Mon, 25 Sep 2006

Schneier on "Strategic Software"
Computer security professional Bruce Schneier makes some good points about how important some software is to an industry or even the economy. And he says, for the one-millionth time, "practice defense in depth."

It's a situation that snuck up on us. Everyone knew that the software that flies 747s or targets cruise missiles was critical, but who thought of the airlines' weight and balance computers, or the operating system running the databases and spreadsheets that determine which cruise missiles get shipped where?

And over the years, common, off-the-shelf, personal- and business-grade software has been used for more and more critical applications. Today we find ourselves in a situation where a well-positioned flaw in Windows, Cisco routers or Apache could seriously affect the economy.

...

If we were to get serious about critical infrastructure, we'd recognize it's all critical and start building security software to protect it. We'd build our security based on the principles of safe failure; we'd assume security would fail and make sure it's OK when it does. We'd use defense in depth and compartmentalization to minimize the effects of failure. Basically, we'd do everything we're supposed to do now to secure our networks.

I'd add that the ability to respond quickly to an exploit or vulnerability comes from being prepared. You should never have to hand-compile Apache and push it to your web servers, or futz with some arcane dependency problems, in the face of an attack or vulnerability.

Take the time now, with no one in your face, to package your software and work out the dependencies. Practice the drill for remediating a serious flaw. As an administrator who cares about security, ask yourself, "How would I react to the announcement of a serious flaw in ________ (choose your most visible, important, or exposed piece of software)?"

Rinse and repeat.

Work out the weaknesses in your packaging, communications, and processes. The processes may not exist or may be broken; better to find out now than during an incident, right?

Now you have a to-do list. Get to work.

Last Updated: 09/25/2006 19:47 by Richard | Filed in: [/security]