Enterprise Security - Moving a Giant


Yesterday on Twitter I posed 3 questions:

Question 1: Now that Clickjacking has faded away from “Newest Greatest BAD STUFF”, how many implemented NoScript personally? What about Enterprise wide?

Question 2: Now, everyone who responded that you are still on IE in the enterprise. Why? Did you show the powers that be clickjacking and its effects?

Question 3: OK, here is the final question of the trio. Why, since we rely on IE, aren't we screaming at M$ to implement NoScript-like features?

And Andrew Hay (twitter), one of the crazy smart guys from the party house above the US, posted a great blog article (kinda redundant to say "posted a blog post", eh?) (and no, that wasn't a Canadian joke). The following is my rebuttal to some of the things he said.

First he goes into training. And I agree with him for the most part. The support teams are going to need to be trained to support Firefox, but exactly how many calls do you really expect that to generate? The address bar is in the same place, tabs work the same, as do bookmarks. Importing bookmarks is a rather simple process as well; FF does it by default on first use. I guess the only person who can answer this is someone who has actually made the move from one browser to another.

Second, he touches on money. I take a bit of a different approach to this. I think that they (CxOs) should spend the money on the Mozilla Foundation to build an enterprise deployment package, including an addon (extension) deployment engine and GPO tie-in. But as far as the testing, QA, and support go, if your company offers to work with Mozilla on an enterprise deployment, I am sure they will fall over themselves to help make it happen. Sure, there will be training to go along with the new deployment and management pieces, but most likely the people working with Mozilla to get it working will have such an in-depth knowledge of the product by the time it gets rolled out enterprise-wide that they will not need training. And finally, are you really telling me that any company on the planet pays to train all of their staff? In my limited experience it's always been: send one, and he/she will train the rest.

Third, Deus Ex Machina. When I first read this I instantly thought of the game Deus Ex, but basically, as Andrew put it, it's explaining in business terms what the threat / risk is, what the FOI / ROI is, and how the deployment can happen, to the management (CxO? Writers of the check; WOTC is much less sexy than CSO, eh?). My answer to this is that I agree completely. Enterprises, be they corporate or government, are like giants. They can see much farther (industry insight is usually the main job of a CxO), but they are very slow in making steps (changes of any size).

But here is the tweak: I think when they do make changes, like giants, they are huge steps forward. And, Andrew is right again, it usually takes a dedicated individual in the organization to push it to the point where finally people start listening. That person is going to be the least popular person in the business, but at the end of the ordeal he/she will most likely either become very high ranking in the organization, or another company will take notice of the game changer and pull them into their company, hoping for the same fighting spirit to help their company flourish. But then again, it could end much worse. Some companies are so set in their ways that they refuse change and will reprimand those who push it too hard. Check out Marcus Carey of Sun Tzu Data's post that sums up Deus Ex Machina in one image.

Last, Andrew points out the Blind Eye technique. Ostriches play this game and it never really ends well for them. This is a base (I have started to hate the word "fundamental" since the elections) difference between security pros in the biz: some, if they don't see a risk, or don't see it widespread in the wild, don't see a rush. Marcin from TS-SCI Security made some twitter posts (#1, #2, #3) making some valid points. Are they wrong? No, not at all; it's just a different approach to security. I am more optimistic than I think I should be: I see the potential for bad stuff to happen and I want to fix it immediately, because there are definitely bad guys out there that are much smarter than I am.

In conclusion to this already too long post, I think it's a struggle, and we, as security people, will fight it forever. Cops have been hated since the dawn of time, and we are basically computer security guards, right?

Tell me what you think. I am always open to being proven wrong; it's then that we learn, right?