Today at SC Magazine I read Gartner's criticism of the latest version of NIST Publication 800-40: Creating a Patch and Vulnerability Management Program (.pdf). Gartner says:
"Security products such as network- and host-based intrusion prevention systems, network and host-based firewalls, and networking devices such as routers can be configured to prevent an attack as a first step prior to deploying the patch, and as an effective response to a critical vulnerability with exploit code in the wild."
I agree with this. Why? It's an expression of defense-in-depth.
To see an example of a group abandoning this security practice, let's hear from the folks at the Jericho Forum. I wrote about them last year. As I said in that post, "individual hosts should be able to defend themselves." However, consider the following description of actions taken by Jericho Forum member BP:
Energy group BP has shifted thousands of its employees off its LAN in an attempt to repel organised cybercriminals.
Rather than rely on a strong network perimeter to secure its systems, BP has decided that these laptops have to be capable of coping with the worst that malicious hackers can throw at it, without relying on a network firewall.
Ken Douglas, technology director of BP, told the UK Technology Innovation & Growth Forum in London on Monday that 18,000 of BP's 85,000 laptops now connect straight to the Internet even when they're in the office.
Are they serious? Is this some sort of Darwin-esque test? If your laptop is tough enough to survive on its own, you'll love working for BP. If your laptop isn't tough enough, well... we can't kill your laptop, so you'll just provide more headaches for the help desk.
I wonder if BP has removed any application proxies they might have employed? If yes, I guess it's back to monitoring traffic the hard way using stand-alone sensors.
How many engineering projects are built such that they consist of one element, and if that element fails, the entire project fails completely?