As Bruce Schneier writes on the subject of quarantining potential threats away from regular Internet users, I think it is worth pointing out a big difference between IT diseases and human diseases: we have the code. We have the specifications of the computer.
For closed source, the software maker has the code, which means that diseases or weaknesses can be fixed far more efficiently than any human condition.
For open source it's even better: everyone has the code, which means that everyone can look for a solution to a problem.
That's not to say that every Internet user is a qualified IT physician; it's just to underline that comparing IT with healthcare may not be so promising. Compared to medicine, IT professionals can fix a problem in no time and at no cost. Although IT has its copyright problems, they are nothing compared to those of the pharmaceutical industry. The complete blueprint of the human body and its interactions is still to be drawn. And we can spoil many computers, hours of computing, lines of code and reboots for research without any ethical problem.
Thursday, November 25, 2010
Wednesday, November 10, 2010
Please NO MORE Top 10 Security Measures!
I have a habit of collecting web articles about security measures to apply in specific security situations. Those articles usually have a title like "Top 10 security measures for the administration of XYZ" or "Top 20 vulnerabilities in XYZ servers". And I now have the feeling that presenting a security approach that way is a bad thing.
Let's take a few examples:
- Top 20 OpenSSH Server Best Security Practices
- 5 Things That Will Mess Up Your Backups -- and How to Avoid Them
- Slideshow: The 10 Most Common Database Vulnerabilities
- OWASP Top 10 for 2010
- The 10 dumbest mistakes network managers make
That's a question of risk management (of course) but, setting aside big words like these, you'd simply wonder why there are 5, 10 or 20 top measures and not 2, 6 or 11. The measures in these articles are gathered not to provide a level of security, or a level of security maturity, but to make for a long, publishable list. Whether you should implement only the top 3 measures, or only measures number 2, 4 and 5, is left up to you. Not to mention that you may not implement 2, 4 and 5 in that order but may very well begin with number 4 or 5.
What these articles lack is an identification of the precise risks addressed by these measures and the location of these measures on a security maturity scale.
Let's add an illustration to this (nasty) comment: friends recently asked me to attempt a penetration test of a website they wanted to secure. What I found was:
- easy access to the htpasswd file,
- obvious passwords that John the Ripper guessed in no time, and
- cleartext credentials for accessing the database.
That's not to say that OWASP's work (or that of anyone listed above) is not good. It is, and it is useful if used correctly. It's just to say that I'd prefer to see more articles like "Beginner level: 7 security measures for XYZ servers" or "What to do if XXX is critical for your company: from step 1 to step 4".
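The first two findings above are the kind of thing a site owner can check in minutes, before reaching for any "top N" list. The script below is an added example, not code from the original post: it flags an htpasswd file that sits inside the Apache DocumentRoot (so a plain GET for its path can fetch it unless a `<Files ".ht*">` deny rule protects it) and runs each entry against a tiny wordlist of obvious passwords. The paths, the sample htpasswd lines and the wordlist are all constructed for illustration; the script only implements the `{SHA}` (`htpasswd -s`) and plaintext entry formats and reports `$apr1$` and bcrypt entries as unchecked rather than passing them silently.

```python
"""Added example (not code from the original post): an offline audit for
two of the findings above, a web-reachable htpasswd file and obvious
passwords.  Paths, sample htpasswd entries and wordlist are constructed."""
import base64
import hashlib
import hmac
import posixpath

# Assumed layout: the credential file sits inside DocumentRoot, which is
# how it ends up being served to anyone who asks for its path.
DOCUMENT_ROOT = "/var/www/html"
AUTH_USER_FILE = "/var/www/html/admin/.htpasswd"

# Constructed htpasswd content.  The {SHA} line is `htpasswd -s` output for
# the password "password"; the second is a plaintext entry; the $apr1$ line
# is a placeholder with the right shape, not a real digest.
SAMPLE_HTPASSWD = """\
admin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
webmaster:letmein
dba:$apr1$abcdefgh$0123456789abcdefghijkl
"""

# The kind of wordlist John the Ripper gets through in seconds.
WORDLIST = ["123456", "password", "letmein", "admin", "qwerty"]

# Schemes this script cannot verify without a crypt implementation; they
# are reported as unchecked rather than silently passed.
UNCHECKED_PREFIXES = ("$apr1$", "$2y$", "$2a$", "$2b$")


def is_web_reachable(auth_file, document_root):
    """True when the credential file lives under DocumentRoot, so a plain
    GET for its path reaches it unless a <Files ".ht*"> deny rule exists."""
    auth = posixpath.normpath(auth_file)
    root = posixpath.normpath(document_root)
    return auth == root or auth.startswith(root + "/")


def scheme_of(stored):
    """Name the hashing scheme of one htpasswd password field."""
    if stored.startswith("{SHA}"):
        return "{SHA}"
    for prefix in UNCHECKED_PREFIXES:
        if stored.startswith(prefix):
            return prefix
    return "plain"  # assumption: anything else is a plaintext entry


def password_matches(stored, candidate):
    """Check one candidate against a {SHA} or plaintext field; None when
    the scheme is one this script does not implement."""
    scheme = scheme_of(stored)
    if scheme == "{SHA}":
        digest = hashlib.sha1(candidate.encode()).digest()
        encoded = base64.b64encode(digest).decode()
        return hmac.compare_digest(encoded, stored[len("{SHA}"):])
    if scheme == "plain":
        return hmac.compare_digest(stored, candidate)
    return None


def audit(htpasswd_text, wordlist):
    """Map each user to ("weak", password), ("ok",) or ("unchecked", scheme)."""
    results = {}
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, stored = line.partition(":")
        scheme = scheme_of(stored)
        if scheme not in ("{SHA}", "plain"):
            results[user] = ("unchecked", scheme)
            continue
        hit = next((w for w in wordlist if password_matches(stored, w)), None)
        results[user] = ("weak", hit) if hit is not None else ("ok",)
    return results


if __name__ == "__main__":
    if is_web_reachable(AUTH_USER_FILE, DOCUMENT_ROOT):
        print(f"{AUTH_USER_FILE} is inside {DOCUMENT_ROOT}: move it out of the web root")
    for user, verdict in audit(SAMPLE_HTPASSWD, WORDLIST).items():
        print(user, *verdict)
```

Run as a script it prints the reachability warning and one verdict per user. The two checks deliberately address named risks (credential file disclosure, guessable passwords) rather than a ranked list; for `$apr1$` or bcrypt entries, hand the file to John the Ripper with a real wordlist, and in any case keep `AuthUserFile` outside DocumentRoot.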
Tags: rants, security insights
Tuesday, November 2, 2010
Monthly ITsec Leadership Quotes and Articles: October 2010
A little late (being in love keeps one busy!)
- Incident or Event Management: Keep it simple but real!, on the IT Security and Compliance Thought Leadership blog.
- 25 Sure-fire Ways To Motivate Your Team Members, excellent reminder of the basics for team motivation and good atmosphere.
- Security: Competence Never Compensates for Insecurity, aka Attributes of Leadership #17 on Joyce Schneider's blog.
- [FR] A good security policy reflects the life of the company, by NetASQ's product director Jeremy d’Hoinne, on the future of firewalls, which is to say something other than firewalls: traffic inspection, all-in-one appliances... Nothing new, but I'm glad to hear it from NetASQ.
- Transparency, accountability, and IT success (Michael Krigsman).
- Help! No One Is Following Our Processes! on The Hitch Hiker's Guide to the ITIL Galaxy and Beyond.
- How to Crush Dissent, on Rob Weir's blog.
- Microsoft is a dying consumer brand, on CNNMoney.com, which matches my feeling: in very little time, Microsoft has piled up Vista, Zune, unwanted DRM and Office 2007's frightening GUI, and missed the turn to smartphones and web applications...
- "Companies up and down supply chains in numerous industries confront the same challenge: A well-intentioned individual action or demand aimed at making a business greener can create a long string of unanticipated consequences that collectively dwarf the benefits.", by Hau L. Lee in HBR, October. You could switch greener for any of: more secure, thinner, cheaper, more customer-friendly...
- "Listen, don't broadcast", as a hint for a company's social media strategy, by Larry Kramer, same source.
- "One CEO I know fines people $1 for every e-mail he gets that he didn't need to see.", Rita Gunther McGrath, in HBR Onpoint, Fall 2010.
- "If you think your people won't understand something, remember it's your job to explain it to them.", Stever Robbins, same source.
- "[...] if things aren't going well, the teams are probably well aware of the problems. In fact, they've probably known about them longer than you have.", same author, same source.
- "Most organizations penalize employees for the wrong outcome, even if they follow the right process. Perversely, others are rewarded for the right outcome, even when they flout the rules about process.", same author, same source.
- "[...] the value of clear, honest, explicit communication rises exponentially with the size of the organization.", John Hamm, same source.
- The whole article The Leadership Lessons of Mount Everest, same source, which I can't quote without reprinting it entirely. (Reprint R0109B)
Security ROFL 2
- A gang of thieves armed with a powerful vacuum cleaner that sucks cash from supermarket safes has struck for the 15th time in France.
- Remote Printing to an E-Mail Address: Bruce Schneier notes that it's an opportunity for spammers :-D
- xkcd cartoon: Exploits of a Mom
- Pirated Software Could Bring Down Predator Drones, which would be so funny if it weren't so pathetic.
- Finally, let's not forget a lolcat: Iz ok.. we’re Veeganz.
Firesheep and forcing SSL
All that Firesheep buzz led me to discover a Firefox extension that wraps your web traffic in SSL when the remote site supports it. A very simple, neat idea. (Thanks to NetworkWorld, and thank you Jicé for noticing it first.) One caveat: forcing HTTPS on the client only protects a session if the site actually serves the whole session over HTTPS and marks its session cookie Secure; otherwise the cookie Firesheep is after still travels in the clear on any plain HTTP request.