I'm Arik, welcome to my weblog


January 20th, 2006

Guru no more

Filed under: Security, Computer Security, Personal — arikb @ 11:36 pm

When I was a beginner in this field, young and fresh, I was full of conviction. Security was easy! There’s the security problem - there’s the security practice. Do this, avoid that. Very simple, mechanical even. When I talked about security, it was very easy to walk the path of the righteous; to say - with conviction - that there is a right way and a wrong way. It was easy, fun and cool to argue my point and win the argument, because I knew what to do.

Lately, though, things have become more complicated. The more aware I am of the variety of considerations that have to be taken into account, the more I hesitate when asked for my opinion. It is as if, before I open my mouth to speak, I have an internal dialog, analyzing the solution I am about to propose, the counter-response, and the response to that. For example:

- They have information leaks through FTP, they should disable FTP on their firewall
- But then FTP might have a valid business use
- What valid business use? There are always alternatives that are more secure
- Are they going to invest in these alternatives? Won’t it be simpler just to leave it open and manage, say, an access list?
- Who is going to manage the access list?
- They’ll have to allocate someone.
- Yeah, so they will, and the next incident they have they’ll have someone to blame for leaving such and such access open.
- Why would they leave it open?
- Because tasks like that tend to be given to someone in IT and they’re busy as it is.
- Well, as far as responsibility goes they can require signatures from whoever has to authorize that kind of access.
- So it’s okay to let people leak information now, as long as your ass is covered?
- No it’s not.
- So it’s the alternatives then. Email?
- Email is the wrong tool to transfer files.
- Do they need to transfer files, anyway? What type of files do they transfer with FTP?

… and so on. Eventually I go out and say it, only the intensity of giving a straightforward, simple solution is gone:

“Well, one way to do it is to block FTP at the firewall. You have to consider this option carefully, because by deciding this you decide that you have no business use for FTP. There are alternatives - you can block FTP selectively, use an alternate file transfer service, or monitor the outbound traffic for security violations. Or you can decide to leave FTP open because the business use overrides the risk.”

See what I mean? Not clear cut. The intensity is gone. Everything is disclaimed with exceptions. I’m no longer a ‘guru’, I’m a ‘consultant’. No longer making decisions, only suggesting possible courses of action.

And if asked to make the decision, sure, I’ll block FTP in the firewall and deal with the consequences; only the doubts will still be there, lingering, haunting me: Did I make the right decision? Based on my experience, yes. But still.

While I realize the advantages of having the experience and ability to judge a situation from multiple points of view and provide a more complete and comprehensive response, I still look back fondly at that time, when things were more intense and clear-cut.

• • •

3 Comments »

  1. Yes, I can see where this “problem” comes from - well, we all grow up, some sooner than others (well, some do not).

    And I’ll conclude with the immortal words of Oscar Wilde: “I am not young enough to know everything”.

    Comment by Oded — January 24th, 2006 @ 6:20 am
  2. A few remarks:

    1. “I was a beginner in this field, young and fresh” When the hell was this? I have known you for over ten years, and you were never a beginner in the field.

    2. You are becoming an American. Beware. This consultant mindset instead of taking decisions is clearly American and certainly non-Israeli.

    3. There are many advantages to considering alternatives, as long as you do so systematically and add price tags to everything. This is far more serious behaviour than just jumping around blocking FTP services; it has nothing to do with experience, just with thinking properly - as long as you are not afraid to take the decisions, or rather set a recommendation, yourself.

    4. There is a problem with the parser here when I try to add the remarks. The lines are misaligned and I can’t read what I am writing (no, in this hostel somewhere in SA they have neither Linux nor Mozilla). It drives me crazy, so I stop writing now.

    Comment by Elad — January 24th, 2006 @ 3:51 pm
  3. Hi Elad

    I know that this mindset has advantages, I was slightly cynical when I wrote this… I know now the mistakes I made back then (and yes there was a back then), when I might have made the right choice, globally, but it’s not enough to be right, you have to be right for the right reasons… It’s 11pm now in Hawaii but with the time difference it feels like 1AM. I’m turning in.

    Comment by arikb — January 25th, 2006 @ 1:45 am


This work is licensed under a Creative Commons License. Powered by: WordPress. Template based on work by: Priss.