- Aftermarket security products are sold to patch over insecure operating systems and applications. They don't work all that well because the signature-based detection and prevention paradigm can be defeated by simple obfuscation or by a custom-developed exploit for which no signature yet exists. It's like retrofitting an airbag with a button to press in case of an accident, rather than designing a strong safety cell and crumple zones into the car. If we did security well at the operating system level, we wouldn't need firewall technology at all; if we did security well at the application level, we wouldn't need antivirus.
- We're not attracting the best and brightest to the work of securing organisations. The kids seem to want to learn to break rather than to build. Maybe we need "drag strips" or hackerspaces for the fast and the furious who want to play.
- We're not good at understanding our target markets, marketing to them, and putting together solutions that work. Why one ISO standard for everybody? Why not separate ISO standards aligned with the risk profiles of SOHO, SMEs, state government, banks, federal government and the military?
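To make the first point concrete, here is an added example (not code from the original post) showing why a byte-pattern signature fails against the crudest possible obfuscation. A toy scanner looks for a constructed marker string; a single-byte XOR "packer" hides that marker from a static scan, and a tiny loader stub restores it at runtime, which is where the same signature matches again. The signature, marker, `STUB` header and key are all invented for illustration.

```python
# Added example: static signature matching versus trivial XOR obfuscation.
# Everything here is constructed for illustration; the "signature" is a
# made-up marker, not a real malware pattern.

# A signature database as a static scanner would keep it: name -> byte pattern.
SIGNATURES = {
    "demo-payload": b"EVIL_PAYLOAD_MARKER",  # constructed marker, not real
}


def scan(blob: bytes) -> list[str]:
    """Return the names of all signatures whose byte pattern occurs in blob."""
    return [name for name, pattern in SIGNATURES.items() if pattern in blob]


def xor_obfuscate(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the simplest packer there is. XOR is its own inverse,
    so the same call decodes. A key of 0 is the identity and hides nothing."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def build_stub(payload: bytes, key: int) -> bytes:
    """Emulate a packed binary: a loader 'stub' (here just a 4-byte header
    plus the key) followed by the XOR-encoded body. The marker is no longer
    present as contiguous bytes anywhere in the result."""
    return b"STUB" + bytes([key]) + xor_obfuscate(payload, key)


def run_stub(blob: bytes) -> bytes:
    """Emulate the loader running: read the key and decode the body back
    into the original payload. This is the state a runtime or behavioural
    inspection would see, as opposed to the on-disk bytes."""
    if not blob.startswith(b"STUB") or len(blob) < 5:
        raise ValueError("not a packed blob produced by build_stub")
    key = blob[4]
    return xor_obfuscate(blob[5:], key)


def demo(key: int = 0x5A) -> tuple[list[str], list[str], bool, list[str]]:
    """Walk through the four states: plain payload scanned, packed payload
    scanned, packed payload unpacked, unpacked payload scanned."""
    payload = b"header bytes ... EVIL_PAYLOAD_MARKER ... trailer bytes"
    plain_hits = scan(payload)            # signature fires on the raw payload
    packed = build_stub(payload, key)
    packed_hits = scan(packed)            # same signature misses the packed form
    recovered = run_stub(packed)
    roundtrip_ok = recovered == payload   # the loader restored it exactly
    post_unpack_hits = scan(recovered)    # scanning what actually runs catches it
    return plain_hits, packed_hits, roundtrip_ok, post_unpack_hits


if __name__ == "__main__":
    plain, packed, ok, after = demo()
    print("static scan of plain payload :", plain)
    print("static scan of packed payload:", packed)
    print("unpack round-trips           :", ok)
    print("scan after unpacking         :", after)
```

The point of the round trip is the one the post makes: the defender's signature is unchanged and still valid, yet a one-byte change to the packer key produces a new file the signature never matches, so the scanner has to look at what executes, not just what is on disk.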
3 comments:
Hi Matthew, I think you have hit the nail right on the head. Our approach to IT has been providing a solution for business and consumers without factoring in security.
Even on those occasions where security is considered, management might consider it an extra overhead that should therefore be dropped from the project in order to save costs.
Could you imagine if Microsoft said it would rebuild the Windows architecture such that it neutralises computer viruses?
I don't see that happening.
From the perspective of someone that's been trying to scrape his way into the industry for some years now, what I've noticed is that it's very much like trying to obtain credit for the very first time.
You can't get credit unless you have credit. In all of my dealings with the community it seems that they just won't 'let me in' until I achieve some sort of status, which defeats the purpose entirely.
I think part of what you're describing, that not enough interested parties are trying to get in, is because the folks at the perimeter won't let them in.
I can speak to that from personal experience.
If we look at this in terms of root cause analysis the obvious answer is that the Internet is built on shaky foundations never intended for the widespread use we're seeing today.
Vendors hawking their wares is nothing more than treating the symptoms.
If we focus on aligning security with business direction and strategy, security happens far, far more seamlessly and things just WORK.
I strongly recommend you look into 'Geekonomics' as well.