Friday, November 20, 2009

Smart vs Stupid: But Not Why You Think So!

This slightly rambling post was born out of some fun conference discussions and well as pondering the “PCI is the Devil” theme. So, some interesting dichotomy was born as a result. Let’s temporarily call it “smart” vs “stupid” security, but if offensive labels … well.. offend you, you can pick something else instead :-)

The table below shows some concepts loosely associated with each security paradigm (of course, this whole thing is a gross oversimplification, but useful for our purposes nonetheless):

“Smart” Security “Stupid” Security
Incident response Badness prevention
Risk (to the extent understood … which is often not much) Compliance, “doing the minimum checklist”
C of C-I-A, moving to I A of C-I-A
Monitoring for attacks “Nobody wants to hack us”
Logging + log analysis No logging
Application security Network security
System perimeter, application perimeter, network perimeter, “data perimeter” Network perimeter
Firewalls, SSL, AV, IDS/IPS, WAF, SIEM, DLP, DAM, SDLC, VM, etc Firewalls, SSL, AV
People Boxes
Visibility (striving for it) – know control is impossible Control (failing with it)  - afraid of visibility
Metrics (striving for it) FUD
Want to know how secure they are Afraid to know – but want to just “be secure”
0wned (know it, care to have less of it) 0wned (don’t know and don’t care)

Now, forget my “offensive” column labels that I added to purposefully confuse you :-) Even though security literati prefer to call the left column “smart”, “correct”, “good”, “risk-based”, “new school”, etc while label the right column “stupid”, “wrong”, “evil”, “checklist-based”, etc, it is more useful to think of the left as “RARE” and of the right as “TYPICAL” if you consider the organizations of all sizes.

However, things are actually a bit worse, even “TYPICAL” security from the right column is more than some smaller organizations have.  And this is where PCI DSS comes in, an angel with a flaming sword :-) In this context, PCI is a noble attempt to bring many organizations to somewhere better than the above “typical” level. And this is why I think it is awesome.

P.S. If  you were expecting a post on why PCI sometimes IS the devil, that will come later :-)

Possibly related posts:

Dr Anton Chuvakin