Wednesday, January 09, 2008

Stephen Northcutt weighs in on security predictions (sort of)!

An interesting and somewhat inciteful posting by Stephen Northcutt, the boss over at the SANS Technical Institute. Instead of doing his own predictions he has "borrowed" others.

I would like to take a chance to comment on some of these:

"Apple Will Gain Significant New Market Share"
While I expect that Apple will gain market share (I know I am hoping to go back to one), I can't see it being huge over the long term. The problem is that the people who are going to Apple are tech-savvy people looking for something better, and I expect will also have a Windows computer around. The problem is the "unwashed masses" don't have the ability to realize that there should be something better than Windows, nor are they prepared to look past the mountains of software available for Windows to make an informed decision to go to a computer system which is easier to use and easier to live with.

Information Centric Security Phase One
I have been trying to convince people to make this shift for years. Unfortunately through whatever fault decison makers aren't prepared to look past security FUD spewed by the security vendors and do a proper risk analysis. I think if you start looking at your information and classifying it you will be drawn to the conclusion that the hard crunchy shell with the soft interior is no longer applicable. The concept of perimiter security was great for its time, but it comes from a day when very little information was available online and the perimiter protected a few machines. But this is a different world, most companies are 100% connected, and all of their crown jewels live on or is accessible from their corporate LANs. The volume of information available via a breach is astronomical compared to when the perimiter security was conceived, and the sensitivity of the data stored on your corporate network is scary. It does not make sense to cast all data with the same brush any longer. Most information generated by the average corporation is mundane...however some of it is critical and the loss of that data can be fatal or at least severely harmful. Doesn't it make a lot of sense to start focusing security on the data and making sure the critical assets are better protected than your mundane information?

"even more paperwork will be devised by the clueless trying to help"
It sure seems the longer I am in security the more this is true. Nowadays it seems we spend more effort checking to see if we are compliant with whatever legislation or standard is sexy this week and less actually getting compliant, or better yet, getting secure! Standards are a wonderful thing to measure against, but the fact is they are a minimum set of controls which are great as a starting point. The fact is they don't represent reality, and they certainly don't represent your environment. We would all be better off if we spent less time doing compliance, and put more effort into doing what makes sense for us!

No comments: