04.30.07
We Don't Need An Information Security Industry
By Dan Morrill

As much as I respect Bruce Schneier, and usually follow what he says with few if any questions, I think what he is missing with his speech in London is the human element.
Humans are flawed, and human creations are flawed, including software/hardware and societies.
LONDON--Outspoken author and security guru Bruce Schneier has questioned the very existence of the security industry, suggesting it merely indicates the willingness of other technology companies to ship insecure software and hardware. Speaking this week at Infosecurity Europe 2007, a leading trade show for the security industry, Schneier said, "the fact this show even exists is a problem. You should not have to come to this show ever." "We shouldn't have to come and find a company to secure our e-mail. E-mail should already be secure. We shouldn't have to buy from somebody to secure our network or servers. Our networks and servers should already be secure." Source: ZDNet
He does have a point: it would be great if we didn't have to purchase security anything, and I could retire. The problem is that we do buy systems that are inherently insecure, or we allow people to do things to systems that make them insecure. We do not yet live in a society or culture where everything that humans come in contact with is prevented from hurting us in one form or another. Computer security is no different. No matter how much stuff we buy, how much we train our users, or how hard we try to develop secure systems, we fail. We fail because we are human, and anything that happens online also carries a human element.
The added factor, though, is that security people are still, more often than not, isolated from the main body of the corporation. The security group's interaction with the rest of the business is often seen as adversarial, and many times it is. I have had projects stopped by security people when those projects would have been perfectly fine using standard security precautions, but the security folks wanted a Faraday cage built around the buildings. Cost effectiveness of zero on that one; the scary part is that the security people we were dealing with were dead honest about it.
We needed to get business done, and the security department set itself in an adversarial role, with no option to negotiate. Business did not happen, and over my career this has been the standard behavior rather than the exception.
Business needs security, but security that is reasonable and appropriate. Unfortunately, the idea of "reasonable and appropriate" is a process that has yet to make it into the security industry in a major way. Not every company needs military-grade information security. Security on a sliding scale, based on what data needs to be protected, from whom, and under what circumstances, is what defines reasonable and appropriate. Given the environment of the internet, there are things that every company needs: anti-virus, anti-spam, and anti-malware scanners are mandatory. From there on, what needs to be done should depend on what needs to be protected. The society of the internet also helps define what is reasonable and appropriate. What threats a company faces, and what is actually happening at its borders, is what defines the threat, which in turn defines reasonable and appropriate.
While I would love to do away with information security, it would be like doing away with the police, firefighters, and ambulance systems. We are the front line keeping our companies safe; we use human-constructed systems against a human-constructed electronic environment. That is what we need to remember: we play a vital role in the internet society, one that would be near impossible to do away with.
About the Author: Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.