Full Disclosure mailing list archives

Re: Where is security industry gng??


From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Tue, 14 Sep 2004 09:38:44 -0400

Geoff Shively wrote:

Think about it this way, security was once focused on simple solutions
to solve problems (network architecture with security in mind, device/OS
hardening, etc).
Let us recap the history of the industry so that I can set the stage for
where I think it is headed.

In the last 5-7 years the security problem has grown complex and the sheer
number of threats has skyrocketed, which brought to life an industry of
complex solutions to combat a complex problem. IMHO, the wrong way to
deal with the problem.


Well, I'm not going to decry IDS -- IDS can be a very useful portion of a network security plan.

The problem with IDS was always that people perceived IDS as being a magic box that automatically and exclusively detects intrusions. Anyone who's ever worked with an IDS knows that that couldn't be further from the truth. However, that does not invalidate the data from the IDS. A properly tuned IDS can be very useful.

Having said that, you're entirely right. There needs to be a renewed focus on host-based security and hardening.
I liken it to this physical analogy (don't you love them? :) ):

Let's say that you have a stove that is necessary for business and on some types of this model of stove, there's a bad part that continually causes the thing to burst into flames and burn your business to the ground. A solution is needed, right? Well, there are two solutions: fix the part or build a high-tech fire suppressing system. Prediction: most businesses will go with the fire suppression system. To people like us, the answer is obvious: fix the bloody part and the fires will stop occurring! But to people who don't know any better or who have a vested interest in the use of that part, the fire suppression system is new, high-tech, brag-worthy, and solves the problem to their satisfaction. It doesn't matter that it's not the right answer. It doesn't matter that it doesn't actually solve the problem. It's shiny and highly visible.

We could probably advocate the right solution until the end of the day, but the sad fact of the matter is that it probably wouldn't matter in the end.

So, where is the security industry going? Well, who wants to buy a fire suppression system? :)

            -Barry

p.s. Another physical analogy: browsing the web with IE is like doing a brothel tour of Amsterdam without a condom. I love using that one. :)



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

