We all know that IT security and operations is becoming a more challenging and untenable problem day by day – see “Top 10 Reasons Your Security Program Sucks and Why You Can’t Do Anything About It”. The reality is that we continue to build on top of inherently insecure and fundamentally weak foundations, such as the operating systems and routing infrastructures that power much of the global economy.
We need an alternative to the current computing paradigms that all organizations struggle with.
To economists, the term “Broken Windows” refers to the question that if a shopkeeper pays a glazier to repair a broken window at his store, does this deliver an economic benefit to society? Many people would say yes, because it generates demand for glass and work for the glazier.
Have you ever been witness to the fury of that solid citizen, James Goodfellow, when his incorrigible son has happened to break a pane of glass? If you have been present at this spectacle, certainly you must also have observed that the onlookers, even if there are as many as thirty of them, seem with one accord to offer the unfortunate owner the selfsame consolation: “It’s an ill wind that blows nobody some good. Such accidents keep industry going. Everybody has to make a living. What would become of the glaziers if no one ever broke a window?”
Excerpt from the 1850 essay “That Which is Seen and That Which is Unseen” by Frédéric Bastiat
In the security industry we like to fool ourselves into thinking that we can materially impact an organization’s security posture. We believe that new tools, a new framework, a new regulation, a new school of thought will lift the veil of organizational ignorance and enable us to attain the state of enlightened security practitioner.
But as we trudge through the mud and haste of our increasingly digital lives we embrace the continuity of failure that is security, only we have more of it…more threats, more tools to deal with the threats, more people to deal with the tools, more process to deal with the people, more adoption of technology leading to more threats, which of course leads to more of the same – more fail.
Maybe it is time to stop fooling ourselves and recognize that to move forward we have to know our limitations and start to question the status quo that so many others rely on for their livelihood.
So as you stare out the window, morning cup of coffee in hand, a tear rolling listlessly down toward your chin, and as you’re sitting there pondering what went so terribly wrong, take a moment to reflect on the top 10 reasons your security program sucks and why, no matter how much you kick and scream, it will continue to suck…
From Computer World UK (here)
Black Friday and Cyber Monday have come and gone. Now it’s time for Amrit Wednesday, or Thursday, or Friday—oh, whatever—to pay our industry back for all the dubious cheer it spread in 2009. Believe me, when it comes to this list, it’s much better to give than receive. Here goes:
So apparently the latest version of the Qualys Laws of Vulnerability Report has Qualys jumping to some pretty outrageous claims about how cloud computing – invented by Qualys according to Courtot (insert cute smiley here) – can secure IT more effectively, or allow people to not patch any more, or some such nonsense (thanks to Hoff for the heads up).
Anyway, so the logic flaw goes something like this ->
It has been a while since we had a good old-fashioned, highly publicized, hysteria-inducing, globally distributed, mass-infecting worm. The AV vendors (here) and (here) must be ecstatic that 2009 is really turning out to be the year of the largest security incidents since the beginning of forever, as I predicted it would be back in January (here). Of course, you could make that prediction every year for the next 20-30 years and pretty much experience an 80%+ success rate; it’s like predicting that as social media becomes ubiquitous we will experience more social media related security threats, or that as the economic condition worsens it will drive even more financially motivated cybercrime, buoying an already burgeoning digital black market, or that there will be more high-profile data breaches – all no-brainers.