Dailydave mailing list archives

Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki


From: "Jim O'Gorman" <jim () elwood net>
Date: Fri, 25 Mar 2011 11:45:25 -0500

On Wed, Mar 23, 2011 at 12:17 PM, Michal Zalewski <lcamtuf () coredump cx> wrote:

The real tragedy of infosec is that we simply don't have the tools to
secure large and complex organizations particularly well - not against
governments, but against bored kids with an agenda. Security vendors
are partly to blame for perpetuating a myth that a secure organization
can be built on top of the commercial AV or IDS tools that said
vendors happen to offer. It does not come as a surprise that this model
does not work well, and "the world of cyber" has very little to do
with it.


From my POV, much of this has to do with most models of infosec relying on the
concept of "you don't have to run faster than the bear, you just have to run
faster than the guy next to you". That model may work
against opportunistic criminals that are looking for a good ROI and have no
interest in targeting a specific target, but rather are more focused on
obtaining assets with no concern where those assets come from.

But what do you do when the bear decides you are the pretty one?

Very few programs are built to sustain a targeted attack by any adversary.
And the more determined and funded that adversary is, the worse for the
defender. This might be a kid at home, or a state sponsored "cyber soldier".
Does not really matter. Could unemployment checks to a disgruntled former
employee be considered funding?

It seems like a lot of the more modern defensive models are more similar to
retail's loss management programs than anything else. Yeah you will get
shoplifting, but let's just try to make it the stuff that is not that big of
a deal. Make the important products better protected, and budget for the
shrink that is sure to happen.

Jim
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave