Monday, February 20, 2017

Back to basics in information security Proven year after year but apparently unattainable for many

Back to basics in information security Proven year after year but apparently unattainable for many


Im often wrong about many things in life...just ask my wife. However, Im feeling a bit vindicated regarding my long-standing approach to information security: address the basics, minimize your risks.

You see, more and more research is backing up what Ive been saying for over a decade. It what was uncovered in the new Cisco 2015 Annual Security Report. [i.e. "Less than 50 percent of respondents use standard tools such as patching and configuration to help prevent security breaches."...among many other things.]

The new Online Trust Alliance report found the same things.

CyActive had similar findings as well in their new study. ["Some of the worst attacks of this year could have been avoided, saving companies, governments and consumers millions of dollars" ... "Unfortunately, reactive defense remains the common denominator today, despite the overwhelming evidence of reused and recycled components seen in the most notorious attacks."]

The brand-new Trustwave State of Risk Report backs up this reality, and does so every year. [i.e. "60% run external vulnerability scans on critical systems (third-party hosted) less frequently than every quarter. Meanwhile, 18% never perform penetration tests." Ill venture to guess that 80+ percent of organizations are not looking at all of their systems that count...]

The same goes for the Verizon Data Breach Investigations Report.

Ditto for the Chronology of Data Breaches...on a daily basis.

These results combined with what I see in my work and Im even more convinced that if we focused on the basic principles of information security such as the ones I listed here six years ago, what I wrote for SearchSecurity.com in 2004, many of the concepts we learn during CISSP training...not to mention the ones listed in these two publications:
  • Security, Accuracy, and Privacy in Computer Systems, by James Martin (Copyright 1974)
  • Saltzer and Schroeder’s The Protection of Information in Computer Systems (Copyright 1975)

What gives!? Whats it going to take to fix our security problems?

No thanks, Øbama, we dont need your approach to continued government growth thatll fix information security no more than your "healthcare" law has fixed healthcare.

Im not convinced we need a federal data breach law, either (thanks anyway, American Bankers Association). I believe we have enough laws on the books for now...

What were seeing in information security (i.e. people who ignore the basics and end up perplexed by why bad things keep happening) is not unlike what society does with social issues. Every generation has their own ideas on how to fix the worlds ills (namely passing more laws and redistributing more wealth) but were still not focusing the essentials that have proven to work across generations (i.e. free markets, lower taxes/regulation, coaching people to believe in themselves, etc.) and, thus, the problems continue.

As Jim Rohn once said: Success is easy, but so is neglect.

The title of this recent SC Magazine piece on the subject says we need a new approach. I respectfully disagree. We need discipline.

What we need to fix the security challenges we face are people willing to stop buying into the hype brought forth by vendors and analysts, especially those who stand to make money off of their shiny new products or services - not to mention the self-proclaimed security ninjas and cyber warriors who know everything about security, in their own minds. We then need these people to acknowledge that merely 20 percent of their security vulnerabilities are creating 80 percent of their problems. Finally, we need people who are willing to be leaders and step up do something about these weaknesses....

Otherwise, step aside and let someone else do what needs to be done.

I know its not that difficult. I see plenty of organizations who are successful in security. The problem is that most are not.

As Ayn Rand, author of Atlas Shrugged said, You can avoid reality, but you cannot avoid the consequences of avoiding reality. The time to start recognizing history and learning from other peoples woes is now. Use your power of choice...Dont be a dodger. Confront the issue, fix it, and get this behind you once and for all.

Available link for download

Posted by at
Labels: , , , , , , , , , , , , ,