Sometimes the best way of trying to do something or explain what you want to do is to give it some analysis. Let's take a look at "Information Security" for a little bit today and see what that means to practitioners and companies at this point in time (2010).
First lets start with a trip in the way back machine - Set the way back to 1999!
1999 - The Internet (although not officially new) is "new" to many people and businesses as corporate America and the world begins a love affair with e-mail, "the web", and all things Inter/net/web. Speed and cool whiz-bang ideas are all the rage, few people care or think to care about the risks associated with allowing everyone to see/access most everything. The only folks who are concerned are mostly government officials, people with law enforcement mentalities/backgrounds, and paranoid sysadmins who have been fighting to preserve their systems for years.
In 1999 if you asked "what does Information Security mean to you" you would get different questions from various people who you asked.
If you asked:
a user -
"huh? why should I care about that? it's not like people can see my information"
a law enforcement professional -
"I wish I knew more about how to understand what the Internet can be used for and how I can get evidence and cooperation from ISP's when I have to try to investigate things"
a sysadmin -
"I build my systems securely, it's all of those applications that the users insist on installing that makes things crash!" "If you want something secure keep it off my server!"
At this point the concept of Information Security professionals are few and far between, most organizations are just coming to understand the need (unless they are in one of the more regulated industries like financial services. Even HIPAA at this point is just a theory and the security rules have not "gone live").
If you asked management if they understood Information Security and what they have done to maintain security in their organization you would likely get the response:
"Oh yeah! we have a firewall, and we have a process for rebooting it when it crashes, nothing gets in that we don't let in!"
At this point a lot of people had the mindset that the "good guys" were on the inside and the "bad guys" were on the outside and of course they would do as was expected and follow the unwritten rules of engagement and bounce harmlessly against the firewalls. Nothing could be further from the reality. "bad guys" being of questionable morality, and of uncertain motivations and means had no interest in being detected, or in following any rules. Exploitation of systems happened with astonishing speed and regularity, and eventually tools and malware was created to provide the "bad guy" with many options of how to enter an organization. As for motivation, what was once an academic pursuit evolved into theft (of information, data, intellectual property, personal data that could be resold or used to hack further into someone's accounts or to impersonate someone and benefit from this financially - Identity theft).
The poor folks that had the responsibility of handling any type of "incident" were usually under trained on what to look for, didn't have any tools at their disposal, and had little support from management (heck who wants to fund a team that only had bad news!). It was a tough start for our heroes.
To be continued...
First lets start with a trip in the way back machine - Set the way back to 1999!
1999 - The Internet (although not officially new) is "new" to many people and businesses as corporate America and the world begins a love affair with e-mail, "the web", and all things Inter/net/web. Speed and cool whiz-bang ideas are all the rage, few people care or think to care about the risks associated with allowing everyone to see/access most everything. The only folks who are concerned are mostly government officials, people with law enforcement mentalities/backgrounds, and paranoid sysadmins who have been fighting to preserve their systems for years.
In 1999 if you asked "what does Information Security mean to you" you would get different questions from various people who you asked.
If you asked:
a user -
"huh? why should I care about that? it's not like people can see my information"
a law enforcement professional -
"I wish I knew more about how to understand what the Internet can be used for and how I can get evidence and cooperation from ISP's when I have to try to investigate things"
a sysadmin -
"I build my systems securely, it's all of those applications that the users insist on installing that makes things crash!" "If you want something secure keep it off my server!"
At this point the concept of Information Security professionals are few and far between, most organizations are just coming to understand the need (unless they are in one of the more regulated industries like financial services. Even HIPAA at this point is just a theory and the security rules have not "gone live").
If you asked management if they understood Information Security and what they have done to maintain security in their organization you would likely get the response:
"Oh yeah! we have a firewall, and we have a process for rebooting it when it crashes, nothing gets in that we don't let in!"
At this point a lot of people had the mindset that the "good guys" were on the inside and the "bad guys" were on the outside and of course they would do as was expected and follow the unwritten rules of engagement and bounce harmlessly against the firewalls. Nothing could be further from the reality. "bad guys" being of questionable morality, and of uncertain motivations and means had no interest in being detected, or in following any rules. Exploitation of systems happened with astonishing speed and regularity, and eventually tools and malware was created to provide the "bad guy" with many options of how to enter an organization. As for motivation, what was once an academic pursuit evolved into theft (of information, data, intellectual property, personal data that could be resold or used to hack further into someone's accounts or to impersonate someone and benefit from this financially - Identity theft).
The poor folks that had the responsibility of handling any type of "incident" were usually under trained on what to look for, didn't have any tools at their disposal, and had little support from management (heck who wants to fund a team that only had bad news!). It was a tough start for our heroes.
To be continued...
Comments