Article 1: You’re Not Alone, We’re All Confused

This article is part one of a three-part series titled “Security – Back to the Basics”.  The purpose of this series is to take you from a state of confusion about information security (article #1, “You’re Not Alone, We’re All Confused”) to an understanding of information security basics (article #2, “Information Security Basics”).  The third article (“Basic Security Starts Here”) will wrap the series up with some practical advice about what to do next.

The Confusion Pandemic

At no point in the history of our industry, the information security industry, have things been more confusing than they are today.  Some days it seems like everything about this industry is confusing, and not just confusing to the layperson, but confusing to the experts as well.

Here are just a couple of examples (out of thousands) to prove the point.

The Laypersons

No matter where you look there’s a news article about the latest breach or a sales pitch for the newest gadget that will protect your organization.  The news articles often state how “sophisticated” the attacks were and how skilled the attackers must have been.  The sales pitches for new products tout how they can stop attackers in their tracks.  People buy out of fear, the new product companies make millions, and your security is supposed to be better.  Is it?

Here are a few recent examples of news stories:

  • “has the hallmarks of a sophisticated attack” – Regarding the Office of Personnel Management breach affecting 21.5 million current and former federal workers.
  • “4,000 apps were infected as a result of the sophisticated attack” – Regarding the recent Apple App Store attack.

And the product pitches:

  • “Stop sophisticated attacks that a firewall alone can’t stop with our Intrusion Prevention System (IPS)” – Sophos Unified Threat Management product
  • “Now you can mitigate sophisticated cyber-attacks, identify the root cause of security incidents and thwart data breaches.” – ManageEngine EventLog Analyzer

Two questions come to mind: 1) are the attacks that we read about really that “sophisticated”, and 2) how important is it that we stop the “sophisticated” attacks?

In truth, most of the attacks we read about aren’t very sophisticated at all; they rely on basic weaknesses such as phishing, weak or reused passwords and unpatched systems rather than on novel techniques, and the products being pitched are not as effective as they claim.  Protecting against “sophisticated” attacks is probably not your biggest concern.

The Experts

Information security “experts” are, in general, just as confused as everyone else.

If you ask ten information security experts for their definition of information security, how many different answers do you think you would get?  If you answered ten, you’re probably pretty close.  I had one CISO simply state that “information security is keeping the bad guys out”.  Is this CISO’s definition a good one?  I can tell you that it differs from mine.  We’ll cover this question in more detail in “Information Security Basics” (article #2 in this series).

Confused?  This article probably did nothing more than cement the confusion.  That’s good.  We’re going to tackle the confusion by covering the basics of information security in our next article.

