[tags]security failures, infosecurity statistics, cybercrime, best practices[/tags] Back in May, I commented here on a blog posting about the failings of current information security practices. Well, after several months, the author, Noam Eppel, has written a comprehensive and thoughtful response based on all the feedback and comments he received to that first article. That response is a bit long, but worth reading. Basically, Noam's essays capture some of what I (and others) have been saying for a while -- many people are in denial about how bad things are, in part because they may not really be seeing the “big picture.” I talk with hundreds of people in government, academic, and industry around the world every few months, and the picture that emerges is as bad -- or worse -- than Noam has outlined. Underneath it all, people seem to believe that putting up barriers and patches on fundamentally bad designs will lead to secure systems. It has been shown again and again (and not only in IT) that this is mistaken. It requires rigorous design and testing, careful constraints on features and operation, and planned segregation and limitation of services to get close to secure operation. You can't depend on best practices and people doing the right thing all the time. You can't stay ahead of the bad guys by deploying patches to yesterday's problems. Unfortunately, managers don't want to make the hard decisions and pay the costs necessary to really get secure operations, and it is in the interests of almost all the vendors to encourage them down the path of third-party patching. I may expand on some of those issues in later blog postings, depending on how worked up I get, and how the arthritis/RSI in my hands is doing (which is why I don't write much for journals & magazines, either). In the meantime, go take a look at Noam's response piece. And if you're in the US, have a happy Thanksgiving.

[posted with ecto]