Tuesday, November 30, 2010

Defense Has Value

It is quite common to hear "defense is dead" when thinking about information security today. This trite phrase has some truth to it, but it is also off target in some ways.

The idea of defending a single point and being "secure" is definitely dead, though it was really never alive in the first place.

The idea of improving defenses to the point that your network or enterprise is harder than others to attack is a worthwhile effort and remains quite alive.

Work on improving your defenses. Don't stop because a vendor promises a tool that is a "completely new approach". Solomon really was right, even when applied to information security. "There is nothing new under the sun." :)


Are the Threats Really Different?

I am currently watching a webinar about the current Internet threats. One thing that immediately jumps out to me is that it doesn't really seem all that different, just more of the same. We aren't watching actions on the systems with sensitive data sufficiently.

Everyone still wants a silver bullet, a single chokepoint where we can put defenses and relax. While this would be a great thing to have, it doesn't exist and we need to clue in and realize that.

This truth has been around for a long time; we are just now realizing it. It is quite common to hear "perimeter defense doesn't work anymore," but I am not sure it ever really did. It just blocked some low-level threats, which "worked" without really solving the problem. The low-hanging fruit is always going to be the simplest and easiest to pick; what we consider "low-hanging" varies over time. Thus we will always be strengthening things, but it ultimately comes back to the same thing: protecting the systems that have access to sensitive data. The methods will get better over time. Avoid mere vendor hype and realize that this is a fact of our lives in the information security field.

Tuesday, November 23, 2010

Getting People to Think Securely

One of the most enjoyable parts of my previous work for a large airline was working on the security awareness efforts. While it was not as large as I would like, I did get to write up a monthly mini-article/hint/tip and I enjoyed finding ways to use real-life things to help readers be more secure in the things they did.

This did take more time than I think many realized and writing effective communications is often more like creating art than performing an engineering task. Finding the proper "muse" to express a meaningful point in the allowed space is a major challenge.

I would encourage all organizations that do not have any awareness efforts to at least start copying or creating some basic awareness articles. SANS has some great tips as do other sources.

Even small tips helping employees be safe in their own computer use can flow over to the workplace and make everyone more secure!