Unreasonable Security Practices That Will Soon Be Even More Irrelevant
Jan 12, 2010, 21:02
(Other stories by Sonny Discini)
"Last month I listed things security practitioners are doing
that are unreasonable. Then I went through some things that are
reasonable. In reading the many comments I received, I realized the
message still isn't getting through to some. In the spirit of
understanding and moving ahead in the new era of security, let's
talk about some additional things that are not reasonable, as well
as where we are headed as security practitioners.
"Layered defense is not reasonable.
"Go to any security site and you will read paper after paper
about layered defense and how it's a great approach. I agree with
the theory in the academic sense. It's harder to break into a vault
that has four locks rather than one. But in reality, what if those
four locks are made out of paper?
"This is exactly how classic layered defense works.
"Unreasonable things we're doing in the enterprise using classic layered defense.
How? First of all, we're telling leadership that we have "layered
defense" in place. Well that sounds really nice until we look at
exactly what we're doing. Let's start with patch management, a
process proven over the years to be next to impossible. Go into
*any* large organization, and I assure you not all hosts are
current on OS and application patches, such as those from Adobe.
Most likely, more than 40 percent are behind even with the most
expensive tools and the most diligent of patching practices. How
can you patch effectively if your vulnerability scanners can't even
come up with accurate information on the patch levels on your