Message-ID: <4146F464.6070201@sdf.lonestar.org>
From: bkfsec at sdf.lonestar.org (Barry Fitzgerald)
Subject: Where is security industry gng??

Geoff Shively wrote:

>Think about it this way, security was once focused on simple solutions
>to solve problems (network architecture with security in mind, device/OS
>hardening, etc). 
>
>Let us recap the history of the industry so that I can set the stage for
>where I think it is headed.
>
>In the last 5-7 years the security problem has grown complex and sheer
>number of threats have skyrocketed, which brought to life an industry of
>complex solutions to a combat a complex problem. IMHO, the wrong way to
>deal with the problem.
>

Well, I'm not going to decry IDS -- IDS can be a very useful portion of 
a network security plan.

The problem with IDS was always that people perceived IDS as being a 
magic box that automatically and exclusively detects intrusions.  Anyone 
who's ever worked with an IDS knows that that couldn't be further from 
the truth.  However, that does not invalidate the data from the IDS.  A 
properly tuned IDS can be very useful.

Having said that, you're entirely right.  There needs to be a renewed 
focus on host-based security and hardening. 

I liken it to this physical analogy (don't you love them? :) ):

Let's say that you have a stove that is necessary for business 
and on some types of this model of stove, there's a bad part that 
continually causes the thing to burst into flames and burn your business 
to the ground.  A solution is needed, right?  Well, there's two 
solutions: fix the part or build a high-tech fire suppressing system.  
Prediction: most businesses will go with the fire suppression system. 

To people like us, the answer is obvious: fix the bloody part and the 
fires will stop occurring! 

But to people who don't know any better or who have a vested interest in 
the use of that part, the fire suppression system is new, high-tech, 
brag-worthy, and solves the problem to their satisfaction.  It doesn't 
matter that it's not the right answer.  It doesn't matter that it 
doesn't actually solve the problem.  It's shiny and highly visible.

We could probably advocate the right solution until the end of the day, 
but the sad fact of the matter is that it probably wouldn't matter in 
the end.

So, where is the security industry going?  Well, who wants to buy a fire 
suppression system? :)

             -Barry

p.s.  Another physical analogy: browsing the web with IE is like doing 
a brothel tour of Amsterdam without a condom.  I love using that one.  :)
