dan morrill on ethics in information security

I’ve been so terribly busy these past few weeks that I’ve not been able to keep up much with the blogs and news out there! However, one article I am very glad to have gotten to is a quick read from Dan Morrill that touches so many pain/pressure points for our industry. Need a conversation-starter with your fellow geeks? Pick a paragraph from this post and start yammering. Basically, this post is our life in a nutshell right now.

My only concern is how we actually can win battles. I should define that in this case I consider the enemy to be the attackers. The only way we can truly win against them is to catch them in the act and shut them down. Defending against their attacks is nothing more than being a hockey goalie slapping away on-goal shots. We’re not often allowed to cross the center line and delve into the attacker’s territory, at least not with the blessing of our organization, unless we happen to work for law enforcement.

Of course, one can attack this position by modifying my definition of who the enemy is. If our battle is against the attacks, we certainly can win battles, many of them, and make progress. We can limit the attacks that affect us or that make us worry, deflect the ones that we do have to worry about, and detect the ones that make it through our gauntlet of defenses. We win battles every day when a random IP fails to brute-force our SSH server, or a request for scripts/root.exe fails to execute against our web servers.