A philosophical/existential approach to information security


How do you sleep at night?

is what I often hear when people ask me about how complex things have become with cyber-security. Indeed, things have become more complicated; yet we can’t just not use computers because staying safe is more complicated.

So I thought I’d document a few ideas I have had about this that may be helpful:

1. Don’t ever be fooled into thinking you are in control. I have long believed that a lot goes on on networks that people do not know about. The reality: there is no practical way to control everything.
2. Awareness and education are half the battle. The more your users are informed about risks and how to react to a situation, the easier things will be.
3. Be a quick follower, not on the bleeding edge. Being on the bleeding edge is expensive and gives a false sense of security (I have the “best tools” tuned to the “latest attacks” – so what!? There’s about a million new ones about to hit you). Conversely, not keeping up with the basics is the equivalent of leaving your home’s front door open with a neon sign letting people know when you are out. Just stay on top of patches and basic safety measures/controls.
4. Understand your “attractiveness”. Why would someone else be interested in your information/computers/network? Can they make money, get bragging rights, use your infrastructure as a relay to have bad deeds attributed to you? Whatever it is, be aware of it and act accordingly: if something is of low value, don’t try to protect it with national defense grade controls.
5. Don’t put too much value in perimeters, but rather focus on partitions/zones. I was never able to find the source of the following statement about firewalls (which incidentally explains how I feel about perimeter based approaches):

firewalls make your infrastructure crunchy on the outside and chewy on the inside.

Instead, focus on zones/partitions and require that “participants” (humans or machines) be able to prove their credentials at any/all times.

Open for comments…
