I wanted to repost this funny blurb from Marcus Ranum in the latest Information Security issue. As usual, the high point of the mag is the Ranum/Schneier point-counterpoint piece.
1995) install firewalls
1996) punch big holes through them
1997) announce “firewalls are dead”
1998) install intrusion detection systems
1999) turn off all the signatures
2000) announce “intrusion detection is the pet rock of computer security”
2001) install log aggregation systems
2002) ignore them
2003) complain that intrusion detection still doesn’t work
2004) worry about data leaking from the network
2005–2010) give employees mobile devices
2006–2010) give employees direct-from-desktop Internet publication capability via Facebook, Twitter, etc.
2010) give employees control of their own IT—when is it all going to sink in?
Their topic was the widening role of consumerland devices and technologies being pushed into the enterprise, while security managers freak out. The realistic point is this is how change is made, and if your company doesn’t stay on top of new tech, someone else will. Sure, your risk will go up, but it’s a corporate decision and often the best we can do is educate management on the risks/costs, educate users, detect issues quickly, and responder efficiently when they do happen. Rather than lean on the brake as in Ranum’s excellent parting analogy. Still, even being aware of all this new tech is difficult, let alone trying to tackle the security of it…
Linked by Anton for an unrelated thing.