Wednesday, February 24, 2010
Sure, it is THAT easy!
Two posts in a day...I'm probably sick or something like that :-)I was reading an interesting article by Bill Brenner on CSO Online, "Five Security Missteps Made in the Name of Compliance". Although I don't disagree with what is listed as missteps (in fact I think they are quite correct), something in the last paragraph caught my eye:"The best advice against all these missteps, experts said, is to simply slow down and take careful stock of where the company's greatest risks are. From there, companies need to take careful study of the security tools available to them and figure out before buying them if compatibility with the rest of the network will be an issue."Sure, it is THAT easy! Honestly, he just listed some of the hardest things to do in security. Ok, he is not saying that it's easy, but c'mon! Can you really say that in your business environment you have the option to "simply slow down"? i would love to, but that's something that is not always possible to do. just like checking "where the company's greatest risks are". This one is huge. And I must say that my perception about organization-wide risk assessments is ETI - Expensive, Time consuming and Ineffective. So, you'll have an idea of where those big risks are coming from, not a "careful stock of". There's too much uncertainty ou there and it's better to live knowing that there's a lot of things you don't know instead of dying trying to figure them out.You can conduct careful studies of the tools available, but the "corporate truth" is that in a lot of occasions you will simply work to deploy something that someone else bought or will have to deal with things that are not best of breed because they were part of a bigger deal/suite or simply cheaper. Finally, on checking compatibility with your network before buying, you'll only succeed 100% on that if you run a PoC in your entire environment...I mean, almost never. You'll have to deal with surprises during the implementation. Yes, you can avoid buying Unix stuff to run on Windows boxes, but in big organizations the number of combinations of hardware, OS, middleware, applications AND bizarre settings is incredibly high. Be prepared to deal with those surprises.The point is, Bill is right about the mistakes, but I think he is to optimistic about how to prevent them. Some of them are simply what we need to pay for working in this crazy field. Looking back they will look like mistakes, but most of the times we simply cannot do anything better than that. As I like to say, "it's acceptable to do stupid things, as longs as it is not for stupid reasons".
Posted by Augusto Barros at 1:02 AM