This topic has been buzzing around in my head for a while now, and is finally ready to trickle out. But first, I need to set the stage. (This is going to sound more preachy than I intend, and has also become the unfortunate victim of me being interrupted a couple of times at work and unable to put all of this down coherently…sigh.)
– You are never 100% secure, nor is there any silver bullet device, application, or methodology to security in this information age.
– Technology keeps moving at a fast pace, faster than it takes for any security team to dig solid trenches and fox holes and fortify the hills.
– And it keeps getting more complex, sometimes piling more complexity on top of insecure technologies. Complexity yields less security.
– Just today I read a couple of doom-and-gloom articles by Richard Grimes, one recent and one from a few months ago. He has a point that security is largely lip service until AFTER “the big one.”
– Also some talk about more appropriate consulting and pen-testing from Dan Morrill and Wendy.
– Let’s face it, with so many different technologies, business needs, solutions (in-house and out-house), people, and problems, no two corporate networks are alike. Not even close.
Based on all of this, I am convinced of a number of things. First, we should all continue to share as much information as possible, and keep working at those communication lines. One thing that I don’t think there is enough of is on-site tours and demonstrations. Case studies are one thing, but get me and some buddies in the industry into each other’s NOCs and systems and let’s see first-hand what is working or not working. I would love to see how a company like Boeing manages and works their campus wireless systems. Yes, it might be a security concern to let me know, but as Schneier would say about crypto algorithms, if disclosure hurts it, it’s not secure anyway. Many corps have some excellent processes and setups, but they never get talked about in meaningful ways that can help the rest of us. This is one reason I would love to become a pen-tester, assessor, or consultant…so I can see these solutions and build upon other people’s hard work and loving efforts.
Second, we need to look to securing our own islands first, before we’re going to be able to help with the whole world’s picture. What works for one island may not necessarily work for another island. We need to be aware of that: not only is there no one device or application that can give 100% security, but there is also no such device or application that is appropriate for all environments (something the sales people don’t understand). If we can’t handle the microcosm of our own networks, we have no hope of making sense of the macrocosm of the Internet and the world’s networks. Your island may be the only place you’ll be able to experience a wave of security nirvana…at least for a few moments. Besides, if internally we are unable to quickly show who has access to client XYZ’s data that we are a custodian of, how can we begin to counsel other islands on how they should handle information?
Third, we need to fight the battle of complexity. Technology will move on and keep getting more complex, but many attacks and defenses, and the competencies of security and security professionals, remain grounded in simple basics. We need to keep those basics at the forefront of our minds, and not make the security process so complex that we are all standing high up on rickety scaffolding, using it as our foundation to climb to the clouds. Yes, it can be complex and full of frills and thrills, but never compromise the basics for those complexities.
Yes, security seems like a losing battle, but that is what makes this field exciting, ever-changing, a challenge, and a solid career. 🙂