This seems to be the time of year that everyone is holding a security conference.  I will be attending eight from January through the end of April (and speaking at four of them).

The interesting thing about most of these meetings is that they are usually sponsored by vendors, who believe that their product or service is the answer to all of your security needs.  The mentality that security is a “thing” you can buy, and that installing it on your network will solve all of your problems, is a fantasy worthy of Grimm’s fairy tales.

I think that the story of Little Red Riding Hood is a pretty good analogy to the current APT (Advanced Persistent Threat).  All of us Little Red Riding Hoods are walking through the very dangerous forest (the World Wide Web) – we are told to stay on the safe path (HTTPS, known URLs, safe web sites), but being a little curious, we may occasionally click on the sketchy link.  The Big Bad Wolf (nation states, organized crime) is out there just waiting for that click.

We all know that it’s not if we click but when, so sooner or later we will get eaten by the wolf.  The Hunter (the next Security Thing) comes to our rescue (sometimes they claim to stop the wolf, sometimes they just help us find the wolf and recover our grandmother and Little Red Riding Hood), but in the end, we are safe and sound, all thanks to them.

The reason that these are fairy tales is that they did not happen, but they are supposed to teach us a lesson.

My problem with this is that while all of these products may help with some aspect of security, none of them fix all of your problems, and many of them will generate so much work for you and your security team that the real business will be buried under the millions of alerts.

Because I work at a University, it may be much easier than if I were working at a bank (if you believe this, I have some nice swamp land for sale), but I have always felt that security is a process and you need to have a philosophy to follow in order to create a secure environment.

My philosophy of security for Columbia is:

  • Always remember that Columbia is a school and not a bank
  • By protecting the world from Columbia (i.e. locating and removing any compromised system on the Columbia network) we will protect Columbia
  • We have complete control over our own network
  • One size never fits all
  • There is no such thing as perfect security
  • Education and technology are equally valuable
  • Always remember that you are in a people business

One size fits all security (buying the right Thing) is not effective because, in the end, there are many paths through the dangerous forest, and all of your Little Red Riding Hoods will not always stay on that safe path.