Security: Best practice or ancient ritual?

Time to scrap ISO 27002 security standard says its author

Let’s face it, there’s a dreadful lack of creativity and innovation in information security today. Risk management and governance methods have changed little, if at all, in three decades.

Today’s ISO standards are based on a body of text created over twenty years ago. In fact, aside from a sprinkling of security technologies, which you can count on one hand, nothing really new has emerged in the lifetime of today’s security managers.

A dangerous herd mentality is setting in, to the point where best practice itself has become a risk. Whether it's methodologies, control descriptions or technologies, we are locked into a monoculture that is creating a growing systemic risk.

And I'm not blaming others. I drafted most of the original text that evolved into ISO 27002 and achieved the world's first accredited certification. But I'd love to now see it consigned to the scrap heap. Common sense and creativity have vanished from security. Twenty years ago, the security community was full of competing ideas and practices. Now every presentation looks the same.

A dangerous distraction

Security managers are chained to a backward-looking compliance treadmill that gives priority to legacy practices, paperwork that no one reads, and outstanding audit actions from previous years. This distraction prevents security managers from looking ahead and addressing emerging issues.

A few days ago I sat through a presentation from a legal firm that has rolled out a most impressive suite of new security technology. The speaker admitted that "we'd be more likely to win business with an ISO certificate". Unfortunately, there are few prizes for smart security thinking.

A legacy full of holes

A more worrying problem is the impact of technology monoculture, resulting from herd adoption of market leading products. A few weeks ago I asked Jason Larsen, a top SCADA security tester, what he felt was the biggest vulnerability in enterprise infrastructures. “Best practices” he replied, “Everyone uses the same firewalls, AV and operating systems. You only have to test a new attack against a small number of products to see if it works”.

The traditional Swiss Cheese model of defence in depth is falling down. It's not just methods, standards and technologies that have failed to keep up with a changing threat landscape. We also lack the communications and psychology skills needed to influence security attitudes and behaviour across an extended community of networked staff, customers and suppliers. Not to mention the reverse engineering skills now needed to test application systems to the same standard that attackers apply. Our professional development schemes have more holes than a slice of Emmental.

Bright spots on the horizon

There are, however, a few rays of hope in the security solution space, though they have yet to register on the security community's radar. The Global Security Challenge encourages and rewards innovative security technologies. Competitions like this are vital to keep promising technology start-ups alive at a time when venture capital is thin on the ground. There are also numerous opportunities from the emergence of virtualisation and trusted computing technologies.

Virtualisation transforms the infrastructure from both a user’s and an attacker’s perspective. Replacing a fixed network of physical platforms with an abstract virtual environment changes the battle space, as well as the solution and problem space. Surprisingly, very few security managers seem to have noticed this trend.

Trusted computing also offers huge potential for eliminating a large slice of the risk landscape, through reliable, automatic device authentication and data encryption. Trusted platform modules are built into virtually all PCs and laptops; hundreds of millions have been shipped. This technology offers solutions that are cheap, transparent, secure and easy to install and manage. But they have yet to be used, largely because they simply don't feature in the security manager's tool kit.

Security managers would do well to consider how phone companies, satellite TV services and popular music sites secure global networks from large-scale fraud. It's usually based on a simple, cheap, automatic mechanism, rather than on the clunky identity management systems that are more familiar to security managers. Neat proprietary solutions are powerful, though open ones are even better.

Comments

  • Christoffer: Perhaps the article was intentionally written to be biased towards a technological perspective, and then I guess it's fair play. I believe that this bias towards technology is part of the problem, not the solution. Sure, technology is a business enabler and can be leveraged to perform functions with more efficiency and predictability. However, this must still be aligned with a business vision and long-term strategy. What we should seek is to better understand the link between technology and its impact on the enabling of business. As it currently stands, we are allowing technology to freely roam organizations without much thought. This is equally true from the business perspective, which also needs to be founded on realistic expectations of what technology can do. Relying on either of the two will result in failure. It's only through the unification of business and technology that we can achieve the results we desire.