This was from a post I did on another blog at (http://feeds.feedburner.com/~r/Riskanalysis/~3/173775219/):
The lesson I have taken from history is that in the beginning security was real and tangible. Systems were in essence static and well defined boundaries with known inputs and outputs. If you wanted to use a mainframe in the 1970's you pretty much had to be hard wired into the system to access it. (Rare cases of dial-in which we all remember Capt Jack and the War-Dialers; which focused on long distance calling)
We are all stuck with management that grew up in that 1970's Era and who still thinks in those terms that information processing systems can still be defined, managed, and controlled. Let's face facts folks; most of us are subordinate in our organizations and rightfully so. We, the security practitioner, serve the greater good of our respective organizations. So we will always be in some form of conflict to whom we serve because of blissful ignorance, incompetence, and funding.
But let's look at the core driver in all this mess. That being change. Without change security is possible because all the known variables can be accounted for and performance can be tracked and reported with real confidence. Over the past 30 years the rate of change has increased at an exponentially faster rate. The time that a information processing system used to input and output data and the amount of data compared to what is possible today are night and day. Another way to put it would be the transformation of war from static Napoleonic warfare with fixed positions, static lines, and Aristocratic rules of engagement to what we see on the streets of Bagdad (Urban Gorilla Warfare).
So it is impossible, unless we all collectively agree to step back in time, to say that anything is secure. We are not g@ds who can see all things all the time. We are but men (and women folk) who only know what we know and are faced with the daily challenge of managing change. Those changes are forced by people who do not understand themselves, the changes they make, or the very technology they control. What makes this dangerous for us all living in an open and free society (USA) is that we are all connected now in some way and that the culture of indifference to one another and to just being responsible means that most of the management I have been exposed to doesn't want to be enlightened. They want to punch the clock, make the next bonus, and go home to an empty and meaningless life.
I write this with the conviction that if those in power, not us, truly understood even the concept of change/risk management we would not be having this discussion because folks would be taking systems offline faster than a car goes around the Indianapolis 500 track.
Fore these are the folks who ask "What do you mean I can't send company/government data to my Yahoo/Google/Hotmail account?" with the rational that "It's my email account and I have a good password so it's "secure" from other people getting to it" while exposing the organization to loss of confidentiality because the financial expense reports for 3000 employees just got broadcast over the internet (Which BTW breached privacy as bank account information could be included in expense reports for reimbursement.)
I used to believe in technology and had faith that people were essentially "good" but have come to a place where I see time and time again that people aren't "good" (which is not to say they are evil) but that most of the population is blindingly ignorant of even the most basic things and that compounding that blindness is the culture of indifference which dooms us all to a never ending cycle of pain (Hamster wheel of Pain). I also don't believe in technology as the "silver bullet" because who drives technology; Management Marketing type folks who sell, over promise, and under deliver. Always pushing developers and engineers to deliver half baked products because the "vision" is never in line with the reality. No one can honestly say that a single product out of the box can effectively manage the core issue without significant overhead and investment in tuning the product to environment.
Bottom line: There is no silver solution anywhere, just lead shot, and we are using slings when what we really need is semi-automatics. To truly solve the problem of "security" within the information processing world is to say that change stops now; which is impossible. To truly solve the problem of security we don't need to continue to escalate the "logical arms race" with better and better technology because that cycle feeds itself with attack v counter-attack; we need to transform the expectations of the people we serve.
By making the world understand that if you want to continue the culture of instant everything while paying next to nothing, from a dollars and sense perspective, that you choose to give up something far more valuable than mere money; you give up your ability of choice. So unless we slow down, accept less convenience, and choose to understand our world a bit more we are all exposed, vulnerable, and essentially naked to anyone who seeks to do us harm. Hence those of us who ride out (in our office chairs) keeping watch will be forever shackled to the hamster wheel of pain.
V/r PZ
No comments:
Post a Comment