In an interview with Marcus Ranum, CSO Online asked him what he sees as the weakest link in the network security chain. He said, “Not knowing what’s on your network is going to continue to be the biggest problem for most security practitioners.”
All I have to say to that is, “Duh”.
posted by holliday at 2:33 pm
As a species we are hardwired to do threat assessment in our day-to-day lives. We do many forms of threat assessment without recognizing it as such. You do it when you are changing lanes, or commenting on your wife’s outfit, or even when you take that first sip of hot coffee. How dangerous is this thing I am about to do?
There is something we need in order to be good at threat assessment. I am going to call it Danger Awareness. If you are not aware of some impending danger, then you will have no way to correctly assess your threat level. One example of not having danger awareness is when you are in a car and you don’t check your blind spot before merging or changing lanes. I am going to refer to it this way when I discuss danger awareness on the Internet. When you change lanes and a car is in your blind spot, it can end very badly; the same is true when you use the Internet without being aware of what is waiting for you.
To really be able to do a true threat assessment, you must be aware of all of the dangers (or as many as humanly possible, as there are more than enough to keep us all busy for many lifetimes) and then build a plan to help you avoid the dangers that you are aware of and even some you may not be.
posted by holliday at 12:24 pm
I was invited to be a guest at the University of Colorado to teach a networking class about Network Security. It was interesting to see how diverse the class was. You had the different groups you expect to find in a normal college classroom: the people there to learn, the people who think they already know everything you are talking about, and the people who are just trying to get a credit. There was also someone’s wife who was just hanging out with her husband.
There is a lot to cover under the umbrella of Network Security, so I had to slim down what I went over. I went over vulnerability assessment, intrusion detection, social engineering, network access control, 802.1X and then gave some war stories.
I think that the next time I teach a class I will just build out one large scenario and then go over the security you would need to protect each section. I think it would be easier for the students to see how it all comes together to form a secure network environment.
posted by holliday at 8:06 pm
I am not going to discuss politics in this forum, but this is the first time in my lifetime that I have had hope for our nation.
posted by holliday at 10:17 pm
The failing economy has obviously affected every market to a certain extent. The security market (which is the one I am in, so it is the one I care most about) has been hit pretty hard. I did not believe that people could do without security, but I was wrong. This comes down to lack of legislation forcing people to take responsibility for data breaches.
An interesting article over at Network World is a letter to the next President asking him to take a stand. The author makes a great statement about how there will be no change until there are real negative consequences for not being secure. CTOs and CISOs will continue to do the bare minimum until there is a reason for them to change their ways.
posted by holliday at 1:52 pm