Another interesting article came up on my radar this week. This article, entitled "7 Dirty Secrets of the Security Industry", covers what Joshua Corman, principal security strategist for IBM/ISS, says are the 7 secrets that security vendors don't want you to know. To read the original article, check out http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/export/home/httpd/htdocs/news/2008/050108-interop-dirty-security-secrets.html
Like most wonks (including myself) he's more often wrong than right regarding these secrets. To prove this, let's take a look at each of these:
Antivirus Certifications are misleading. Corman states that "Certification means a product caught 100% of 25% of the bad stuff". He doesn't provide any data to back up this claim, but I don't have any data either, so let's give this one to him. The data backing up his claim certainly appears to be a secret.
There is no perimeter. Here's where Corman is dead wrong, as we've discussed many times on this site. As we know, there is no "perimeter"; there are multiple perimeters. And using his own words, you'd have to believe in Santa Claus to believe there are no perimeters.
Risk analysis threatens vendors. He essentially is saying that if companies analyze their requirements, they won't buy security software. He's right and wrong here. In some cases, companies won't buy security software after doing a risk analysis. In other, and arguably more frequent cases, companies will do a risk analysis and realize that they do need to purchase security software. So, Corman is half right here, but more importantly, half wrong.
There is more to risk than just weak software. Corman gets an A+ for being right about this one. The weakest link in the security chain is your users' not complying with computing best practices.
Compliance threatens security. Corman makes a somewhat slippery conclusion that if an organization seeks to comply with industry regulations, they will provide attackers key information about what exactly has been done to secure the network and its data. As we know here at Windowsecurity.com, regulatory guidelines are so vague that any information an intruder might have about your defenses by using those guidelines is worthless. In fact, the entire process of regulatory compliance forces a company to look at their current security posture, and thus overall improves security due to increased awareness and attempts at due diligence. Here again, Corman is wrong.
Vendor blind spots allowed the Storm worm outbreak to happen. The argument Corman makes here is that AV solutions are not perfect, and also they don't work if you don't have them installed. What can I say here? Yes, he's right. But this is no secret.
Security has grown well past do-it-yourself. Corman says that software needs to be installed and configured. Yep, you bet. And your IT staff can do this themselves. Not only is this not a secret, it's just incorrect. I know hundreds of companies that manage their own security, and do it well. Again, Corman comes out in the Red on this one.
I'm glad Joshua came up with these secrets and gave a talk about them at Interop in Las Vegas this year. I found them very interesting, and clearly he was trying to stir up the crowd. Sometimes when you stir up the crowd you have to mislead them a bit. Just as when P.T. Barnum told his crowd "this way to the egress!"
Thomas W Shinder, M.D.
MVP - Microsoft Firewalls (ISA)