If you want to minimize compromise, increase accountability.

Anecdotal evidence from companies I've observed doing a good job
securing networks and systems leads me to conclude that improving
security is a lot like raising children, esp. teens (I have two, lead
youth mission trips but would not claim to be an authority merely an
observer of many situations with positive and negative outcomes).

Given broad choices, little direction, and no consequences, teens are
more likely to choose poorly. Sounds like a "that which is not
prohibited is permitted" policy, doesn't it? But the key that I think
we continue to overlook is that even the practice most list-readers
here believe is better - that which is not expressly permitted is
prohibited - is incomplete.

Where's the accountability and consequence in this policy?

Why don't we start adding quantitative consequences when we murmur
our favorite security mantra?

"that which is not expressly permitted is prohibited


1) "the consequence of intentionally doing what is prohibited is
termination of employment"

2) "the consequence of repeatedly unintentionally doing what is
prohibited is also termination (you are too {stupid | impulsive |
slothful } to be employed here)"

3) "..."

(Marcus has been quite creative on occasion regarding consequences so
he can fill in 3) and beyond).

I'm not being whimsical here. We live in a society where 70% of
people willingly revealed their usernames and passwords for Cadbury
bars. If exposing your organization to attack from an authorized
account is only worth a few bucks. If folks worried that they might
never taste chocolate again, well, maybe security might improve

Google "Low-Tech Password Cracker: ChocolateApril 20, 2004")

On 2 Jun 2005 at 13:36, Marcus J. Ranum wrote:

> I am totally sympathetic to the plight of the security
> practitioner who isn't willing to put his job on the line
> by telling the CTO he's a moron. I completely understand
> why people feel they need to compromise. But I still
> think compromise is for sissies.

firewall-wizards mailing list