Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Tuesday, February 22, 2005

Superficial Security

Too many organizations deploy security technologies because they feel they have to, yet they often leave them so poorly configured that they do more harm than good.

In a new book, “Business Under Fire: How Israeli Companies are Succeeding in the Face of Terror—-and What We Can Learn from Them,” author Dan Carrison interviewed consultant Danny Halpern, who said, “In Israel, I believe we invest more in the quality of our security people and less in the mechanics.

In America, because of the huge numbers, the investment is in the mechanics—-the system—-and then they hire minimum wage security staff.”  This focus on mechanics has brought us the turf wars between the CIA and FBI, elderly women being forced to remove their shoes at airports and other counterterrorism security nonsense.  Similar nonsense—-the result of merely going through the motions of physical security—-exists in information security.

Security guru Marcus Ranum made this observation to me about poorly configured firewalls and noted that “eventually, if enough data is going back and forth through your firewall, it is no longer a firewall, it’s a router!  Deploying security products without first performing such an assessment is like taking medication without knowing what disease you have.  Effective risk assessment and analysis ensure that your organization is dealing with real threats.  The fact is, the most dangerous threats come from inside, contrary to the widespread perception that they come from the outside.

Hundreds of millions of dollars were wasted on PKI systems because organizations deployed them without understanding what their problem was or what a PKI system could do to solve it.

Too often, organizations go through the mechanics of purchasing and deploying security software and hardware items without knowing why.,1759,1765060,00.asp

Posted on 02/22