You mean I’ve been wasting my time?!!

Jeff | Security | Thursday, February 7th, 2008

During my daily RSS scan this morning I noticed this article on DarkReading that is sure to spark a lot of debate over the next few days.

Computer Forensics Show 2008 — Peter Tippett thinks it’s time for security professionals to wake up and stop wasting their energy.

In a presentation here yesterday, Tippett — who is vice president of risk intelligence for Verizon Business, chief scientist at ICSA Labs, and the inventor of the program that became Norton AntiVirus — said that about one third of today’s security practices are based on outmoded or outdated concepts that don’t apply to today’s computing environments.

Once you get past the incendiary statements, it seems to me like Peter is discussing getting back to basics with our security thinking. Nothing is 100% safe, but in the rush to try and secure everything, many tend to forget about the basics. It seems that over the past two years many companies (and many in the netsec field) have gone overboard in trying to manage every risk to the point of CYA insanity, instead of using a more holistic approach of basic security best practice and prudent risk assessment/management. As anyone who has worked in the security field knows, we netsec folk have to get a million things right to keep the bad guys out, but the bad guys only have to get one thing right to get in. Of course, that’s why the argument for defense-in-depth is so important.

Yet, while I do agree with most of the points Peter brings up, we can’t just throw up our hands and give up. We still have to approach security with due diligence as one of the goals.

There is a good discussion on the article over at Slashdot. Put on your fire-retardant suit before clicking the link…
