This slightly rambling post was born out of some fun conference discussions as well as pondering the “PCI is the Devil” theme. An interesting dichotomy emerged as a result. Let’s temporarily call it “smart” vs “stupid” security, but if offensive labels … well … offend you, you can pick something else instead :-)
The table below shows some concepts loosely associated with each security paradigm (of course, this whole thing is a gross oversimplification, but useful for our purposes nonetheless):
| “Smart” Security | “Stupid” Security |
|---|---|
| Incident response | Badness prevention |
| Risk (to the extent understood … which is often not much) | Compliance, “doing the minimum checklist” |
| C of C-I-A, moving to I | A of C-I-A |
| Monitoring for attacks | “Nobody wants to hack us” |
| Logging + log analysis | No logging |
| Application security | Network security |
| System perimeter, application perimeter, network perimeter, “data perimeter” | Network perimeter |
| Firewalls, SSL, AV, IDS/IPS, WAF, SIEM, DLP, DAM, SDLC, VM, etc. | Firewalls, SSL, AV |
| People | Boxes |
| Visibility (striving for it) – know control is impossible | Control (failing with it) – afraid of visibility |
| Metrics (striving for it) | FUD |
| Want to know how secure they are | Afraid to know – but want to just “be secure” |
| 0wned (know it, care to have less of it) | 0wned (don’t know and don’t care) |
Now, forget my “offensive” column labels that I added to purposefully confuse you :-) Even though the security literati prefer to call the left column “smart”, “correct”, “good”, “risk-based”, “new school”, etc. while labeling the right column “stupid”, “wrong”, “evil”, “checklist-based”, etc., it is more useful to think of the left as “RARE” and of the right as “TYPICAL” if you consider organizations of all sizes.
However, things are actually a bit worse: even the “TYPICAL” security from the right column is more than some smaller organizations have. And this is where PCI DSS comes in, an angel with a flaming sword :-) In this context, PCI is a noble attempt to bring many organizations to somewhere better than the above “typical” level. And this is why I think it is awesome.
P.S. If you were expecting a post on why PCI sometimes IS the devil, that will come later :-)