From: firewalls-owner
To: firewalls
Subject: SATAN
Date: 19 March 1995 09:57
>From: rodney @ subasic . sciatl . com (Rodney Garner)
>Subject: SATAN
>
>The only threat from SATAN is to those that don't want to admit that they might
>have holes in their network and don't want to know about them.
>
Precisely! The people who refuse to admit they have a problem and need to
do something about it.
"I'm OK, I've got a programmer who takes care of that kind of thing".
Oh yeah, what does he actually DO? Show me!
The point isn't that SATAN does something which has never been done before,
but rather the way it has been publicised. Management can no longer ignore
the problem, pretend it doesn't matter.
/anton
----------------
Never underestimate the capacity of some managers to ignore something they
don't want to see.
'Security' for many is an unnecessary overhead in their perception of
business risk. The attitude often is 'If I can insure against it, let the
insurance companies take the heat. If the insurance companies don't offer a
policy it can't be a real problem'. Another attitude is 'The cost of the risk
is less than the cost of the solution'. There are many alternatives on these
broad themes.
Take the simple example of fire and crime prevention in a public building
like a dance hall. These establishments have been around for centuries and
many suffer fire damage. They also suffer from the person who buys a ticket
and then lets a group of friends in for free through the fire exits. Many
managers still see the ticket fraud as the main threat and padlock the fire
exits, not unlike the concept of 'firewall'. A fire breaks out and hundreds
of people get killed trying to break out of the locked fire exits. Every so
often an incident of this type breaks out somewhere around the world and
makes the TV news. It's such a well-documented situation that a normal human
being has difficulty understanding how a corporation can take such a callous
approach to the safety of its customers in the crude pursuit of profit. When
a particular country suffers a number of these incidents in a short time,
new legislation is enacted in an attempt to stop the problem. Usually the
legislation gets off to a good start and then begins to fail because it's not
enforced effectively.
IT security and SATAN are not a lot different, except some managers will find
understanding fire precautions easier than understanding IT and
communications systems.
Products like SATAN have been around for a long time; the only thing
markedly different is that sometimes one of them is promoted by the author
or the media. When the author promotes the product the reason may be simply
commercial, either in promoting a product which directly produces revenue,
or because it creates a market for another product behind it.
When something like SATAN receives a lot of coverage, it can be good and
bad. The good part is that it will prompt a number of people to think more
carefully about external risks. The bad part is that it probably creates
fear and panic (good risk management requires a cool and calculating
approach) and it will focus attention on external attackers and away from
some (probably) more serious risks which might also be dealt with
effectively, quickly and at lower cost.
The real danger is fear. It can also be the marketeer's greatest friend - in
the IT market more than one vendor has benefited greatly from Fear,
Uncertainty & Doubt. In those countries which make handguns easily
accessible, increased fear (generated by media hype) of assault by armed
criminals can do wonders for sales of handguns to the local citizens. There
are then increased occasions of children blowing away their friends through
playing with daddy's new 'toy', family disputes being settled permanently,
etc. At the same time, people get damaged by other risks which they never
saw because they were too busy worrying about the latest 'scare' stories.
That's not much different from the world of Information Systems.
Ian J-B