You will find 90% of everything in the corporate world is about ego. That's 
an old argument I'm not going into here. Time is money == insecurity. I 
seriously wonder what has to happen before we security heads are listened to 
on many of the problems that plague us.

There's no way to know if any given security program/system is a good one or 
not, except by logic. Have you asked yourself truly what it is that hackers 
find so interesting about what they do? Studies show that MOST aren't out to 
cash in on you in any way - the worst of 99% would be someone wanting to host 
their warez. So what is it?

The basics are that they have found a medium that has set your logic against 
theirs. You may consider one-upmanship and ego are thus inherent. As far as 
"being secure" no such thing will ever come about until the medium itself 
changes.

While saying that, much of today's corporate security needs are done 
automagically and I believe this is far more dangerous (the threat coming 
from that nasty 1% of hackers, remember) than not having the security there at 
all. At the moment we're trying to make the computer react to security 
threats like AIs, and the level of logic is less than a dog has at the 
moment. AND it makes you lazy. I've seen people setting their tripwire 
reports to cmp to the day before and only alert at DIFFERENCES, and things 
like this. I mean it's fine and makes for a small amount of data to go 
through, but regex just doesn't have the necessary intellect to do what's 
needed really.

Or perhaps we just need 24/7 internet security guards for those who can 
afford it, just like securing your property.

But what would they do differently from the admins? How would they 
differentiate themselves?

TF



On Fri, 7 Jun 2002 02:03, you wrote:
> I wanted to throw this question out to a broad range of security
> professionals because I have been struggling with this for quite some
> time.  The question is simple, but the answers elude me.  How does one
> measure the success of a security program?  I find it relatively simple
> to identify a risk and mitigate it using technology, but when corporate
> culture and business 'needs' butt heads with security requirements, I
> find myself losing more often than not.  Simple things such as DMZ
> environments versus punch-throughs to forcing patches on developers.
> They are quite simple to understand and to implement, and the cost is
> not a factor, it's plain and simple 'Time is money'.  But rarely does
> the 'Time is Money' come into play when rebuilding a box due to NIMDA
> or some other tragedy du jour.  OK, that's mostly bitchin' about life,
> but where I'm trying to go with this is; If you develop a sound
> security program, implement it both tactically and strategically, how
> do you really measure its success?  The number of incidents may go
> down, but even with a solid plan, the sheer number of new exploits and
> the fast rate of virus propagation may make the incident numbers go
> up.  This really isn't a measure of success or failure in my book.  Any
> suggestions, recommendations or general information would be
> tremendously helpful!
>
> Cheers,
>
> Leds!

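The "compare to the day before" tripwire setup TF describes has a concrete failure mode worth seeing in code: a change is reported exactly once, and the next day it has become the new normal. The script below is an added example, not part of TF's message, the original question, or Tripwire itself. It builds a constructed directory tree in a temp dir, hashes it with SHA-256 on three simulated "days", and runs two comparison strategies side by side: a rolling diff against yesterday and a diff against a fixed, trusted baseline taken on day 0. The file contents and the "trojaned ls" scenario are invented for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    This stands in for the snapshot a file-integrity checker stores.
    """
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[str(path.relative_to(root))] = hashlib.sha256(
                path.read_bytes()
            ).hexdigest()
    return digests


def diff_snapshots(reference, current):
    """Report paths added, removed or modified relative to `reference`."""
    added = sorted(set(current) - set(reference))
    removed = sorted(set(reference) - set(current))
    modified = sorted(
        p for p in reference if p in current and reference[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def any_change(report):
    """True if a diff report contains anything worth alerting on."""
    return bool(report["added"] or report["removed"] or report["modified"])


def rolling_alerts(snapshots):
    """'Compare to yesterday': day N is diffed only against day N-1.

    A change shows up once, then silently becomes the reference.
    """
    return [diff_snapshots(prev, cur) for prev, cur in zip(snapshots, snapshots[1:])]


def baseline_alerts(baseline, snapshots):
    """Compare every day against one fixed, trusted baseline.

    A change keeps being reported until someone deliberately re-baselines.
    """
    return [diff_snapshots(baseline, snap) for snap in snapshots]


def simulate():
    """Constructed scenario (hypothetical data, not a real system):

    day 0: clean tree, baseline taken
    day 1: attacker replaces bin/ls
    day 2: nothing further changes
    Returns (rolling_reports, baseline_reports) for days 1 and 2.
    """
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root, "bin")
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"original ls binary")  # constructed content
        (bin_dir / "ps").write_bytes(b"original ps binary")  # constructed content
        day0 = hash_tree(root)

        (bin_dir / "ls").write_bytes(b"trojaned ls binary")  # the compromise
        day1 = hash_tree(root)

        day2 = hash_tree(root)  # attacker is quiet; tree identical to day 1

    rolling = rolling_alerts([day0, day1, day2])
    fixed = baseline_alerts(day0, [day1, day2])
    return rolling, fixed


if __name__ == "__main__":
    rolling, fixed = simulate()
    for day, (r, f) in enumerate(zip(rolling, fixed), start=1):
        print(f"day {day}: rolling alert={any_change(r)} "
              f"baseline alert={any_change(f)} modified={f['modified']}")
```

Under the rolling strategy the trojaned `bin/ls` is flagged on day 1 and never again; if that single report is skimmed past, the compromised binary is now the reference. Against the fixed baseline it is flagged every day until an operator re-baselines on purpose. The baseline snapshot should itself be stored off-host or signed, since an attacker who can rewrite `bin/ls` can usually rewrite a local hash database too.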