Showing posts with label Security Twits. Show all posts

Thursday, May 1, 2008

Defense in Depth?

Thomas Ptacek recently opined on Twitter:

"Defense in depth is one of the great bills of goods the security industry has sold IT."

As you can imagine, this led to a lively discussion among the Security Twits- a respected member of the security community (and really smart guy) attacks a fundamental tenet of security.  At first I thought he had simply been working too long and hard and had lost it, but then I saw the key word in his pronouncement:

"sold"

Ah, this angle works for me.  As an under-funded small-business IT guy (a redundant statement, I know) I have always relied on defense in depth, and built it into any system I could.  Don't get me wrong, I paid for some of the depth, but I did not buy defense in depth.  The layers have to make sense and work together.

Another angle which works is more theoretical. If we had fundamentally secure systems to begin with we wouldn't need (or have) an entire enormous industry dedicated to selling bandages for mortally wounded systems.

Wouldn't that be nice?  We could have yet another discussion about that, but that would be beating a horse which is not only dead but already processed into gelatin, dog food and glue.

Jack

Monday, April 28, 2008

Your Moment of Zen

With apologies to the Daily Show, I present- your Moment of Zen:

"Your systems are vulnerable and will be compromised"

It may be shocking at first, but it is true and you know it.  You may argue about the definitions of "vulnerable" and "compromised", but that misses the point.  Our systems are vulnerable and will be compromised.  Now what do we do? 

  • Focus on the things you can actually accomplish.
  • Accept that we really do need a "Plan B" (and maybe C, D...)
    • Work on those plans.
  • Prioritize work based on real exposure.
  • Think about risk
    • There are many "deep thinkers" in the Risk field, but start with a little "shallow thought" and work your way up.

I have been thinking about this for a while and a panel discussion at RSA really crystallized the idea for me (and many others).  It is not a new idea, Chris Hoff has expressed it in his move from "Rational Security" to "Rational Survivability".  Mike Rothman's "Pragmatic CSO" includes elements of it.  My belief that moving forward, even incrementally, is better than trying to solve all of the big problems also touches the idea.

Possibly more significant than the agreement of the esteemed panel (Mike Rothman, Ron Woerner, Rich Mogull, David Mortman and Martin McKeay) was the general agreement from the audience.  It has always been true, but now it is OK to accept it- and move on.

Jack

Thursday, April 17, 2008

RSA Security Bloggers Meet-up

Several people have already written about this, so I'll keep it short. I really enjoyed it; I reconnected with some people, met some Internet acquaintances and Security Twits in person for the first time, and met new people, too. I had a great time and I'm already looking forward to the next one.


Thanks again to Jennifer Leggio (Mediaphyter), Martin McKeay, Rich Mogull, Alan Shimel and everyone else who helped make it happen.

Mediaphyter's blog post has a pretty thorough list of attendees; scan it and you'll see why I am not trying to repeat the effort here.

Jack