RE: Seeking your Opinion, Are 1/3 of security practices worthless?
Topic: Technology 1:26 pm EST, Feb 18, 2008

Tsudohnimh wrote:
Interesting article describing a talk given by "Peter Tippett-- who is vice president of risk intelligence for Verizon Business, chief scientist at ICSA Labs, and the inventor of the program that became Norton AntiVirus -- said that about one third of today's security practices are based on outmoded or outdated concepts that don't apply to today's computing environments."

Tippett uses several analogies concerning outdated vuln research and disclosure and the discarding of hackable technologies. On the surface this sounds good but I'm curious to hear the opinion of some of the security professionals in Memestreams.

Is he entirely off base? Does he make some valid points? Are his analogies far fetched?

I'd love to hear what you think.

Perennially, some self-promoter, often a well-credentialed and widely respected person, but a self-promoter nonetheless, will stand up and claim that everything that everyone in the information security industry is doing is wrong and it all needs to change. These people are frequently discussed here. They usually don't have anything constructive to offer. I do my best to debunk them when they come up but people seem to want to hold onto these things. It's a bit like the fair tax... People want to feel like they are privy to a different perspective which offers easy answers to complicated problems and they don't want to hear that life isn't that simple.

As for this collection of points, you can rest assured that patch management people are more concerned about vulnerabilities that might actually be exploited than they are about issues that are esoteric, and scoring systems like CVSS take this into account. Is he proposing a change to that scoring system? No, we're on to another topic.

I'm not sure that I follow his point about passwords. You have to have them. I've always advocated proactive cracking instead of policies about length because that gets you closer to the actual threat you are combating. Rules about length are just an approximation. Does he explain what he thinks people should do instead? No, we're on to another topic.

I agree with his point about imperfect solutions still being helpful, and the analogy about seatbelts is a good one, but show me a perfect security solution and I'll quit this job, move to France, and learn to bake bread. He goes on to make an aloof reference to "studies" that show that patch management doesn't reduce the risk of exploitation. What studies? There are no such studies!

At the bottom he offers us his silver bullet: "For example, only 8 percent of companies have enabled their routers to do 'default deny' on inbound traffic."

What a silly comment. They do default deny on their firewalls, where the security policy is manageable, rather than on their routers, which aren't designed as packet filters and only offer that feature as an aside. Firewalls and routers are in fact the same thing. They both have the same basic job (which is to interconnect networks at layer three, and move traffic between them). However, firewalls are heavy on the security feature set (which is why you primarily use them for security functions) and routers are heavy on the routing protocol feature set (which is why you primarily use them for routing). Typically, gateway routers would have a firewall directly behind with no other devices in between.

The only sensible take away from this is that you should do more training. I agree. Most attacks target end user PCs, and people get owned because they do stupid things with their computers, and they aren't aware enough of what their computer should be doing that they hardly notice when they have a malware infection. However, when you've got exploits circulating in legitimate banner ad networks and on popular websites like MySpace, you cannot rely on education alone.

Perhaps there was more substance to this rant and it all got culled out by the reporter. I'm willing to hold off on final judgement absent actually seeing the talk or the powerpoint, but generally speaking, this isn't useful.
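The post above argues for "proactive cracking" over password length rules. The script below is an added example, not code from Decius's post or from the talk it discusses, showing what such an audit looks like and why a length rule is only an approximation of the real threat. Everything in it is constructed for illustration: the account set, the salted SHA-256 scheme (chosen only so the audit runs instantly offline; a real system should use bcrypt, scrypt or Argon2), the wordlist, and the mangling rules.

```python
"""Proactive password audit: dictionary-plus-mangling attack versus a length policy.

Added example. All accounts, salts, hashes and wordlist entries are constructed
for illustration; none come from a real system.
"""
import hashlib
from typing import Dict, Iterator, Optional, Tuple

MIN_LENGTH = 8  # the kind of rule a "length policy" enforces


def hash_password(salt: str, password: str) -> str:
    """Constructed hash scheme: SHA-256(salt || password). Fast by design so the
    audit finishes instantly; a production store should use a slow KDF instead."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed: what the users actually chose. Every one of these satisfies the
# 8-character rule, so a length policy would report no problems at all.
PLAINTEXTS: Dict[str, str] = {
    "alice": "Password1",
    "bob": "Welcome2008",
    "carol": "memestreams!",
    "dave": "xQ7#vL9pR2m",
}

# Constructed credential store: user -> (salt, hash). The auditor only sees this.
ACCOUNTS: Dict[str, Tuple[str, str]] = {
    user: (salt, hash_password(salt, pw))
    for (user, pw), salt in zip(PLAINTEXTS.items(), ("s1", "s2", "s3", "s4"))
}

# Constructed wordlist; in practice a dictionary or a leaked-password corpus.
WORDLIST = ["password", "welcome", "memestreams", "letmein", "qwerty"]


def meets_length_policy(password: str) -> bool:
    return len(password) >= MIN_LENGTH


def mangle(word: str) -> Iterator[str]:
    """Yield the mutations of a dictionary word that users (and crackers) try
    first: case changes plus a short list of common suffixes."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("!", "1", "123", "2008"):
            yield base + suffix
        for digit in range(10):
            yield base + str(digit)


def crack(salt: str, target_hash: str, wordlist) -> Optional[str]:
    """Return the recovered password if any mangled wordlist entry matches."""
    seen = set()
    for word in wordlist:
        for candidate in mangle(word):
            if candidate in seen:
                continue
            seen.add(candidate)
            if hash_password(salt, candidate) == target_hash:
                return candidate
    return None


def policy_vs_cracking() -> Dict[str, Tuple[bool, Optional[str]]]:
    """For each user: (passes the length policy?, password recovered by cracking or None).

    The policy column is computed from the constructed plaintexts purely to show
    the contrast; the cracking column uses only what the credential store holds."""
    return {
        user: (meets_length_policy(PLAINTEXTS[user]), crack(salt, h, WORDLIST))
        for user, (salt, h) in ACCOUNTS.items()
    }


if __name__ == "__main__":
    for user, (policy_ok, recovered) in policy_vs_cracking().items():
        verdict = f"cracked as {recovered!r}" if recovered else "not cracked"
        print(f"{user:6} length-policy={'pass' if policy_ok else 'FAIL'}  audit={verdict}")
```

Three of the four accounts pass the length rule yet fall to a handful of dictionary words with trivial suffixes; only the random one survives. That gap is the argument for auditing against the attack rather than against a proxy for it. Two caveats for real use: run this only against stores you are authorised to audit, and remember that a slow KDF raises the cost of each guess but does not change the ordering of what a cracker tries, so the wordlist-first result still holds.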
