Skip to main content


Showing posts from June, 2011

Get with times, decentralized security is so 2000 and late

You would think we would have matured enough as a security industry that there would be a consensus on this topic. However we are not even close, mainly due to bureaucracy and politics. So lets survey the land of failed justifications.

"Were so big we have to be decentralized"

There is nothing that states centralized security means physical separation. You can have people local to your sites all over the world and still report into a single organization.

"Our business unit is so different we need our own team"

This argument often can be valid for IT services which require customization and agility. This is rarely the case for security. Just because a particular business may require a different policy or higher standards doesn't mean they should be rogue. The overall marching orders need to be coordinated otherwise you end up having gaps in visibility, protection, compliance, etc.

"This is the way we have always done it here"

This is by far the weakest thing…

Shooting Blanks FTL

How many times in your career have your heard there are no silver bullets? I'm sure its been quite a few times and then some. It definitely needs to be apart of your infosec mantra to ensure people don't have a false sense of security. It should be well ingrained that [AV, FIREWALLS, IPS, PROXIES, *] don't stop sophisticated attackers. They are at best a speed bump in the road.

So what is the point of this post? I've noticed a disturbing trend in the industry of knowledgedable individuals going to the opposite of the spectrum. Instead of taking a practical approach they shoot down any security control based on its flaws. One of my favorite quotes illustrates this perfectly.

Narrator: Tyler, you are by far the most interesting single-serving friend I've ever met... see I have this thing: everything on a plane is single-serving...
Tyler Durden: Oh I get it, it's very clever.
Narrator: Thank you.
Tyler Durden: How's that working out for you?
Narrator: What?