Security failures part 2
Change, some like it some hate it. People in the security field are open minded when it comes down to change. We're used to it, but we should question it just like we question many other things in our personal and professional life. I wonder why we still need to change hardware every 3 to 5 years not taking into account the overpriced support contracts.
Many companies apply this policy and even worse, when time has come they even think it is a good idea to change vendor for replacing their important firewalls. Imagine you apply that strategy on your file servers?
You've been running Windows as your favourite OS to provide the fileservers in your company, after 3 years you decide to replace the hardware but at the same time you think it would be wise to shift to a samba solution because your service partner says it has extra features and lower cost. And you tell you're admins well guys from next week on you'll be migrating our data to these new servers and you keep up with the management of it.
I wonder how your staff will reflect and react on that!
For some odd reason it happens all the time in perimeter security field. I've been involved in numerous projects where we think it would be wise to replace a Cisco firewall (change vendor by the one you most like) with a Checkpoint(change vendor by the one you least like) one or vice versa. And if those admins are lucky they get a training course to explain them the basics. For me it sounds like suicide, for management it sounds like a plan.
The security risks in this approach are important but neglected, never seen them in an audit report either.
Some car manufacturers provide 7 years of warranty, it seems something impossible for the IT sector at present. Of course exceptions exist, some firewalls/routers/appliance run continuously under heavy duty but a lot of them are not.