Saturday, January 30, 2010

Theory != reality in Infosec too

I was reading a nice post from Gunnar Peterson about APTs. His making the point that everybody is excited about this "oh huge threat oh oh" stuff from the Google x China incident but in fact we should be worried about properly engineering the systems we depend on. I like his analogy of blaming the big bad wolf instead of the house of straws.But you know what? I think that my current depressed state has changed my way of thinking about security (or changing my way of thinking about security is making me depressed...). I agree with him that the source of the problems is bad security from the deep of the systems we rely on Today, bad (or no) security design in general. But I just think this is a problem we cannot solve. We can see the same issue on several other disciplines, old design and decisions being perpetuated in a way that causes issues to current stuff. However, revolutionary approaches are not (or are almost never) possible due to the way that economy and society works. The technology evolution is also so fast that it would require too many revolutionary processes to solve the recurrent problem of old decisions based on premises no longer valid causing problems to the current state. We simply cannot afford burning everything to ground and start fresh again. All these things are competing for resources and it would be naive to believe we could just choose to build everything with the perfect design.Gunnar uses the example of the Chicago reconstruction after the great fire. I think it is a great example, but it doesn't fit exactly his intention. It shows that once something out of your control happens and puts everything to the ground, you have the choice to start fresh and with a better design. Now, how many times have you got the opportunity to start something from scratch in IT? Hey, wouldn't it be nice to build an OS with no backward compatibility concerns? Ask Microsoft if they don't dream with that every night! :-)Gunnar is asking for something right that is just not practical. Maybe I'm being too cynic and conformist, and I believe we need people who push us to take those revolutionary roads, but when someone does that is usually the exception and not the norm. Those who are dealing with real life issues need to be pragmatic. Yes, we need to protect our straw houses.What I think is more important from Gunnar's post is this line:"The boring stuff is what's important"That's different from trying to re-design everything. There are lot's of boring stuff that we need to do to protect the straw house :-) My first and main example is access control. IMHO there isn't anything more boring in Infosec than Access Control - access reviews, entitlement reporting, fire IDs, privileged accounts tracking, wow, those things kill me. But I must say that doing those things properly will probably reduce a lot more risk than buying the last pretty-pizza-box-with-blinking-lights. The problem will be finding smart people who enjoy that enough to that properly. Today's biggest challenge in Information Security is to find smart people willing to work with boring stuff.That's my last line from my "back to blogging post". Wow, I've just noticed how much I miss doing. Ok, I'm back :-)

Saturday, January 16, 2010


This is a information security blog, but it's also an opportunity to talk about an important cause. Please, take some time to donate (even one dollar) to the victims of the earthquake at Haiti:

RED CROSS: www.redcross.caWORLD VISION CANADA: www.worldvision.caUNICEF: www.unicef.caSALVATION ARMY: www.salvationarmy.caMÉDECINS SANS FRONTIÈRES: