Taking Wrong Turns On The Security Front


August 5, 2005


In my newsletter note this week I alluded to the fact that I had had a very tough week personally--all those adages about when it rains, it pours and the belief by some that God only burdens you with as much as you can handle succinctly fit my various crises these past seven days. I also mentioned that while my world will calm down I don't foresee the same for Cisco and its security woes.

The mention of the vendor's recent actions regarding a security researcher going public on a product vulnerability, and then the hacking community's intent to cause some other security troubles, drew some very interesting and on-target reader mail.

One note, from a former IT professional who managed a series of mainframes for a Fortune 500 company, really hit the mark in summing up the Cisco situation. And since I couldn't have expressed it any better myself, I wanted to share it with you:

Dear Judy,

As a former IT professional, one of my duties was to verify security, apply vulnerability solutions, patches, run audits, and make recommendations.

When security issues were found, management always ran a cost justification case on it. How much did it cost to how much was the risk? Well unless it was a "free" patch you can probably guess what the outcome was. 'No way are you going to spend that much money for that. Keep this confidential and monitor for any problems. Issue closed.'

I think it is really important to have whistleblowers like Michael Lynn {ED Note: Lynn is the security researcher Cisco legally squelched from future public data dissemination} to warn the rest of the user community of the vulnerabilities in the nation's Internet framework.

But what do we have instead--a large and powerful company which forced Michael Lynn to quit, then persecuted him for having their source code (obtained from the Internet), and tried to hush him with court orders. That's the business stance on everything--don't fix, just hide and cover up--sue if necessary.

WRONG. WRONG. WRONG.

Just as people don't leave money in boxes on their front lawns, or leave their doors and windows open while gone, or the keys in an unlocked car--we need to apply the same vigilance to computing security.

While many people decry that hackers are an enemy, we should be thanking them for pointing out the weaknesses in our computer systems. I'd rather have a hacker than a terrorist get into something of national security. Then we know the holes that need to be fixed. Let's stop hiding the mistakes and covering up by laws and suing.

Lastly, we keep mentioning the war on terrorism. It seems ok to give over the "keys" to computers remotely administered (called outsourcing) from such countries as India and China through all the Free Trade acts. However, their security is definitely lower than that of the United States. How easy would it be for terrorists in one of those countries to issue a command to erase and shut down banking, stock trading, or the national power grid?

Yet both the FBI and 'The War on Terrorism' agents went after Point-to-Point (P2P) file sharing for distributing copyright material. With both agencies jumping in, it looks as if money interests outweigh security concerns.

A Concerned Individual

Well said.
