Greg Young

A member of the Gartner Blog Network

Security Dark Ages

by Greg Young  |  March 25, 2009  |  12 Comments

If you aren’t a student of history, the Dark Ages were not what is thought of as a good time. Things were going downhill, with science and technology being forgotten in the general societal collapse of the early Middle Ages after the decline of the Roman Empire: "sorry, can’t attend the Greek book club because a Visigoth is chewing on my tibia".

Superstition rampant, stepping a few rungs down Maslow’s ladder, the absence of higher learning and basic research... and I am talking about today in ITSEC. Welcome! May you live in awful, interesting and discouraging times.

What makes me think such heretical thoughts?

  • Fellow Gartner analyst Neil MacDonald blogs about the malware hordes here, and we aren’t finding a way to handle the growing .dat and IPS signature lists other than by making small burnt offerings at the idol of Moore. (I am writing this offline as my PC’s eyes have rolled back and it has started speaking in tongues during its increasingly long daily AV scan.)
  • ITSEC is as formalized a profession as that of Carnies. 
  • There are very few post-secondary programs.  Basic research is almost unheard of, and applied research is mostly throwing spaghetti at the wall from vendors. When is the last time you went to a conference and the topic (not from a vendor) was about research being undertaken? 
  • Superstition and myth are rampant.  Today I got an email from a company telling me they don’t know what the Cornflikr worrm will do, but it is a threat and by golly they have products to help me.  Will the witch float or sink?  I always get it mixed up…. 
  • Almost weekly there is a new information breach worse than the week before, and orders of magnitude larger than anything we would have thought up 20 or even 10 years ago. We weren’t naive: these really bad things should not be business as usual.

Let’s hope one day we can sit back and laugh about those really bad times.

12 responses so far

  • 1 dwaynedibbly   March 25, 2009 at 1:34 pm

    By and large I would suggest that the moribund state of the security ‘union’ you describe is symptomatic of a greater lack of enlightenment in the information age as a whole. I am of the opinion that sixty years down the road of information processing technology we are still shaking sticks at the sky and spinning Fortuna’s wheel. Old concepts need to be fundamentally re-understood in our federated, disseminated and forever-stored digital lives. It seems that remaining with our dearly held notions of identity, privacy, legacy, trust, interaction, nationhood and work is like living on a flat earth seeking philosophers’ stones or breathing the rarefied ether. Richer explanations of all are required. My feeling is that until we re-embrace the slogan of the Enlightenment, “sapere aude”, and look at our existence with Cartesian rigour, we can never reinvent the cogito for our age (perhaps “I communicate therefore I am”?) and complete Sun Tzu’s ancient challenge: “if you know the enemy and know yourself you need not fear the results of a hundred battles”. That they are urgent is clear. The danger is that the rehashed myopic authoritarian dogmatic epistemology of the Middle Ages is already casting its shadow anew.

  • 2 Greg Young   March 25, 2009 at 1:54 pm

    Dwayne:

    I think your comment is better than the post :)

  • 3 dwaynedibbly   March 25, 2009 at 3:57 pm

    Oh, thanks, you’re too kind.

    I was just getting inspired. I’ll start free-wheeling with this one. Take privacy as an example. In the olden days privacy was the default. Before we became (as Nathan Barley so eloquently put it) “self-facilitating media nodes” your privacy was almost completely guaranteed unless you chose to realise your message in a broadcast-ready medium and actually set about broadcasting it. Now, however, the situation is almost entirely reversed. Your message on Twitter is a matter of public record, Google’s spiders will hunt down and index your blog, governments will look at the patterns of interactions, and spy satellites and CCTV will look down on you with their electric eyes. If we think that privacy is something worth having (from both traffic and content analysis) then we need to define it as sacrosanct and realise a mechanism for opting in as required, regardless of platform; going off-record should be as universal a transactional requirement as ‘going large’. As I’m sure you know, covert channels exist in every medium you can think of; it’s just a matter of patience until you find it and diligence when you use it. I say don’t keep covert channels a secret, be egalitarian in their use. In the future (maybe) the democratisation of the cult of secrecy will enhance privacy, available to all to choose at will (and not just as a perk of being a govt minister, military personnel and/or (paradoxically) a celebrity).

  • 4 Naithan   March 25, 2009 at 6:04 pm

    The culture of ITSEC has devolved at exactly the same time as use of information via tools has evolved and become an extension of human sociology. The problem with this is that tools cannot compensate for human logic completely, and hence security tools and vendors cannot in essence build the perfect force field from human nature, which by its essence likes to break things as much as it likes to build things.

    We are now in an era where information moves faster than the earth spins in 24 hours and likewise threats evolve just as quick. This is where IT orgs must evolve if they want to survive.

    The typical IT model has to die and security shouldn’t be some siloed practice in charge of security and risk to information.

    Fact of the matter is, the groups that typically have least interest in security for sake of time (application dev and architecture) may end up being the de facto front lines by proxy.

    Say goodbye to the warm comforting feeling of DMZ’s and firewalls.

    The biggest threat to security in IT is still what it was in the dark ages, plain old bad human behavior, human judgment error, and naivety. Then of course the barbarians at the gate waiting to exploit the flaw in the castle builders design.

    Practices > tools

  • 5 Greg Young   March 25, 2009 at 6:17 pm

    Naithan:

    I couldn’t agree more that people are the weakest link. The unavailability of technology is rarely a barrier in ITSec.

  • 6 Greg Young   March 25, 2009 at 6:20 pm

    I am inclined not to try and reinforce that weak link but rather reinforce the strong ones. I think People 3.0 is no more secure than People 1.0, and patching them doesn’t seem to work :)

    I agree that practices are good, provided that they are more than lip service (i.e. real config. control) and often are best when backed with technology (config management tools that can validate the config).

  • 7 Naithan   March 25, 2009 at 6:50 pm

    I think the key Greg is that IT has to understand that it isn’t securing data, it is securing philosophies on use and habits. One thing we have learned with the times is that ANYTHING can be broken, and chances are with time your toys will be broken by someone. Whether on purpose or inadvertently.

    The key to IT sec isn’t becoming a paranoid watchdog, and encrypting the daylights out of everything and requiring multi-billions of factors to authenticate, and dual controls everywhere, because then business can’t get done.

    It’s to build awareness that security is a practice and, as such, the IT security “role” is merely a meeting point more than a spearhead. The IT org must continue to evolve and create security practices in every discipline of IT throughout the org.

    Tools are just the foundation to build on, and yes they are very necessary, but if the house was built with poor materials, then when the storms of intruders come the house will fall at some point. Good news though, the foundation is still there.

    Tools, compliance readiness, controls comprise three walls, but the fourth and most important wall is IT architecture and organization. That has to be built in such a way that it is made for secure practices with dedicated awareness builders for each practice.

    just my humble thoughts anyway.

    great blog, very inspiring.

  • 8 dwaynedibbly   March 25, 2009 at 8:01 pm

    Naithan

    As you rightly attest, people are a perennial problem in ITsec. The challenge is to empower people with the mental models that will best protect them in our changing informational ecology. This is a monumental challenge (as Bruce Schneier gives the examples of the adoption of seatbelts in cars, or cigarettes and cancer, both of which took a significant length of time to turn a new and better model into actual widespread behaviour). We are only just seeing the first generation for whom the internet is a fact of life actually appear in the workplace and, as yet, I see little evidence that people have got wiser. The skew between understanding and ecology has made the opportunities for the exploiters huge (from thieves to FUD merchants to entrail-viewing industry prophets). Unfortunately wandering around blaming the people isn’t the solution, for we are the people. As professionals we need to be exemplars, as Karl Marx has on his tomb: “The philosophers have only interpreted the world in various ways – the point, however, is to change it”.

    Greg

    Re: tools – in the hands of a virtuoso the tools, no matter how limited, will sing (Bob Dylan’s voice for example). I would love to see a personal firewall that self-samples the information locality and amends its rules efficiently, reporting to us only exceptions – I already have one for my other computer (it’s called an immune system).

  • 9 dwaynedibbly   March 25, 2009 at 8:10 pm

    Ouch, just fell off the soap box……..

  • 10 It Doesn’t Matter How Many Raindrops There Are, It is All About How Wet You Get   March 26, 2009 at 8:04 am

    [...] Young of Gartner posted here about the sorry state of security - but is that really the [...]

  • 11 Rob Lewis   March 27, 2009 at 2:35 pm

    Hi Greg,

    We are a vendor that does basic research, and not just in security. Do you really think it matters? No one else seems to.

  • 12 Greg Young   March 29, 2009 at 11:40 pm

    Hi Rob:

    My comment was intended to be about criticizing the absence of basic research outside of that by vendors rather than within it.