BugTraq
Better Security Through Sacrificing Maidens Aug 18 2010 11:50AM
Pete Herzog (lists isecom org)
Hi,

The typical enterprise security today is one that is properly prepared
to sacrifice something to an attacker now so they will be 100%
prepared against it later. There's something wrong with that method
and it's part of the reason why ISECOM is taking some very new
directions in security that may seem strange or confusing to many
security professionals.

I have written up my explanation for the changes and it touches on
many sticky topics in security: risk, penetration testing,
vulnerability disclosure, compliance, trust, certification, and
defense. One thing that I left out is why we moved away from defense
in depth as well. However, that requires a lot more words and the
article ended up being perhaps too long as it is. So maybe in a future
article.

Do keep in mind that I tried to be nice and not lay blame on anyone or
any group. So please don't flame me for having a different opinion.
Instead, take this as a discussion point because I'm sure you also
recognize something about security isn't working.

https://www.infosecisland.com/blogview/6646-Better-Security-Through-Sacrificing-Maidens.html

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete (at) isecom (dot) org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

Copyright 2010, SecurityFocus