I was doing my daily scan of Slashdot this morning when I came across the following article - The Failure of Information Security written by Noam Eppel. Embedded within all that doom and gloom is the following premise - security professionals have failed because our computers and networks are still not “secure.” Noam Eppel has shown us all exactly what is wrong our profession – Noam believes that we can actually achieve security.
Unfortunately, life isn’t that simple.
Secure: free from danger or risk
As every parent knows life is all about risk. No matter how hard you try, no matter what products you buy; your children will still get their share of scrapes, bruises, sniffles, and broken hearts. The wise parent knows that it’s worse to be overprotective than to let the child learn the important lesson behind that bruise – be more careful in the future. Parents understand the fundamental concept that Noam keeps on missing: Life is about living with and managing risk.
“The man who trades freedom for security does not deserve nor will he ever receive either.” -Benjamin Franklin
So as Information Risk Managers our guiding principle is to help our clients manage risk. Do car manufactures make cars that are safe? No. Around 40,000 people die every year in the US in car accidents – yet as a society we have determined that the ability to travel is worth the risk. We as individuals decide every time we get in a car that the reward out ways the risk. Car manufacturers attempt to design cars that are survivable in accidents – they don’t promise that you won’t get hurt.
When consultants sell “security,” clients go about designing applications thinking that the computer and network are “secure” – because security professionals fail to accurately assess and present the risks in basic business language that non-security professionals understand, design decisions that would make the system resilient when exposed to the risk are not made – and then some security professionals choose to blame the business for the "failure".
Web hacks are a great example. How many millions of dollars each year are spent by companies to protect against these “attacks”? How much money was spent by these very same companies to protect their buildings against spray paint? If your web site gets defaced do you really care? Well if you knew the risks up front and designed your web application to protect the customer’s information in spite of the web server being hacked then not really. A simple automated integrity check can trigger a scripted reload of the effected web server kicking out the script kiddy and restoring service – or even redirecting customers to non effected web servers while the reload happens. What can strike fear into the heart of the security consultant more then being replaced by a very small shell script.
Stuff happens. Our job is to help our clients deal with it.
No comments:
Post a Comment