I would disagree that we are lacking a driver to make a safer mousetrap.
 We have financial implications, industry regulations, and government
regulations for compliance that can all be drivers for more security.  The
key difference is complexity.

For the most part, the auto industry has been looking at the same general
factors associated with vehicle and passenger safety over time.  They have
had a considerable amount of time to focus on these issues and fine-tune
previous approaches.  Standards for safety have gotten more stringent over
time, but I would submit that they have not drastically changed --
certainly not to the degree of information security threats and risks.

Just look at the changes that have occurred in the computer realm in the
past 20 years.  Or even the past decade.

The internet and mobile computing have had a tremendous impact on threat
vectors and vulnerabilities.  And, the realm of computing does not have a
user education component that is as mandatory or robust as driver education
is in many places.  (And that's saying a lot, given some of the laxity of
some driver's education programs.)   Given the rate of change, and the
complexity of the issues, the government is not the best entity to
establish the rules of engagement except at some high, broad level.
 Otherwise, we end up with SoX -- complexity and cost without significant
practical benefit.

Additionally, unlike the auto industry, the computer industry (but not
necessarily computer companies individually) encourages people to make
significant changes to the product they have purchased on an ongoing basis.
 This means that the combination of things to protect after the fact is
ever-growing.

This is not a trivial problem, by far.

We do, however, need more solutions which focus on all of the below:
-- the end-point
-- the end-user
-- the various manufacturers
-- the computing ecosystem

A greater focus on solutions would, in fact, be much appreciated.
ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…


On Mon, Aug 27, 2012 at 12:30 PM, Kennedy, Jim <[email protected]> wrote:

>  Yes, but I think there is a bit more that needs to be included.  The
> reason the car industry is safer is not because they didn't give up. The
> car makers made cars safer because the government forced them to meet
> increasingly tougher safety standards. And I believe that is what is
> lacking in our industry, something driving us to make a safer mouse trap.
>
> From: Andrew S. Baker [mailto:[email protected]]
> Sent: Monday, August 27, 2012 12:23 PM
> To: NT System Admin Issues
> Subject: Re: OT : Humor only an Admin can enjoy.
>
> Well said, Ken.
>
> ASB
> http://XeeMe.com/AndrewBaker
> Harnessing the Advantages of Technology for the SMB market…
>
> On Sun, Aug 26, 2012 at 2:41 AM, Ken Schaefer <[email protected]>
> wrote:
>
> Kurt,
>
> You introduced cars as an analogy. Please have a look at:
> http://en.wikipedia.org/wiki/List_of_motor_vehicle_deaths_in_U.S._by_year
> to see that deaths due to car crashes, as a % of the population have been
> falling for years in the US. That's despite the fact that there are more
> cars, travelling at faster speeds, than ever before.
>
> I'm not saying that cars are perfectly safe - that's a strawman argument.
> I'm saying that the car industry doesn't just throw up its hands in the air
> and use the arguments that you are using: namely that driving a car is
> dangerous and people should "suck it up". Furthermore, research continues
> into ways to make cars even safer, because the industry realises that
> trying to change human behaviour (whilst part of the solution - aka driving
> tests) isn't going to solve the problem completely.
>
> As for the last part - you don't think that revealing the AV, FW, IDS/IPS
> products that a company uses isn't giving away information to attackers
> that could be used against that company? That's completely naïve. If I know
> you are using product X, at version X, then I know that I can use
> vector/attack Y to bypass it, because your product is vulnerable, or
> doesn't yet detect Y.
>
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
>
> Sent: Sunday, 26 August 2012 3:01 AM
> To: NT System Admin Issues
> Subject: Re: OT : Humor only an Admin can enjoy.
>
> Ken,
>
> I made a small mistake in my comment to your analogy with cars - the word
> isn't irrelevant, it's more along the lines of mistaken. Consider how
> advanced the car industry was after 40 years. Not very. And 70+ years after
> that it's still not "safe". Computing is more complex, and will take even
> more time to get to a "safe" state, if it's even possible, which to my mind
> is an open question.
>
> Kurt
>
> On Sat, Aug 25, 2012 at 9:32 AM, Kurt Buff <[email protected]> wrote:
> > On Fri, Aug 24, 2012 at 10:35 PM, Ken Schaefer <[email protected]>
> wrote:
> >> I disagree.
> >>
> >> Car manufacturers have been constantly finding ways to make our
> >> driving experience safer, and less stressful. Whilst it still
> >> requires some level of co-ordination, skill and concentration to
> >> drive a car, it is far safer and far easier to drive a car now than at
> any time in the past. And companies are working on ways to make it even
> more so.
> >
> > And yet deaths via car crash remain perhaps the most frequent form of
> > death not due to disease. It's still dangerous. And your comment is
> > irrelevant, because any activity that a) requires human interaction
> > and b) has the possibility of harm to humans, financially or
> > physically requires vigilance and care on the part of those
> > potentially affected, no matter how well understood and technologically
> > developed.
> >
> >> Likewise the IT industry has to find better ways to keep things
> >> secure rather than relying on changing the entire human race's
> >> behaviour. Because the latter is a losing proposition - it always has
> been and always will be.
> >>
> >> Constant whinging by *IT Professionals* has done nothing to change that
> fact in the past 40 years.
> >
> > It could be argued that man's natural state is illiterate,
> > disease-riddled and violent. Before we could overcome that with better
> > technology, we had to change the culture, i.e., man's nature, and it
> > wasn't easy. Computing is a very new phenomenon, and 40 years is a
> > very short period of time to introduce a new culture.
> >
> >> Passwords may have worked when users only had to remember 5.
> >> These days it's starting to break down.
> >
> > And printed words only work when you have to recognize 40 or 50 and
> > maybe type your name.
> >
> >> So, what to do? Microsoft tried CardSpace, and building password
> >> memory systems in Windows and IE. Wasn't entirely successful. Some
> >> companies are trying federated identity systems (e.g. "login with
> >> your Facebook account"). Maybe the government should just issue
> >> people with smart cards (whether or not they are tied to your actual
> identity - at least they would be relatively impossible to duplicate, with
> today's technology).
> >
> > Tell that to the vendor of ORCA cards. And no, I don't want federated
> > identities - they will be abused. Check that - they are already being
> > abused.
> >
> >> The constant whinging about programmers, users and everyone else, on
> this list, is so tiring.
> >> No one is discussing solutions. Telling the entire population of the
> >> developed world to "suck it up" is not a solution IMHO.
> >
> > It's what we have. When you come up with something that is less
> > dangerous (and federation isn't it, nor are any government-mandated
> > solutions) and easier, I'll listen. I doubt it will come soon.
> >
> >> FWIW IT admins here seem to have no compunction re. posting the
> >> products they use, the configuration they have, the AV they have
> >> installed, their password complexity rules, their administration
> >> techniques, and the companies they work for and when they are
> out-of-the-office etc. It's rank hypocrisy.
> >
> > Uh, you're going to have to connect those dots for me. Aside from the
> > last two (revealing your company on-list is a big security mistake,
> > IMHO, and OOFs are a form of moronity, regardless if they're imposed
> > by corporate rules), I consider those part of the community education
> > process, which is what we're trying to do with users. Of course, when
> > some of our community state to users that passwords are passe without
> > giving real alternatives, that would be hypocrisy...
> >
> > Kurt
>
