Rich Freeman via plug on 23 Dec 2020 06:54:04 -0800
Re: [PLUG] OT: SolarWinds


On Wed, Dec 23, 2020 at 8:31 AM Rich Kulawiec via plug
<plug@lists.phillylinux.org> wrote:
>
> On Sat, Dec 19, 2020 at 02:25:19PM -0500, Rich Freeman wrote:
> > On Sat, Dec 19, 2020 at 12:51 PM Rich Kulawiec via plug
> > <plug@lists.phillylinux.org> wrote:
> > >
> > > None of this surprises me.  What surprises me -- although mildly at this
> > > point -- is that people keep doing these things despite their unbroken
> > > record of failure.
> >
> > LOL, what does this even mean, an "unbroken record of failure?"  Are
> > you suggesting that every commit ever written to every large
> > application contains a new security-critical bug?
>
> No, if that was my contention I would have written it explicitly; my
> writing skills may be modest but they're sufficient for purpose.
>
> Instead, read my remarks *in context* -- that is, consider the entire
> universe of code that everyone's busy cranking out.  For the most part:
> it's awful.  We can barely get through a day without yet another gaping
> security hole being disclosed -- and those are barely the tip of the
> iceberg, since many of them won't be disclosed by the people who find
> them and even that's the tip of the iceberg, because there are no doubt
> even more waiting to be found, and there will be still more in future
> because code is still being cranked out.
>

So, we're both being hyperbolic, which is fun.  However, I think that
the reality is that security is a problem because everything we do is
imperfect, and security is not something that tends to reward
investment beyond a point.

Everything is about risk-management.  My house has glass windows and
doors that would not be difficult to break through.  I sleep fairly
well at night because I realize that while there is a risk of somebody
stealthily breaking in and killing me in my sleep, it really isn't a
significant risk compared to other risks I accept every day.  In
contrast the cost to effectively mitigate this risk would be so
significant that it would diminish my lifestyle substantially.

Software is no different.  Yes, when a breach occurs it is often a
high-profile event (not always).  However, breaches that have a
significant impact on a company are actually pretty rare compared to
the amount of investment in software companies make annually just to
stay competitive.

If not spending half of your IT budget on security was an absolute
guarantee of going out of business in a year or two then EVERYBODY
would be investing heavily in security.  Business owners aren't
actually dumb - if something is truly a cost of doing business then
they make sure they can afford to spend on it before they start the
business.

The reality is that investing less in security is a decision that
usually turns out well for a company.  When it fails there is usually
a large separation between the decision and the consequences.  Manager
A cuts security spending, then 10 years later after maintaining a
steady budget a breach occurs and Manager B has to explain why.
Manager A was able to spend more money on flashy initiatives and got
some nice bonuses, and moved on to another company in a more senior
position.  Manager B gets left holding the bag, and likely many will
say that such a thing would never have happened back when Manager A
was around - that's why he's a CIO over at such-a-place now.

And of course we're very good at identifying the specifics of what
went wrong and not the root cause.  Piece of software C had flaw D.
If they had just spent an extra $50 worth of manpower flaw D wouldn't
have happened.  Of course, nobody is likely to spend $50 more on that
ONE software change unless they either spend that much more on EVERY
software change, or they have some systematic approach for risk
assessment and targeted improvements, which of course also costs
money.  If the army loses an outpost for the want of 10 soldiers, the
cost to prevent the failure isn't 10 more soldiers, but an additional
10 soldiers for every outpost they have, since the enemy is the one
who gets to decide which one to attack.

I think the real problem isn't so much that breaches happen
frequently, as there will always be breaches and efforts to prevent
them and these will tend to find some kind of equilibrium.  The
problem is more the long tail and black swan events.  If the result of
a breach is that your company goes bankrupt, then there isn't much
opportunity to fix the problem later.

However, that almost speaks less to the side of security that involves
preventing breaches, and more to the side that involves recovering
from them.  When a major failure does occur, how do you ensure that it
doesn't cripple you, especially if your competitors are not impacted
in the same way at the same time?

-- 
Rich