11.08.07

We Need A More Flexible Sense Of Ethics In Information Security

By Dan Morrill

One of my greatest mentors in information security is the CISO of a major educational institution; he has served the information security community well, with honor and with distinction over his many years in information security.

So when he opens a conversation with the idea that information security is losing the war, and barely winning any battles, it is time to sit back and think about what he is saying, and to ask whether it can be incorporated into the wider body of information security patterns and practices.

Facing reality is always hard for an industry. We win our individual battles and have our singular victories, but the sad fact of information security is that we have grown hidebound. We have standards and practices that are good in general, and we have a number of really good tools. What we do not have, at least not without a lot of correction from the wider information security community, are those hard, gritty characters who have adopted the motto "Think Evil, Act Good" (TEAG). If you want to see who is winning the information security battles, it is the people who can think like the bad guy: nine times out of ten they build their own tools, they are steeped in risk management, and they think like the bad guy.

The real problem is that they have a flexible sense of ethics, good in some ways, hard to adjust to in others. They know what is hackable because they have already pwned it; they know whether company data is on the internet because they have already Google hacked their own company; they know whether the new software is vulnerable because they have already tested it. It is that flexibility, the whole idea of think evil, act good, that makes for the best security engineers on the planet.


They are also very hard on organizations. They are hard on new technology, new products, and anything else coming into the organization, because they immediately think about how the technology could be used for evil. Trust me, the bad guys are already doing this, and if you are not, then as a security engineer and as a risk management professional you are already behind the power curve. The whole concept of TEAG is that the technology is not inherently evil; it is how that technology can be misused, abused, or misconfigured to do things, or to allow actions, that are inherently risky.

Every day I see new technology, and there are a number of standard tests I run it through when evaluating it. Anything web based gets scanned for vulnerabilities, not just in the underlying OS but in everything I can get my hands on, including the web command interface if it has one. I share the findings with the manufacturer, and I also know that I will not be purchasing that technology, and for some reason I never hear from that manufacturer again. But I know that I have exercised due care and due diligence, and even if the technology is bought anyway, I know how it breaks and can work out a sound risk management plan for it. The company knows what to look for, and knows what the impact is if the new system goes down, gets hacked, or gets compromised.

I know for a fact that many security engineers do not do anything like this with new technology. Many of the security engineers I know are earnest, hardworking people, busy putting out fires every day, who never get the opportunity to see the bigger picture of their organization. Some don't mind, some don't care, and some really want to know but are too busy fighting fires to tie all those fires together and work out what is happening organization wide.

This is where ethics comes into the picture. Many security engineers do not test their own systems beyond the general Nessus scan, so they do not know what is really vulnerable on their network. The bad guys are smart: they will slowly and selectively work out how best to target an organization, from personal e-mails carrying malicious PDFs to social engineering over Facebook about the company. They are everywhere and nowhere to be found, while the security engineers are busy fighting fires, not thinking in terms of risk management, not knowing what the bad guys are up to, let alone whether they are being actively targeted by hackers, scammers, and con artists.

The biggest complaint I hear from business and from security engineers is the same lament from both sides: "they don't understand." Business is busy bypassing IT and IT security because they are too slow, too stodgy, and too much in the way. IT is busy saying no to business because it does not have the time, the skills, or the hardware to make business happen. With commodity computing and everything that entails, from commodity IT support to commodity information security, the times have changed. We need a more flexible sense of ethics to understand the risks involved in what business is doing, and we have got to start winning some of the battles.

The best security engineers are those who can look at a system and understand how it works, not those tied to policy, secrecy, or standards and practices. The ones who do best are flexible in their beliefs, and are able to ask and answer whether a piece of software is too risky for the company, or how it can be made less risky. So maybe it is time for a more flexible sense of ethics in information security, because the best security engineers I know already think like the bad guy, but know where to draw the line and act like the good guy.

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.

About SysAdminNews
SysAdminNews is a collection of articles, news and commentary designed to keep system administrators informed about the latest trends impacting their profession.

-- SysAdminNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2007 iEntry, Inc. All Rights Reserved
