danielmiessler.com | grep understanding: Information Security: The End Of The Wild West

  • Brent Hagany · 3 years ago
    I enjoyed the article, but man, close that emph tag.
  • Daniel · 3 years ago
    Yeah, that thing was killing me. I finally got it fixed. :)
  • brad · 3 years ago
    Definitely a good post.
  • stacksmasher · 3 years ago
    I'm in my 30s and I will have a job till the day I die; the things that are wrong did not happen overnight, so they are going to take a lot longer to fix. Security experts will NEVER be out of work. People who steal from others will always exist; lucky for me they now use a computer instead of a gun.
  • Nolan · 3 years ago
    I agree, the technology will mature. Humanity, however, will remain the same.
  • Richard Bejtlich · 3 years ago
    If security were measured by deploying a single service and keeping it compromise-free for 2 years, we're already there. Plenty of Unix services (and even operating systems) can survive/have survived for a lot longer without compromise.

    The problem is:

    1. The threat is always growing in number, becoming smarter, and more creative.

    2. The number of assets as targets continues to grow and the type of assets is constantly changing. Think cell phones, Blackberrys, etc.

    3. Vulnerabilities are growing with complexity, lines of code, and feature sets.

    I agree that those "with average skills and little interest in the field" will lose ground, but not because security will improve overall. Security may improve for specific cases, but overall we are still in trouble. Like a previous comment, I expect to stay busy for the next 50 years.
  • Daniel · 3 years ago
    True, but the implication in my comment wasn't in the systems *not* being vulnerable necessarily (that will take FAR longer), it was that the vulnerabilities would simply become more and more difficult to exploit.

    In other words, I'm not arguing that there will soon be a lack of problems; I'm arguing that soon (10 years?) the defenses will be mature enough to prohibit all but the most advanced, custom attacks -- which I agree, will always find a way. Once the new protection technologies arrive, the primary obstacles to security will be slow adoption of said systems, configuration errors, insider attacks, and social engineering.

    Anyway, I am still thinking this through. I'm not completely convinced of my own argument because I seem to have a fundamental flaw in my reasoning -- one that fails to take into account certain critical elements that I can't quite isolate.

    For example, if one were to have asked me 50 years ago whether or not there would still be cracks in newly laid sidewalks I would have bet against it. Surely the new cement would last 100 years or so, right? Wrong. Or if I could have bet 100 years ago on whether or not the United States would be highly religious in 2006, I would have bet against that. In fact, I would have bet on us becoming increasingly secular.

    In both cases I'm failing to take into account some major variables, and I can't help but wonder if I could be making the same mistake with this idea. Namely, failing to take into account the *exceedingly* gradual pace at which progress is made. I feel technology (and market-driven demand for dependable systems) allow this boundary to be crossed, but I am not sure of it.

    Anyway, I think that your three points were valid only based on us still using our current, inferior technologies. If you have weaknesses in something, and you reproduce it on a mass scale then you're obviously going to have continued widespread problems.

    I think the key is having all these new systems and technologies rolled out using more secure and stable IDEs, programming languages, platforms, etc. Notice none of that involved human developers doing anything better. They can continue to produce thrown-together garbage, but with increasingly fewer ramifications.

    So the real question, in my mind, becomes: "What can stop this from materializing?"

    I guess the only answer is the idea I put in my post -- the notion that technology is still in its infancy as well, and its growth rate is going to be so fast (and so haphazard) that nobody will take the time to implement any of these superior security technologies.

    Thoughts?
  • Rob · 3 years ago
    Why not go the whole distance Daniel? Why settle for HIPS and NAC/NAP? These will always be REACTIVE technologies.

    What is more, they are in the vein of network security, which has a fundamental failing: they protect the containers, not the contents of those containers (that is, the data) on the network.

    That is the fundamental difference between network security and information-centric security. Why can't security people get it through their heads that denying access to the network is not the same thing as allowing access to information?

    The best way to do this is a la Ranum, with deny-by-default and enumerating goodness by using white lists etc.

    So as an extension of your thoughts, it seems to me that not only is infosec doing the wrong thing, they are also doing it the wrong way as well!
  • Daniel · 3 years ago
    Rob,

    I'm not against using a more restrictive, default-deny technology such as Trustifier; my point is that as these systems start to get deployed on a large scale, the balance is going to shift greatly in favor of security.

    I wasn't arguing that "this is all we need". I was just saying that as security gets built into more and more deployed technologies, things will change.