I was flipping through my free copy of Information Security magazine (September 2006) and stopped to read through the “face-off” between Ranum and Schneier. Although I am not sure they were actually disagreeing on anything, they did bring up some good points – mostly that we are far less secure than we think we are, that “critical” or “strategic” software is here and a part of our critical infrastructure, and that there are far more methods of attacking and controlling this infrastructure than people realize.
Ranum states, “My guess is that if it were possible to even understand the situation, most of us would be terrified…” and Schneier furthers these thoughts by noting, “I’m actually amazed that backdoors secretly added by the CIA/NSA, MI5, the Chinese, Mossad and others don’t conflict with each other.”
Frankly, I am amazed that there is far less attention paid to the future use of digital assets as legitimate military or terrorist targets. If people understood how reliant our society is on technology, especially the software-driven, digitally connected variety, they would be as “terrified” as Ranum is.
Paranoia hasn’t served us well, though – anyone still have a nuclear bunker in their backyard from the ’50s? Is a Digital Pearl Harbor a little outside the realm of reality? Does it really matter for consumers and corporations to give it a second thought?
In the end there is very little most of us can do against the threat of state-sponsored cyber attacks or digital terrorism, but the goal of security is not to prevent all bad things from happening; that is an unachievable goal! The goal of security is to limit the potential for a successful attack and, when one does occur, to limit its impact on your environment. Defense in depth, segmentation and virtualization, security throughout the incident life-cycle, building more secure applications with fewer vulnerabilities, and doing all the things we are supposed to be doing as part of essential IT security best practices is the best we can hope to do. So then why aren’t you? At the very least, ask yourself: how much visibility and control do we have over our environment? (btw – “visibility and control” is widely misused by the vendor community, as are most terms marketing folks use – not my fault)