“What are we going to do?” I asked my new boss.
“You know about ports, right?”
Now there are so many horrible ways to talk about ports that I’ve had to come up with my own less-bad way to say it.
The way things currently work on the Internet, you have addresses and you have ports. If you’re a computer on the Internet, you have an address, just like how computers networked over phone lines had phone numbers. But the address only gets you there. The same computer can serve up Web pages and manage email from the same address, so you need some way of settling, as soon as possible, whether you wanted to talk about email or about the Web. So some years back, purely by convention, we started giving each service a number. Each port number is like a different door into the same computer. If you’re running the right service — a Web server on port 80, an email server on port 25 — then you’ve basically opened a door into that computer. The door may not go anywhere, but it’s there.
“I think I know about ports,” I said.
“Like, how many are there?”
“Really? Only a few major ones. But as many as you’d need. Sixty-five thousand.” Because computers are so super-rational as to be completely insane, they believe that 65535 is actually a nice, round number, because that’s how many ports there are.
“Per protocol,” he added.
I nodded. I’d neglected to remember that there were two major core Internet protocols, and they each have more than sixty-five thousand possible ports.
“But that’s not the problem,” he continued. “Or rather, it is the problem. There are so many machines out there with ports open, people have no idea what’s going on inside their companies.”
“What do you mean?” I asked.
“I mean,” he said, leaning forward, “no one has any fucking idea what is actually going on in their network.”
“How can that be possible?”
“It takes knowing what you’re doing,” he said simply. “It takes time, and money, and attention. You have to pay attention, to see what’s going on. If you don’t see it, it’s like it didn’t happen.”
“But people don’t care that what’s happening could be somebody ripping them off?”
“They don’t care until they hear about it.”
It wasn’t what I was expecting to hear. I figured that someone, somewhere, must have their shit together.
“Firewalls?” I asked.
“Requires you to set up the firewall, then watch it, see what it’s doing. And most people have to set the thing up so open that it’s not doing them any good.”
“I’m very surprised.”
He shrugged. “It’s how the world works. Nobody wants to spend money on something until they know it’s costing them money not to. That’s the problem with selling security. You’re doing your job and all you have to say at the end of your day is, ‘Everything’s okay,’ and that’s not getting you more budget, or a raise, or anything. You only get attention when everything’s so fucked up it’s your ass on the line and you’d better get things sorted out right now or you’re done. After that, you go back to a boring life of telling people things are okay, even if you’re pretty sure they’re not — they’re just not on fire.”
“Sounds about right,” I admitted.
“That’s what people usually think when they hear this is a security company. They think we sell security, when nothing close to that could be the case.” He narrowed his eyes. “What do you think we sell?”
“Risk management,” I said.
“Exactly. We don’t tell people we will make them secure, because who wants that responsibility. We sell risk management. You know what we’ve been doing with all the security consultants?”
“I could say ‘security consulting,’ but—”
“Yeah. So we started out as a security consulting firm, information security. We were bought by this big company, Kroll-O’Gara, at the start of the year. They’re trying to make a big play to be a big security vendor. We’re using our contacts to do a bunch of security consulting for many different companies so that we can identify what problems these people are having, what’s consistent across them, so that we can sell them a solution — or make a solution we can sell them, more like.”
“So how many of these consulting gigs have you done so far?”
“Many. And we’ve learned a couple of things. Like, people have no idea what their network is actually doing. When they do know, they have no idea how bad an idea it was to do what they were doing.”
“So you’re talking about a way to help them manage the risk of doing what they’re doing.”
He told me a couple of stories to illustrate his point. Here’s one that I both believe to be true and think I can share.