Having been in the game for a long time, I well remember when security was not taken very seriously and was treated as a minor technical issue. But it's sure getting a lot of attention now. It seems like every day there is a new front-page story and/or lead editorial in a major publication. Today it was Richard Clarke and the WSJ's turn to bang their shoes on the table for cybersecurity. Clarke concludes the Pentagon "is failing in its responsibility to protect the rest of America from Chinese cyberattack."
Clarke also asks, "Since defensive measures such as antivirus software and firewalls appear unable to stop the Chinese penetrations, does the administration have any plan to address these cyberattacks?"
The sad thing, of course, is that the examples he gave - firewalls and antivirus - are what infosec teams spend their money on, and they think this will do anything whatsoever to stop attackers. The infosec technical debt clock is at 16 years (5,675 days to be precise) since the last field-deployed innovation. What attackers do 1995 defenses stop? People who have been asleep since 1995? Unfrozen caveman attacker?
"Your giant Network address translation boxen frighten and confuse me!"
"arrrggghhhhh!!! None of my attacks work on port 80!!!"
Speaking of hitting the snooze bar since 1995, here is a blog I posted last fall that summarizes how far infosec spending is removed from reality.
Reconcile This
I had to check the date to make sure that it wasn't 1995 when I read this: "The survey of IT pros and C-level executives from 450 Fortune 1000 companies -- commissioned by FishNet Security -- also found that 45 percent say firewalls are their priority security purchase, followed by antivirus (39 percent), and authentication (31 percent) and anti-malware tools (31 percent)."
And what threats are these IT pros and C-level execs concerned about? "Nearly 70 percent say mobile computing is the biggest threat to security today, closely followed by social networks (68 percent), and cloud computing platforms (35 percent). Around 65 percent rank mobile computing the top threat in the next two years, and 62 percent say cloud computing will be the biggest threat, bumping social networks."
Let's see, what do mobile computing, social networking, and cloud computing all have in common? Oh yes, they all bypass the firewall's "controls"! How do you reconcile spending on something (firewalls) that does not address any of your top threats? This dichotomy is infosec's biggest problem. We have plenty of good controls and processes to use; what we don't have is enough talent in infosec to integrate them and put them to use.
Infosec has failed to deploy and deliver innovation and improvements at scale, and the headlines are a daily reflection of this.
2011 Mobile Computing = SSL & Firewalls.
Posted by: Alex | June 15, 2011 at 10:20 AM