Overreaction?
August 18, 2006
An interesting article by Bill Brenner over at TechTarget comments on some of my recent warnings about MS06-040. For those who haven’t seen my Chicken Little-esque statements, the article prints some of them:
Statements from researchers at San Francisco vulnerability management firm nCircle Network Security Inc. were probably the grimmest of all:
“This is no drill. And no, this isn’t an overreaction. We’ve always said that some day there would be another big, serious vulnerability. Well, this is the one,” warned Mike Murray, the company’s director of research.
What never gets printed is the second part of what I always say when I’m suggesting that things have the potential to be really, really bad. In this case, to most reporters I talked to, I also added this caveat: “I really would like to be wrong. But let’s weigh the consequences: if I’m wrong and everyone is a little too prepared, that’s a slight over-spend. If I’m right and nobody listens and nobody prepares, then things are really, really bad”.
This is the same kind of issue that we saw last year in New Orleans – there were many, many predictions that the city was terribly vulnerable. But nobody listened, and everything went really, really badly.
What will the future hold for MS06-040? Will there be the malware equivalent of Hurricane Katrina? Or is this a situation where nothing bad happens?
I, for one, hope to be just a little more prepared than I need to be (obviously not too prepared, lest I spend $100 protecting a $10 asset).
This, to me, is the game of risk management – the goal is to spend less than you would end up losing in the long run. In the scenario of MS06-040, there’s a relatively small incremental cost to increasing the speed of most patching processes – a bit of overtime, etc. But there’s a HUGE downside risk to not spending that small amount.
This is ultimately all about money and insurance – will I be wrong in the long run? Maybe. But, given the same vulnerability next month, I’d have made the same statements – the consequences of being wrong are simply too high.
One Day More
August 18, 2006
So, it’s early on August 18th – today is going to be my last day at my employer of the best part of the last 6 years.
Those years have been full of wonderful times and learnings, but it’s time to move on to a new set of challenges and learnings – there’s so much out there to learn.
I’m especially excited to move back to the customer side of the information security world – rather than selling products that help with security challenges, I’m incredibly excited to be back in the role of dealing with security challenges on a daily basis.
When Computers Attack
August 18, 2006
Anton tells a funny story on his blog. He quotes David’s blog post about the “Dumbest [Security] Seminar Ever”:
“Protocols may allow these communications to transmit confidential information, spyware, keyloggers, worms, viruses, and other security threats into and out of your organization”
It always amazes me how much bad information there is out there about security and IT. I recently had a conversation with some people about this article. The people I was debating with were talking about how horrible this is, how it bodes poorly for the future, how sad it is to see a couple at a Starbucks with two laptops, blah, blah, blah.
I made the point that they wouldn’t have any problem if the couple was sitting at a Starbucks with books instead of iBooks… they just looked at me like I had two heads.
Some day, I genuinely hope that we all understand that computers are very simple tools, with simple (though profound) impacts. And I hope that the culture of FUD around computers (protocols are computer languages for discourse – they’re about as dangerous as English) can be overcome by everyone gaining some understanding around the issues.
I think I’m pissy this morning.