BreachExchange mailing list archives
Article: An Inconvenient Lack of Truth
From: lyger <lyger () attrition org>
Date: Fri, 4 Apr 2008 22:27:48 +0000 (UTC)
http://www.darkreading.com/document.asp?doc_id=150276&WT.svl=column2_1 When I graduated the University of Colorado with a history degree, I was fairly certain it would only be marginally more useful to my security career than my unofficial minor in molecular biology. Sure, I'd get to mix in analogies about the Maginot line and antibodies, but you can't swing a dead PowerPoint without hitting those two. As with many things in life, I was wrong. When I began my career in information security, I never imagined we would end up in a world where we have as much need for historians and investigative journalists as we do technical professionals. It's a world where the good guys refuse to share either their successes or failures unless compelled by law. It's a world where we have plenty of information on tools and technologies, but no context in which to make informed risk decisions on how to use them. [.] While we have no shortage of breaches, we face a dearth of good information. I've spent countless hours combing through every piece of public information on breaches, both major and minor, to determine consistencies, root causes, and effective defensive techniques. I've learned how we learned exactly the wrong lesson from the breach at Egghead.com. I've learned how the failures at ChoicePoint were a business decision (that the CEO lied about on record), not a technology failure. I've learned how all the statistics we use are wrong, and are desperately manipulated by the vendor community to sell us products we sometimes need, and often don't. My research leads to some conclusions that may be unsurprising, but often ignored: [...] _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml
Current thread:
- Article: An Inconvenient Lack of Truth lyger (Apr 04)