Saturday, October 5, 2024

Information Security Fundamentally Broken

In May of 2006 I read an article by Noam Eppel on Security Absurdity, "Why Information Security Is Broken"; the original article can be downloaded here.

Now he has posted his follow-up article, on the community comments to his article, here. The community comments are an enlightening, informative viewpoint into what people are really thinking and really saying about the state of information security. Some of it is very scary to read; some of it is very good to read.

I am a believer that information security as we know it today, and as we practice it today, is fundamentally broken. My article here essentially covered the things that I think could go a long way towards fixing the process and addressing the problem. My beliefs do not an industry make, and I know that there are people with different beliefs, and that is a very good thing.

My belief that information security is fundamentally broken, along with my views on the failure rates that information security accepts, the broken tools that we use, and the idea that we are behind the power curve when it comes to "think like the bad guy, then act good," are well known to readers of my blog. We accept spam; we accept Trojans, viruses, DDoS as extortion, and a host of other things that we deal with on a daily basis. Many do not get information security, nor are they likely to. We operate in our own monoculture, facing the same issues, and our monoculture is in as much danger as any other monoculture out there.

Noam has taken the best responses from his note and called them The Good, the Bad and the Ugly. The Good are folks who know it's broken and are doing what they can at all levels of the organization, and at the state and federal levels. The Bad are those who see an issue as someone else's, as in "if only they had followed best practices." The Ugly are those who refuse to believe that there is a problem, or who stamp on folks who say there is a problem. The ostrich syndrome is alive and well in the Ugly side of the house.

My thoughts on the community feedback, and especially on Noam's presentation of it, are that it shows a fractured industry, one fractured along lines of belief, not lines of fact. We believe that we are doing well because we didn't get hacked this year, and pity the poor company (many companies in 2006) that through some issue lost over 50 million people's personal information in one form or another.

We pity the poor companies in Israel, England, France, Germany, Japan, India, China, the USA, and elsewhere that had confidential information stolen from them through insiders, Trojans, and a host of other intentional security violations or acts of self-interest that cost companies their competitive edge, or in some cases put the company out of business. These are just the ones that made headlines; we will never know the true extent of cyber criminality.

We accept flawed, sometimes deeply flawed, security products as our first and in many cases only line of defense. We accept our monocultures of security products because they make it easier to manage, easier to maintain, easier to train, and easier to shatter once the hacker figures it out.

We accept our certificates and degrees as the ultimate indicator that the security professional has a clue. We look at experience to round that process out, but in many cases (and I have sat through both SANS and CISSP classes) the information is out of date, or talks about things that were happening years ago. It's very hard to keep on top of the security industry; it's akin to quicksand: we sink when we do anything.

I highly recommend that everyone read Noam's community comments; if it does nothing else, it is an interesting viewpoint into the minds of our security community leaders. It's a once-in-a-lifetime opportunity to read the unedited viewpoints that we have as a community. Some of it is sad to read; however, in the grand scheme of things, the openness of our community to talk and address issues gives us all a fighting chance.


Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
