Wednesday, November 9, 2011

Is the sky really falling on the security world?

One has to wonder whether this is the year when someone mentions security and we get a collective guffaw, or whether people are truly starting to pay real attention. I like to believe the latter, but then I see an article from Dark Reading on an Ernst & Young report, "Security is Still an Afterthought...", and I am not sure. Certainly attention in the media can be a good thing in that it should get people thinking. I certainly start thinking when I see news of breaches, attacks or vulnerabilities: "Do I have to worry about my environments?", "Is this an opportunity to share knowledge?" or "Is this an opportunity to look at a system differently?". Part of the issue I have with the coverage, though, is that there is usually a sensationalist article, "<insert technology here> is Broken", that gets mainstream attention, and explaining the real story to people then takes a lot of time.

Experience has taught me that it is not always a case of technology being broken. Granted, we have had those cases, but generally speaking what we have seen lately is not technology being broken but technology being poorly leveraged or poorly implemented. Let's take some examples:

- The RSA breach: Why was it as bad as it was? Well, someone had left critical data on a networked computer. Is the RSA two-factor solution a bad technology - NO! Did the implementation of their infrastructure have some fundamental design/implementation issues - YES.
- The Comodo attack: Is PKI a broken technology - NO! Did Comodo miss some fundamental implementation rules by not having strong multi-factor authentication for their RAs and not having back-end checking for domain use during issuance - It certainly looks like it.
- BEAST: Is SSL/TLS a bad technical specification - fundamentally NO! Have the browser, server and other vendors that leverage SSL/TLS done a good enough job of keeping abreast of updates based on enhancements to the specification - obviously NOT!

So what do we learn from this? Yes, we do need to pay attention to the press, whether it be a trusted blogger or a trusted news source. The data they deliver, though, is only one piece of the picture, so we need to take that data, add to it and then assess what it means in our personal, corporate or organizational context.

It is an old adage, but it is not just about technology - you need to consider the people and process around it. That includes education, policy, implementation and all the other elements that make up a good security plan.

So CL, you are safe - the sky is not falling - but make sure you are looking all around you and not just up; problems can come from any direction.
