You can take the "A" out of security, but you can’t take…wait… what?
Since I haven’t been doing a lot of serious posting for a while, it has been a while since I had an altercation with The Hoff on anything. But now it is in full swing, and I have to say that I have missed this a lot!
So here’s the deal for those of you just joining the program. There was an article posted a couple of days ago that said business people were becoming more concerned with availability than security. I expressed my incredulity here with a very simple and direct question. I got a quick verification of my point by Mr. Wismer, and I felt I had done my duty in protecting the CIA Triad once again. I think the first time I posted about this was back in March of 2007, when OpenBSD people were discounting a buffer overflow vulnerability in their code as NOT a security issue. This simply befuddled me because availability, in my old world, is an inseparable part of security (And Chris, it does mean what I think it means – “old” doesn’t mean we are old, maybe just conservative). I wrote this off to some people trying to get away with skewing statistics so they looked better on the security reports at the end of the year.
Of course, I could not have been more wrong in thinking that my day of heroic pursuits was done. First, I got the scalpel from Dr. Chuvakin (I know, I know… he’s not that kind of doctor – but it sounded cool. And seriously… PHYSICS??). Then I got drop-kicked by The Hoff on my blind side (which, incidentally, is the direction from which Chris always hits – not complaining at all, he just seriously has a really cool mind that makes him have wonderfully refreshing lines of thought).
So I saw all of this, weighed responding against how much work I had to do so I could have family night with the wife and kids, and I decided to work. So by the time I got around to hitting back, I really didn’t feel like arguing too much. But I did a little bit, and that quick quote can be found here. Chris responded and called me a redneck. Mr. Wismer entered the fray again. Chris posted about it so it would have better visibility. Anton presumably has better things to do (I don’t blame him at all). And one more comment by Chris, and here we are… sheesh…
OK, now that you are all caught up and have read all of the comments and posts with serious interest, here’s my response… What were we talking about? Oh yeah, information security…
So I thought originally that Hoff missed my point on the first comment he made. He seemed to think that I thought the “C” and the “I” should come before the “A”, just like all us old dogs with allergies. Of course, that is not what I meant at all. I was actually arguing that people keep taking the “A” out of information security (search for CIA Triad on your favorite search engine). So now this article pops up, and I really got a little peeved.
Now, as to Anton’s point, this article was from more of a business centered IT magazine. So I get it from that angle. Chris even argues from that angle as well. But still, Chris’ first take on my argument was not correct, and I felt that I needed to clarify that. I think in some weird way, we were actually agreeing.
But my overall point in all of this is that I think the definition of information security has been skewed as security has been more and more commoditized. And I don’t necessarily disagree with the skewing because I think the definition has actually become almost all-encompassing and has removed a lot of stovepipes that needed to go away. EVERYONE touches security now. From the switch guy to the server gal to the router dude to the firewall chick. Sure, the “security” group may tell those people what buttons to push, but the “on-the-front-lines” people still push the buttons.
In the same way, there really is no pure security solution out there now. Too many products serve dual purposes. Almost every product, whether it be an application or an appliance, has security built in. It may be nothing but a marketing gimmick so the word “secure” can be placed on the website, but no one disagrees that it is there. Take for instance the switch. Not too many years ago, switches did nothing but push packets. Now they are becoming an integral part of security through 802.1x and other NAC functions. Take the firewall and router. Those two products, at least for the SMB, are becoming a single product.
And because of that, many companies consult on IT practices as well as security practices because you really can’t separate the two anymore. IT frameworks build in security now (ITIL and COBIT). Chris says risk management encompasses security, and I see his point. But my take is that security is the whole, and ALL the other areas are pieces. Yes, people still code and expect the network to protect the code, but that is becoming less common. I see it every day just as you do, Chris. I see people getting pwned due to application vulnerabilities. Just ask Jeremiah Grossman and my friend David Nester from HP, who is now posting on this blog.
Security has to be thought of almost before anything else. Have an idea that is going to revolutionize the IT world? My first question is, “How do you secure it?” And that means, “How do you make sure it is available while at the same time making sure everyone’s data doesn’t get leaked?”