I have not done a philosophical security blog post for a long time – and now I was suddenly inspired to write one while installing – rather, replacing with an HD version – security cameras at my house.
Given the house we have, I can imagine a physical security setup where every possible entrance (including second floor windows) and every camera is in the view of at least one security camera. That will take between 12 and 16 cameras. Coupling this with tamper-proof camera enclosures and protected cables, as well as smartly placed indoor cameras and a couple of hidden devices, one can … waste a lot of money.
Am I doing this? No, I don’t! I just want coverage of common ingress points [into the house] and a degree of assurance that a casual “attacker” (i.e. burglar) will be caught on camera at least once and the images would then be available to the police.
My focus here is a commodity attack, not a targeted one. Making a regular house resistant to dedicated burglar is an impossible affair, and the law of diminishing returns kicks hard – and early (I also have a dog — and not just any dog …)
In any case, why all this? I hear that many organizations developed a sudden, vendor-marketing-infused interest to fight advanced and targeted attacks. But guess what? More than a few of said organizations actually aren’t that good at fighting basic, commodity attacks – and they are NOT improving.
So, it is a free country and it is [in most industries] legal to really suck at infosec / “cyber.” However, I find it highly illogical and, in fact, wasteful, to attempt stopping or detecting an advanced attacker before you managed to succeed with a common one.
Along the same vein, I worry about people who are “concerned about targeted attacks” but lack any ability to tell that “yes, this attack IS in fact targeted” and , moreover, lack moderately effective defenses against opportunistic attacks in the first place.
So, yes, advanced attacks ARE real. Persistent threats ARE real. 0h-day-wielding state-sponsored superhackers ARE real. But, by god, why focus there if you can barely detect a more traditional intrusion, one that utilizes mid-1990s style tools, exploits and tactics!?
Focus on improving your security maturity – not on randomly picking high-maturity tools (like NFT) and practices (like hunting) and then declaring success! Before you buy another “anti-advanced-anything” box, THINK – are you handling the basics well already and, if YES, what is the best direction for improvement from your current position?
Blog posts tagged “philosophical”:
- Critical Vulnerability Kills Again!!!
- Security Essentials? Basics? Fundamentals? Bare Minimum?
- On “Defender’s Advantage”
- Security And/Or/Vs/Not Compliance?
- Bye-bye, Compliance Thinking. Welcome, Military Thinking!
- Security Chasm Illustrated
Read Complimentary Relevant Research
Five Golden Rules for Creating Effective Security Policy
Policy writing is a risk communication exercise that is frequently performed by people who lack the skills needed to create good security...
View Relevant Webinars
Fundamental Principles of Software Asset Management
Whether you've got too much software or not enough, uncontrolled software costs are a drain on your IT department, consuming resources...
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.