In most organizations, the responsibility and the authority for security
reside in different spots. All too often, the people with the responsibility
don't have the training, the budget, or the management support to do as good
a job as they know how to do. Meanwhile, the people with the authority to
make a difference don't have the training, the risk models, or the economic
incentive to do a better job.
From my experience, if any "expert" is quoted as saying that someone should
get the axe for allowing a break-in to happen, the person who gets squashed is
the poor end administrator who never had the budget or tools to do anything
about the situation. He/she simply gets blamed.
Thus, I usually don't mention this approach as a high priority item when
asked. Yes, I know it is important in the "big picture," but I am not
convinced that it is the most important thing.
Think about it -- some poor sysadmin is required to run 50 NT boxes without
add-on software. She's got to keep all the software up-to-date, answer user
questions, do backups, and do minor maintenance. She's told she has to allow
access to the WWW and outside ftp for all users. She has to allow unfettered
email in and out. Plus, she can't get the budget to hire an assistant,
license a scanner, or buy a one-time password system.
Along comes a hacker who waltzes in, does some damage, and waltzes out. Who
do you think gets the blame and the black mark? The executive who failed to
provide funding for an assistant, who rolled over when users demanded
unhindered WWW access through the "firewall," and who refused to consider a
recommendation for better control over user accounts? Damned unlikely. No,
it was the system admin's fault as far as management can see.
The military is the same way. The machines are often being run by a tech
sergeant who has had 6 months training. The tools, training, and technology
are what are provided by planners far away and long ago. Advocating that the
people closest to the machines -- even the base commanders -- be held
accountable is going to result in the wrong people being slammed.
Right now, the operators/admins don't have a lot of choice. Buy worthless
crap from vendor #1, or buy equally buggy crap from vendor #2. How can you
secure an OS that requires 2 emergency patches per week for security flaws
that have been known about for 20 years? I remain convinced this is the
first place we need to get some fixes. Otherwise, the unworthy and the
responsible alike are going to be held accountable for what amounts to
stopping an avalanche with a trowel.