I noticed a lot of interesting topics/news coming from the Black Hat conference last week such as:
No doubt, these are all worthy topics that will help improve information security over the long haul…researched and presented by people who are much smarter than me.
Yet, given where most businesses are with information security today, we’ve got *much* bigger things to be concerned with such as:
These are all things I find on a consistent basis…Not because I’m smart but because they’re very predictable and often go ignored.
“Can’t see the light ’til you open your eyes” …minimal yet insightful lyrics from one of my favorite bands, Black Country Communion. The “light” that people aren’t seeing, because they’re being distracted by flashy headlines, sky-is-falling “exploits”, valueless auditor mandates, or IT execs who are (ironically) “threatened” by information security, is the very light that’s going to end up biting them if they’re not careful…such as the items listed above.
I read something recently from sales/achievement expert Jeffrey Gitomer that said “People who are cocky and arrogant say, I know that and move along. People who are confident and positive ask themselves How good am I at that? and seek to improve.”
Great tie-in to the point I’m making. Which side are you on?
Concentrate on the fundamentals and nothing else for now, and for as long as it takes to ensure you have true control over the information security basics that have been around for decades. Otherwise, you’re ignoring the obvious, which will rear its head at some point. As we see time and again in the research studies (Verizon DBIR, etc.), the odds are much greater that you’ll get bitten by something silly rather than by a niche exploit that hits a relative few.
Finding and fixing the low-hanging fruit (the 20% of vulnerabilities that cause 80% of the problems) is something I’ve been advising for years and I’m going to keep doing it because that is where the risk is.
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability/penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”