general insights, security context, and learning from mistakes

Two general lessons in infosecurity came past in articles via infosecnews today. These will sound familiar, since I'm sure I mention them often, but I'm feeling particularly introspective this week (usually this happens in the autumn; I'm a little early this year) and am getting back to simpler basics in life and thought for a bit.

Federal Air Marshal Service BlackBerry Enterprise Servers are behind on patches. First, welcome to the real world, and good job raising the issue of missing patches. Second, how big of a deal is this? For instance, are they BES patches, or Windows patches on a system that can't be reached via the vulnerable ports (or the monthly critical IE patches)? In one case I care; in the other, it's less of a problem. This illustrates how contextual so much of infosecurity is, and how easily non-technical (or technical yet misguided) people can warp efforts and perceptions. This is why checklists and scores can be a hindrance.

Hacked cybersecurity firm HBGary storms back after ridicule fades. This is a neat story, and I'm not entirely surprised by the results, considering the drama occurred in a separate sister company. But it does illustrate that we learn from mistakes, and our security will improve after insecurity incidents. At least, we hope so. I think this is still hard in an institutionalized large enterprise, though (e.g. how much will Sony truly improve versus an HBGary?). Of course, there are many lessons here: if you sell security, make sure you practice what you preach; know your threats even as they change; know what security incidents may impact your company and how they will be felt; and so on.