State of Insecurity

Posted 2006-05-20 17:47 by Christopher

I highly suggest reading "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security".

It's an in-depth (and lengthy) look at the current state of security (or rather lack of security). And while I disagree with some of the ideas presented, on the whole it is a thoughtful and insightful piece.

First, the good. The article, by Noam Eppel of Vivica Information Security, manages to consolidate much of the recent news into a cohesive presentation. His point, that Information Security is fundamentally broken, is well supported by numerous sources and examples.

However, there are a few specific points that I disagree with. First, the idea that "information security professionals need to identify every single vulnerability and potential risk and come up with suitable and practical fix or mitigation strategy." The real trick to securing your information systems is to create an unassailable position by applying strategies that protect against attacks - even those that we are not aware of. Positive security is a perfect example of this.

Second, I disagree with the assertion that "Security is a full time job which requires [...] purchasing a deluge of costly technology systems and devices." Some of the best protections are systems you already have. In many cases open source systems are better than their commercial counterparts.

Finally, I think the author is a bit overreaching with "The security of an entire network can be compromised by a printer with a remotely exploitable vulnerability." With proper compartmentalization in your security architecture, the most a printer vulnerability should affect is the printer.

Here's my take on how we got to where we are. The protocols that run the Internet were built on a broken trust model. And while we can do a lot to protect systems under our care, our reach ends at our network edge. Furthermore, true information security controls are still seen as a burden on companies. Often companies still use default-allow policies for network traffic, system permissions, and more in the name of increased productivity.

I am looking forward to the second part, which promises to list some solutions to the situation.