Title: [Article]-The Broken: Assessing Corporate Security in 2012 to Make a Better 2013
Post by: don on December 19, 2012, 09:07:24 PM
Agree, disagree, don't care... that's the great thing about opinions. Here's an opinion piece by an industry veteran pondering what 2012 meant and what can be done in 2013. Read and join in the conversation.
Permalink: [Article]-The Broken: Assessing Corporate Security in 2012 to Make a Better 2013 (http://www.ethicalhacker.net/content/view/455/2/)
by Paul Jaramillo, CISSP, EnCE
So as we are about to close out 2012, many of us in the IT Security community look around and try to assess where we were, what we have accomplished this year, and what is next. I’ve been working in IT since the late 90s with a focus on security for much of that time. Most of my work has been in large private-sector companies with a brief but very rewarding stint working for the government. To me, while much has changed, many of the core issues remain today as they were back then. Our security condition has actually worsened in many cases. While that is up for debate, no one can argue that the pace, sophistication, and impact of major cyber events related to nation-sponsored and organized crime, as well as hacktivism threats, have increased exponentially in the last 4-5 years. This new normal has been applicable to the government and defense industrial base for a long time but really surfaced in the private sector around 2007. You would assume that with all that increased attention, dollars and executive support at the highest levels, it would be making things happen. To a certain extent they are, but we as an industry are still losing in the never-ending cat and mouse game with our adversaries. Why?
Over the years, I have sat through countless “you’re doing it wrong” or “we’re screwed” type of presentations. Some of them were very informative, and I absolutely respect anyone that publicly voices their opinions and ideas, knowing they will be criticized and nitpicked for things taken out of context. However, I often leave conferences with a desire for a way to fix what we all know has been broken. So what is stopping us? That is where I would like to focus some energy. What are the key roadblocks and stumbling points that are keeping the security industry from truly raising the bar as opposed to being stuck in a continual state of catch up?
The ideas that follow are not all my own, and I’m sure I have subconsciously absorbed them or unknowingly added them to my mantra. I have a set of wise men that I learn from constantly; however, I won’t list them out or directly associate them with this article out of respect. These ideas shouldn’t be taken as a statement of fact either, as they are only my humble opinions. My goal is to start a real discussion and provide a starting point for documenting and overcoming the greatest challenges to our broken system.
Let the debate begin,
Title: Re: [Article]-The Broken: Assessing Corporate Security in 2012 to Make a Better 2013
Post by: 3xban on December 25, 2012, 11:46:25 AM
Excellent Article Paul...
Obstacle 1: Agree, and will add that this can also benefit the person if they may have done the opposite before leaving a company. Forced resignation and all. But certainly tracking the bad apples would be beneficial and hold them accountable for their decisions. I believe a bonus should be earned if you not only help make the company money but also help prevent the loss of said money.
Obstacle 2: I am finding this to be a reality. I find it more trying to defend against advanced attacks when you can't even implement security 101. Thankfully, though, where I am the audits are taken pretty seriously and are usually addressed within the first few months after. But that may be only because the current auditors are not as well trained. I am finding auditors are becoming much more technically savvy and are looking for things they never did in the past. I've seen a few IT folks move over to audit mainly because you no longer need to fix the problems; you can just report them. Maybe they are sick of trying to fix them only to be told it costs too much, blah blah blah. It certainly is easier to click a check box, especially if you know where to look.
Obstacle 3: Agree as well, but how do we do this? Do we sacrifice skills training for business classes? Do we take one of the SANS MGT courses over a SEC or FOR course? Do we go for an MBA or an MIA? Or do we look at day-long workshops to help gain a better focus? I personally don't want to leave the trenches anytime soon, but I find I am being asked to do so although I am not a manager nor care to be. Then again, do I have the aptitude to stay in the trenches? I think so; I just started in InfoSec (well, concentrating on it), and I have no desire to put down the keyboard just yet.
Obstacle 3: So long as the staff is up to par and keeps improving their skill sets. I think heavy reliance on outsourcing your support causes this competitive advantage to decline. I am currently seeing the situation where ALL of your IT knowledge is in the hands of the outsourced company and almost none exists with your FT IT staff. I think it is important to keep the skills up on both sides so you essentially have FTEs with the knowledge to do the job, but they send the work to the outsourced staff to carry out. They then can focus their time on developing new and better solutions for the company; they may even develop a new product or service from this.
Obstacle 4: Partially agree on this one. This forum clearly shows there is a large number of new people wanting to be "hackers" or pen testers, but they seem to lack the base skills and understanding about the systems they want to hack. I partially agree because I think both the technical and business skills are needed equally. The DoD description of what they need does not reflect their target. They want highly trained people fresh out of college? We all know that typical MIS/CS majors graduate with information that is probably 5 yrs out of date. Unless of course they were gaining some real world experience during school, but even those entry-level security jobs require experience. Essentially you want to groom people for these jobs: moving those with a strong base knowledge about technology into a security-focused job, then giving them incentives to build the business skills for that key person we need in that board room. Again, how do you do that with someone who wants to stay in the trenches or has no desire to be in that board room, mainly because they think nothing will get done either way?
Obstacle 5: Agree with this; my drive is not being bored. I think anyone with a legitimate love for what they do does it for that simple fact. I think having a love for all things InfoSec related is no different. We enjoy a challenge, that is, a real challenge. I think in most enterprises the challenge isn't developing the solution, it is dealing with the red tape around getting it approved. We also love seeing something we created get implemented successfully. But if we are tasked to come up with a solution to something and then not see it implemented, or see it implemented poorly, we are left with a bitter taste in our mouth.
As you had mentioned before, there have been a lot of great talks at the security cons about what is wrong with the industry. In most cases those speakers are preaching to the choir. There are probably many of us that do know how to speak the business to the C-levels, but are they truly listening? Do they even care? Have they ever seen something like the anatomy of a virus? Seeing something so small destroy a company because a single simple patch was not installed or proper network ACLs were not in place to prevent the spread of a worm? I like the point that security managers need to be able to tell someone above them, "No, we cannot do that, and here's why..." If they are worth their salt, they shouldn't need to worry about finding another job if they are fired for disagreeing. Which brings us back to the first obstacle: sure, I was asked to resign, but here is why, and hand over the signed documents.