I have looked for a good example for a real-world security practice that is
misconceived and that also applies to information security. Recently I have
had a chance to read an opinion article that talks about physical security
measures that are put in to protect small populations (read army bases, gated
communities, etc…) and how many of the “traditional” security thinking
is actually hurting them.
The example that was cited, talked specifically about building fences around
such facilities, and their actual and perceived effect.
The real effect of such a “security” fence is very low. These fences can
be easily bypassed with very basic skills and tools.
However, the perceived effect of such fences is incredible. On one hand, the
protected population sees that there is a fence that goes around the entire
perimeter, and immediately think “cool! we are well protected”. They... (more)
This paper has been published in several security conferences during 2011,
and is now being made fully available (as well as a PDF version for
Penetration testing and red-team exercises have been running for years using
the same methodology and techniques. Nevertheless, modern attacks do not
conform to what the industry has been preparing for, and do not utilize the
same tools and techniques employed by such tests. This paper discusses the
different ways that attacks should be emulated, and focuses mainly on data
The ability to “break into” a... (more)
Here’s a common question I get asked a lot: “What technology should I use
to secure my server/network/[some technology]?”
The question is usually presented by someone who’s in charge of
“Security” in an organization. Now, I wouldn’t have had a problem with
this if this was a technician, or a pen-tester of sorts, but I get really
nervous when the CISO/CIO/Security manager is the one asking.
I think that this question is highly inappropriate for two reasons:
You should not be looking for “technology”. Buying a product is not going
to make you more secure or less secure. You should n... (more)
Aha! Can’t believe I managed to avoid the unbelievable hype flood that
swept across the interwebs in the last month. And to think that the last post
(long overdue, I know… had REALLY good reasons for not being able to post
anything) was somewhat oracleish in predicting that this would be the focus
of this year.
Just to set the stage right – we are at a point where I just saw a USA
Today “Money” section front page article on how Google’s engagement
with the NSA post the breach will affect the security vendor market, and a
few VCs were also quoted to the fact that we will be seein... (more)
This is going to be painful, so hold on.
Instead of mumbling short tweets about things I think that suck, I decided to
keep everything in and just formulate a post on it.
This post is a rant. It’s a complicated rant by an “old” guy (my excuse
for cynicism) in the industry who’s had a chance to see a lot going.
Disclaimer: I’m going to give some examples here, real life examples from
my own experience in the security industry. Some are from my consulting days,
some from the vendor days, some from freelance and other gig days. If you
think you are someone who I’m describing here ... (more)