: my guess is that the measurable impact of education
versus mechanism is minor. Add some cost factors in and you could
make a WAG at an ROI for security education. Then you'd take your
education programme out and shoot it.

Those of you who are familiar with the computer security calendar I did
for SourceFire back in '03
http://www.ranum.com/security/computer_security/calendar
probably don't know that the original concept
for December was not "Leadership" it was:
User Education
(Our users don't need Security Education; they need a good beating)
Photograph of a hand with a riding crop, wearing a studded leather
glove.
Unfortunately, when I went into the studio to do the shoot, I had assembled
all the props for the photography and the Southern States in Woodbine was
closed on Sundays and I couldn't get the riding crop prop as I had planned.
So Tal's wife was kind enough to stand in at the last minute for December.

mjr.
(* I was going to include "ignoring transitive trust" as dumb computer security
idea #7 but the article was written for executive gimboids and the idea of
succinctly and clearly explaining transitive trust was daunting)

--__--__--

Message: 7
Date: Tue, 13 Sep 2005 15:45:32 -0700
To: <firewall-wizards@honor.icsalabs.com>
From: hermit921 <hermit921@yahoo.com>
Subject: RE: [fw-wiz] The home user problem returns

I will weigh in with my experience. About 2000 users in my company, and
nearly 20% of them managed to get infected during one week a year or two
ago. That mess generated enough pressure that many of the desktops now
have patches forced onto them, but almost none of the users learned
anything. I take that back, several of them learned I am a NUT, because I
said Internet Explorer isn't safe to use.

On the good side, I have a friend who is almost totally computer
illiterate, but has never had a virus or spyware or any other malware.
Rule #1: never double click any attachment. If you have to open it, choose
a program that should open that type of file and do a File -> Open.
Blindly following these rules has kept her safe for over 10 years. So I
know people can learn, at least by rote, regardless of understanding.
Rule #2: never use Microsoft software. This probably helps an immense
amount, too.

hermit921

At 10:09 AM 9/13/2005, Scott Pinzon wrote:
>I've been watching with a certain morbid fascination as Marcus has
>ranted in his own blog and in FW-WIZ (and who knows where else) that
>educating users about security is one of the "dumbest ideas" and "if it
>was ever going to work, it would have by now." I have tremendous respect
>for you, Marcus (especially since you have, I dunno, six times the years
>in computer security that I do). But I can't help feeling, in my
>pipsqueak opinion, that on this one you're way off base.
>
> My reasoning, in short:
>
>-- Ignorance is never better than knowledge in any realm. But particular
>to network security, my experience is that most clueless users are also
>people of good will who will cease dangerous behaviors once they
>understand those behaviors ARE dangerous.
>
>-- Educating users is another layer in "Defense in depth." If 10 out of
>100 users click evil email attachments, and through education you reduce
>that to 3 out of 100, you've improved that layer.
>
>-- Educating users has been proven to work at company after company.
>Help desk calls, viral infections, falling victim to phishing emails,
>and more, have been quantitatively and demonstrably reduced at companies
>that institute end-user security training.
>
>-- And how do you know "it" (educating end users) is not working? We
>have no before/after comparison on what the Internet would be like if
>all of us who preach security had stopped five years ago.
>
>Maybe I'm misunderstanding you, but my take-away from your blog article
>is that you are so discouraged by end-user ignorance, you think we
>should all stop wasting our breath on them. Your recommendation is that
>we set up an environment through quarantining and what-not where users
>have no opportunity to hurt themselves. In rebuttal, I cite the crusty
>old maxim, "Genius has its limits, but stupidity is infinite." We CAN'T
>(through technology) create an environment where clueless users can't
>hurt themselves. To keep a network secure, we need users on our side. We
>can get them there if we try.
>
>Am I really the only one on this list who thinks so? Or Marcus, did I
>misinterpret you?
>
>
>SCOTT PINZON, CISSP
>Editor-in-Chief, LiveSecurity Service
>WatchGuard Technologies, Inc.
>505 5th Ave. South | Suite 500 | Seattle | WA | 98104
>206.613.6648

[deleted]

--__--__--

Message: 8
Reply-To: <sanford.reed@reed-assoc-llc.com>
From: "Sanford Reed" <sanford.reed@cox.net>
To: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Tue, 13 Sep 2005 19:01:52 -0400
Organization: Reed & Associates, LLC

Let's see, can we compare this to something else, say the disaster that
befell a certain southern US region?

How long did the locals and the US Army Corps of Engineers rant that the
next 'big' Hurricane would cause mass destruction and total flooding in New
Orleans? Was it something like 10 years and how long did Congress and others
ignore them? I'm guessing about 10 yrs. I think the message has finally
gotten thru and I think it takes a similar level of 'pain' on the individual
level to get thru to the end users.

BUT just because it appears that a large portion aren't listening we cannot
give up the RANT (oops, that's Education) because unfortunately that
threshold of individual 'pain' differs with each End user. However, as more
and more have to rely on a PC in their work environment, the more sensitive
those end users will get and the lower the point of 'pain' will become.

Sanford Reed
(V) 757.406.7067
-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Tina Bird
Sent: Tuesday, September 13, 2005 3:24 PM
To: 'Mason Schmitt'; 'R. DuFresne'
Cc: 'Marcus J. Ranum'; firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] The home user problem returns

> It seems that there are two primary ways in which people
> change. Either
> they make a conscious choice to change prior to a problem
> getting out of
> hand (requires knowledge that there is an impending problem and
> knowledge of how to avoid the problem) or they endure more
> and more pain
> until they are forced to look at the problem and finally make
> a choice.

i disagree. i don't know *anyone* who willingly makes a fundamental,
significant change in their behavior without pain as a motivator. for every
example of your first category that you can present, i can *probably*
demonstrate that the "apparent" change is really an example of the person
behaving consistently with some deeper part of their personality, which
isn't changing.

i think it's human nature to resist change altogether unless some sort of
pain - personal, physical, financial - motivates them. it's why carrot and
stick works so well as a way to influence behavior.

so for me, the question is, how do we influence the *consequences* of badly
configured or managed machines - wherever they are, on corporate networks or
the internet - in order to create the change we want? how do we create a
beneficial sort of pain?

when i'm dealing with my relatives, i just change the configuration of their
computer when i'm visiting. that's not exactly a motivator, but hey, their
machines are fully patched :-)

it's why i'm so interested in NAC and NAP and other sorts of enterprise
technologies that let me use network connectivity as the bribe to get
machines configured the way i want them. i'm creating pain for the end user
by not letting them get to the web without doing what i want - the height of
security admin arrogance, i'm sure, but i try to be reasonable in my
expectations.

cheers - tbird

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

--__--__--


End of firewall-wizards Digest
