Finally, another security post! You must have thought I'd forgotten all about this topic. :) Honestly, I have a few ideas in notes at home, but haven't been motivated to write lately. But that's all about to change as of right now.
I have three different items for you today. First, in "Um, no." I talk about a recent posting on the Symantec Security Response Weblog that is, well, rather moronic. Next, "Don't be stupid." is a quick pointer to another excellent Bruce Schneier blog post on counter-terrorism stupidity. Last, Richard Bejtlich at TaoSecurity has a great list of responses, from worst to best, that measure the degree of proof provided in response to the question "Are you secure?".
Um, no.
First up, a nominee for dummy of the week. Seriously, I sometimes wonder what people are smoking. Now, granted, this person came up with this inanity while subjected to the extremes of Las Vegas. But, I ask you, is that any excuse for not linguistically comprehending that "moderate" and "reduce" are functionally equivalent? More importantly, the first part of the provided definition for "mitigate" is "to lessen in force or intensity." Isn't that what we're trying to do with risk mitigation? To lessen it?
None of this surprises me too much, though, when I read on and learn that he (and allegedly his colleagues?) believe that you can do the following with risk:
- transfer (a la "like the classic insurance model")
- reduce ("by taking actions that minimize the risk")
- accept ("look it right in the eye")
- ignore ("pretend like it isn't there")
This last one is new to me, mainly because I consider ignoring risk to be implicit acceptance, but ok, fine, whatever. We finally get the point at the end, though, which is not his overt linguistic confusion, but this:
"So, what I’m really getting at is, “risk mitigation” is an outdated phrase and risk management is really what we need to focus on as IT risk specialists."
So, in a nutshell, he's kind of an idiot. Risk mitigation is a component of an overall risk management approach. It is, in fact, that "reduce" action that he lists. But, apparently, this is too abstract a thought.
Read A Closer Look at “Risk Mitigation” here:
http://www.symantec.com/enterprise/security_response/weblog/2007/11/a_closer_look_at_risk_mitigati.html
Don't be stupid.
As usual, Schneier has hit the nail on the head when it comes to stupidity in this so-called "war" on terror. The war really seems to be against citizens, given the constant assaults of warmongering and FUD. This time around, Schneier is discussing the major downsides of having the average Joe play spy/police. It seems that this whole "innocent until proven guilty" concept, as guaranteed by that insignificant document, the US Constitution, is being ignored. And, you know, for good reason. I mean, look how many terrorist attacks your average 7-11 clerk has stopped, right? Yikes... a little common sense, folks! Refuse to be terrorized (by your government)!!!
Read The War on the Unexpected here:
http://www.schneier.com/blog/archives/2007/11/the_war_on_the.html
A cool list.
Richard Bejtlich over at TaoSecurity put up an interesting post recently that provides a scale of answers to the question "Are you secure?" Based on the answer, he proposes that you can gauge the degree to which the organization is actually secure. It's really an excellent thought, pulling together what we in the industry know about security, combining it with a little bit of social psychology. Good stuff.
So, what sort of answer do you want to hear? This would be great:
"Yes, we do not have any indications that our systems are acting outside their expected usage patterns, and we thoroughly collect, analyze, and escalate a variety of network-, host-, and memory-based evidence for signs of violations. We regularly test our detection and response people, processes, and tools against external adversary simulations that match or exceed the capabilities and intentions of the parties attacking our enterprise (i.e., the threat)."
Read Are You Secure? Prove It. here:
http://taosecurity.blogspot.com/2007/10/are-you-secure-prove-it.html