Security Ripcord
EDU: Making It Through The Rapids (a.k.a. Who Needs Security?)

The school I work for just does not seem to get it when it comes to running a good, secure infrastructure by following security standards. The administrators have done a good job of piecing together a few things to help secure individual assets. They do make changes when they see a threat to a particular resource that they have not addressed. But, as a security professional, it is like watching a boat full of tourists rowing full steam ahead into category 5 rapids. I yell and wave my arms, “No... stop... we want to do this... don’t go that way.” But they don’t hear me over the roar of the rapids and their jolly cheering as they head towards the challenge. It takes everything I can muster not to roll out of the raft and swim for shore.

So today, while I was driving to work, I had a thought. Why is it that we have not seen a college, high school, or any other school close its doors because of security breaches or just plain being totally owned? We hear about the breaches. We hear about whole departments being closed down, reimaged, and then placed back on the network. But nobody actually goes away. People keep going to school and paying tuition. Teachers keep teaching. Sure, one or two people might lose their jobs, but the school keeps moving forward. Or, rather, the raft makes it through the rapids. Those who survived climb back on board, a few new people replace those who didn’t make it, and then they start rowing for the next category 5 rapids.

What does this say about security? Is it more cost effective to just let everything slide, address it after the fact, and drive on without overthinking the situation? If you secure just a few assets really well, will you be able to weather the storm?

Then I start thinking about businesses. How many have closed their doors because of security incidents? A few SOHOs and SMBs, maybe, because they sustained too much loss of revenue due to downtime? Is it really cost effective to address security when you can just go bankrupt and start a new business? Does security only make sense for government and big business?

It kind of makes you feel like picking up a paddle, joining the revellers’ cheering, and stroking for the next set with abandon. Damn the torpedoes, full steam ahead!!! Certainly we’ll get dumped, but it will be fun and we can just climb back in at the end of the ride. Maybe we’ll make it through these or the next set unscratched. Yeeeehaw!!!!

Go forth and do good things,
Cutaway


2 Responses to “EDU: Making It Through The Rapids (a.k.a. Who Needs Security?)”

  1. I believe the reason no educational organizations have shut down is because education is a necessity, not a luxury. Even if I have a crappy security policy and nothing to enforce it, people still need to learn and will pay good money to do so. And really, the same goes for a myriad of businesses out there: grocery retailers, clothing retailers, etc. At the end of the day, the business goal trumps any security strategy (unless the security strategy directly impacts the business goal). So sell your strategy to enforce/enhance/guarantee the EDU’s business goal and you will make it happen.

  2. Schools don’t maintain support or reputation based on the security of their product or data like a business does; they maintain their support and reputation by their teaching, research, and the quality of students they turn out. It also helps that most schools are generally “not for profit” (I realize that isn’t totally true, but I wouldn’t equate a college to a big business in yearly income goals), unlike most businesses, which have to 1) maintain and sell a product or service and 2) maintain customer trust.

    Most people could care less if that school network is infested with trojans or backdoors or open to the world until all the student data is for sale on the internet. Then you may get an article on CNN or SecurityFocus, but that quickly fades into all the other articles with the same story. Those kinds of incidents are really only important to the people whose data was lost or stolen, not everyone else. Kind of like violent crime if you live in a semi-big city. Do you really take much notice of the guy that got mugged or robbed? Probably not, unless you know them or it was around the corner from you. It’s so commonplace now, it just blurs into all the other noise of life.

    Besides, is the whole student population going to pull out of University X if the network admin is an idiot and lets the school get owned? Probably not. People will gripe, maybe a lawsuit will get filed, and it will fade into all the other tons of similar occurrences. Sad, really; the only people that really care about security are people that do security every day, oh, and the people whose data or PII get stolen, and they only care because it affects them personally. As long as they can check email, most people could care less about any of that “security stuff”.