Tuesday, October 28, 2014

A Security Homily

A compendium of great security statements:

Security is nigh on impossible. It is extremely difficult to stop a determined adversary. Often the best you can do is discourage them, and perhaps minimize the consequences when they do attack. Why does this statement ring true? Because most people assume everything is secure until they are given strong evidence to the contrary, which is exactly backwards from a reasonable approach. The confidence people have in security is inversely proportional to how much they know about it. If you are not running scared, you have bad security or a bad security product.

People lacking imagination, skepticism, and a sense of humor should not work in the security field. If you focus mostly on the threats, you are probably in trouble. And we always forget that low-tech attacks work, even against high-tech devices and systems. We know that people and organizations cannot keep secrets. The insider threat from careless or complacent workers exceeds the threat from malicious insiders, though the latter is not negligible. In the end, it all boils down to this: the problem with common sense is that it is not all that common.

Do we have any hope of winning the battle for good security and acceptable privacy?

Thursday, October 16, 2014

In the Beginning...

What My Career in Information Security Has Taught Me

  • Every member of the online world is responsible for security of the whole.
  • Do no harm; never use a computer to harm others.
  • Do the basic things perfectly; you have a ton of room to screw up the hard things.
  • Protect critical data; everything else will take care of itself.
  • Never assume you aren’t a target; crimes of opportunity occur in cyberspace too.
  • Geography has nothing to do with your attack possibilities; connectivity and bandwidth do.
  • Once you put something in cyberspace, it is there forever, even if you thought you deleted it.
  • Any new security tool will introduce new vulnerabilities; factor this into the analysis.
  • Good authentication is hard and passwords are not an effective authentication tool.
  • Live by example; never ask someone to do something you aren’t willing to do for security.