Adeptus-Mechanicus

"Inveniam viam aut faciam" : I will either find a way, or I shall make one


CHICKENS COMING HOME TO ROOST - 2011 EDITION

My views on information security have not been something I have been quiet about in the past, but I was .. intrigued .. yes, that's the right word, by a few articles I read recently. Let me share some of them:

The report adds: "The definition of a successful defense has to change from 'keeping attacks out' to 'sometimes attackers are going to get in; detect them as early as possible and minimize the damage.' Assume your organization might already be compromised and go from there."
Address : <http://www.networkworld.com/news/2011/080811-apt.html>

Why? It's simple - most of the security professionals are tired of being hamstrung by C-level executives and frustrated that their employers are content to be only as secure as the auditor says they have to be. Who in the industry hasn't heard senior management go so far as to say they'd be willing to take the "hits" from fines rather than pour dollars into compliance mandates whose utility is questionable? The mindlessness of using regulatory compliance as an information security ceiling hurts both the ego and sense of professional responsibility of practitioners. One might even go so far as to posit that some could choose to go the Anonymous route as a way to take matters into their own hands.
Address : <https://threatpost.com/en_us/blogs/opinion-are-anonymous-members-forged-crucible-it-compliance-080611>

Indeed the whole "Shady Rat" fiasco reeks of companies relying on under-qualified, incompetent and uneducated security professionals, policies, oversight and management. There is no "but..." - it is what it is: "under-qualified, incompetent, uneducated" *people* - not technology - that are to blame. However, as Sophocles once said "What people believe prevails over the truth."
Address : <https://www.infosecisland.com/blogview/15658-That-Shady-Rat-Was-Only-a-Security-Peer.html>

For so long, information security in business has been more about ass-kissing than doing the right things, that now we define success as - 'we will fail, but that's OK because now we will try to fix it quickly'. Great, although I am glad that the car industry is not allowed to work the same way. And then we wonder why corporate IS staff get frustrated? We wonder why incompetent people are allowed to carry on and even get promoted. I understand there are many and varied reasons and multiple justifications for this state of affairs, but the simple fact of the matter is that we live in the world we have created; what we have now is what we have allowed. The fact that success is now defined as failure with quick recovery is what we have allowed.

There is not too much else to say, except that I hope we enjoy watching the poultry coming home because it is not stopping any time soon.