Wednesday, October 22, 2008

I Am A Security Heretic - SecTor 2008


At the SecTor show this year I was treated to a variety of presentations from the security field, in all forms: physical, virtual, logical, and philosophical. Yes, philosophical, and this was by far the presentation with the most impact for me.

Don't get me wrong, there were a ton of great presentations at the show, but it is very rare that a presenter can make me sit back and really rethink how I approach something, and in this case, something very near and dear to me, information and network security.

The presentation was from myrcurial, and it was the session Security Heretic: We're Doing It Wrong that really got me thinking. He challenged me, I (tried to) challenge back, but in the end I was left with two feelings. Some of my past personal reactions and choices in security designs and deployments were vindicated. And some were vilified. After it all, I was forced to accept that I am the worst of what the presenter was pointing out: I knew the right course of action, but at times had chosen not to follow it.

In fairness to myself, a lot of the time I did not have a choice. We all have jobs to do and bosses to please, and sometimes the path of least resistance gets us home to our families the quickest.

What really got me was the security test. As a security professional, take a look at the picture below. It is a typical desktop at a typical company worried about security. See if you can tell me what the security risk to the company is here.



If you say it's the iPod, and our users are running around with iSlurp, stealing all the corporate crown jewels in a crazed attempt to destroy the company that employs them, then congratulations. You too could work in the security industry and stay very busy. That was my response as well. I could even go into great detail about how we can address that particular risk.

But I had missed the point of the picture. It's an iPod, connected to a laptop. A LAPTOP! Let's all be realistic here: if they wanted to take corporate secrets out, they would just take the laptop home. I made a knee-jerk reaction to a specific issue and instantly wanted to apply technology to it.

Don't get me wrong, I am not discounting the technology or the need to do things like block and monitor computer ports, be it FireWire, USB or Bluetooth. What I need to do is make sure it's applied with an appropriate amount of force and in the appropriate place. I need to stop using a sledgehammer to open a bottle; all that does is smash the container, losing most of the contents.

And that was another really great point of the presentation that hit home: what is any good company's truly great and valuable asset? What are these corporate jewels we need to protect?

It's the employees, that user base you're about to punish and lock up like lost, mindless children, incapable of using the tools with any responsibility. It's like giving them a job that involves cutting, but then taking away all the knives. It's like we forget why we hired them in the first place, and then we forget they are people with lives that are always going to be intertwined with work. And is that such a bad thing? So much of what we do defines what we are, and if someone wants to take their work home, or bring their home to work, in the end, are you not getting more back into the company? More ideas, more time, more commitment? Our goal as security professionals is to help them do it safely, not punish them for trying.

And this is why I have become a security heretic.
