security articles to make your head spin

Are you looking for a security article that looks like it says a lot, but says nothing at all and ends up just making your eyes spin like that beer you’re going to chug tonight due directly to reading said article? Well, here are four of them in succession! Just like those days in college with back-to-back-to-back-to-back vodka shots!

Over on the Tripwire blog, Pete Herzog guest writes several articles, starting with Three Ways Your Security is Actually Hurting Your Security. The other two articles are the second and third ways, but this one actually tackles: “You don’t know your attack surface.” Ok.

Second is Unbalanced Security is Increasing Your Attack Surface. It doesn’t take Pete long to get into two things. First, pimping OSSTMM. Second, spitting in the face of everyone who actually patches and updates software. He does both here. Oh, and we force in a mention of his own security awareness training event at the end. I’m not sure where security awareness came into this discussion before then.

Next is Security Solutions that Fight for the Same Resources. Honestly, I’m not even going to go over this one. I have no idea what it’s trying to say. But we do stream-of-consciousness our way back to security awareness and his own workshop.

But wait! It’s not just three articles. Despite only one comment on the actual articles, we have this admission: “…we received many questions and comments on what it all means. Questions like: What products do you need to…” Right. So this series continues by not answering these supposed questions with The Meaning of Security Hype. (Ho boy, the irony.) This one is fun, since Pete talks about how bad security marketing is and how it markets product categories to you, like antivirus and antispam and firewalls and web app firewalls (that section is a mess), and antivirus again, and then network monitoring. Never mind the fact that his own standards categorize things.

Now, having read various posts from Herzog over the years, these articles are not surprising. He tries very hard to make sure that analyzing security looks as tough as possible, so big and complicated and broad and fraught with analysis paralysis and the impossibility of getting the right answers that you need something like, oh…ISECOM or OSSTMM, to make sense of it all and formulate an effective security plan. Oh, and yes, they’re Herzog’s products. Go figure. (Speaking of things that make your head spin and cause you to actually get nothing done, go check those out.)