
We’re secure because…

August 5th, 2005 Posted by D Webber

“…we installed anti-virus.”

“…it’s behind a firewall.”

“…we have an IDS.”

“…we use a VPN.”

“…we finally got PKI to work.”

“…we installed a network intrusion prevention box.”

“…we installed host intrusion prevention software.”

“…it has Common Criteria certification.”

“…the product is from [insert big company name].”

“…the person who built it has a CISSP / CCSP / CISA certification!”

“…it’s encrypted with SSL / 3DES / AES / PGP / other crypto method.”

“…the source code / algorithms / network layout / passwords are kept secret.”

“…it uses two-factor authentication: a username and a password.”

“…it uses two-factor authentication: a smart card / SecureID / some other scheme.”

“…I couldn’t hack into it, so no one else can.”

“…our tiger team couldn’t hack into it.”

“…no vulnerabilities were found by Nessus / Retina / Cybercop / some other tool.”

Does any of this sound familiar? These are all claims we’ve heard over the years in dealing with IT security.

Often the first obstacle in IT security is overcoming what security guru Bruce Schneier calls “security dust”: the myth that security is a matter of buying the right appliance, using the right crypto, or hiring someone with the right letters after their name. Sprinkle enough “security” around and everyone can get back to business.

The thing is, security is part of the business. It’s an ongoing operational activity, like accounting. No one would claim their organization’s finances have been “accounted” and then eliminate the accounting staff. No one would claim that simply buying an accounting package recommended by a consultant solves the “accounting problem” forever.

Yet this is what we see with security: organizations buy products recommended by a salesman or “expert” and then never think about security again… until they get hacked or suffer some other loss, and the whole process starts over.

Like accounting, security is a process, not a product. This may be shocking news, but there’s no product you can buy and no person you can hire that will make your organization’s “security problem” go away. IT security is an ongoing operational process. It needs skilled individuals doing daily tasks, regular evaluation of the processes being used, plus audits and other checks to ensure that no errors have crept in.

Security isn’t a product, but it’s not magic either: it is possible to define policies, create procedures, hire knowledgeable people and find reliable tools to make the ever-evolving process of IT security manageable.

The first step in getting there is to stop believing in security dust.

Derrick Webber, Director
Advosys Consulting Inc.
