Thursday, November 23, 2006

More Security Absurdity

Noam Eppel has posted his rebuttal to the commentary from his now legendary (if not infamous) Security Absurdity article. Noam is not apologetic, nor should he be. He states a lot of things that I whole heartedly agree with. Here are a few nuggets from the article...

"Security Professionals are in the best position to create change and that is why we are responsible for this situation."

"I think the security community needs to redefine their definition of success. And I think they need to understand the unique position they are in to improve security and to accept that responsibility."

"In order for Best Practices to be relevant, they need to be attainable, practical, implementable and manageable. Today's security Best Practices are counterintuitive, difficult to implement, quickly outdated by new threats, and are constantly changing....Security is a process to be evaluated on a constant basis. There is nothing that will put you into a "state of security" - no best practice, no security guideline, no security checklist."

My idea of security is that a user should be free to conduct, "normal and common" activities and not have to expect that he/she will be a victim of crime. If a man parks his expensive car in a bad neighborhood in the middle of the night and leaves it unlocked with the windows rolled down and with a $100 bill on the dashboard of the car, then that is irresponsible behavior and it is likely a crime will happen. However, if the man carries out what is considered normal activities - i.e., parks in the daytime on a busy street and locks it with a good security system - then that is normal and common behavior and a crime should not be expected."

The solution won't be easy, but it begins with participation and collaboration between all of the groups involved in security and ends with an Internet that looks much different than today. Each player has a part to play...Software vendors, security vendors, lawmakers, executives and most of all the security practitioners. Ultimately the key to any solution involves the active participation of the security community.


No comments: