Where Obfuscurity Meets Negligence

2009-10-21 19:24:42 by jdixon

There are people out there who would argue that Security through Obscurity is better than no security at all. They advocate port knocking or running applications on "random" ports. Certainly, I'm not one to go around broadcasting my attack vectors to random visitors (oops!), but that doesn't mean it's a rational means of protection (honest, I'll pull out this time).

Read the rest of this story...

The Doctrine of Security

2009-08-21 23:22:36 by jdixon

Recently I had the opportunity to do an interview for a story on SMB security issues. The conversation reminded me just how easy it is, as a security professional, to paint everything in black and white. Hackers are good or evil. Software is secure or vulnerable. Vendors are responsible or stupid. But this really isn't how businesses operate.

The primary focus of most businesses is to engage in commerce. Often we overlook this basic fact when a company neglects to patch their systems and becomes a target. We argue that if the owner was serious about protecting his money, customers or data he would be more proactive. But do we have all the facts to make this judgment?

Every decision in business carries risks and rewards. Responsible patching seems like a no-brainer. Perhaps the company webserver is used for basic order submissions. No personal or private data is stored locally. Is it really harming anyone if the website gets defaced for a week until the owner's nephew stops by to reinstall it again? Certainly you could argue that the defacement reflects poorly on the business, but again we need to consider the risk vs reward scenario. If it costs less to leave a defaced server running than to call an after-hours professional, is that really a poor decision?

Don't get me wrong, this scenario would drive me nuts. And that's exactly why I'm a geek and not an accountant. On occasion we need to take our blinders off and consider the alternatives. Security is a process, not a moral standard.