The information security field is not yet fully mature; there is a lack of cohesive interoperable framework.   The rapidly evolving landscape adds to the existing problem. There are several examples: Intrusion Detection System (IDS) was quickly overtaken by Intrusion Prevention System (IPS).  On the Firewall arena: the focus has moved from perimeter security to end point security.  There are some security visionaries who are preaching inside-out security approach i.e. building products with information security in mind from the beginning.

Threats are moving higher up in the OSI stack making it harder to detect. Hackers are becoming more sophisticated – there are powerful free open source hacking tools available at their disposal. Security managers driving security initiatives without co-ordination can result in pieces of puzzle that don't fit well. Agency problem i.e. security managers thinking more about their personal advancement rather than security of the company is bad for the company’s security initiative. Security leaders who do not have a clear vision of

security at the component level, the administration level and the strategy level can only make information security even more convoluted. The CISO and acting CIO of US Dept of Veteran affairs resigned after the breach in May, 2006 where personal data of 26 million veterans and more than 2 million service members was stolen. This clearly demonstrates the accountability and visibility of security leadership.

The attitude of IT security leaders and security team members has a significant impact on security.  Reckless buying of information security technology can result in wasteful expenditure and very little gain in efficiency. Not understanding the business perspective of security issues or security perspective of business issues can lead to poor security decisions. Using security as a mechanism to gain control rather than using it as a tool to reduce risk can only diminish the perceived value of security initiative. Implementing security as an afterthought rather than building it into the framework not only result in poor architectural decision. Security investment is more like buying insurance. Thinking security as a vehicle providing an ROI can result in wrong expectation and lead poor decision. The business in which a company operates contributes largely to the perceived importance to security. Financial institutions usually have a higher bar on security because of the very nature of their business and their exposure legal liability. It is a good idea for many technology companies to emulate financial institutions to raise their information security bar.

It could be a pipedream to accomplish complete  information security but accomplishing a well managed information security program is an attainable possibility.

• Application/Service layer -39%
• OS/Platform layer - 23%
• Exploit known vulnerability -18%
• Exploit unknown vulnerability - 5%
• Use of back door -15%

That is over half - 62% of hacks — targeting the OS and App layers. Breaches have been moving up the OSI stack in recent years.

Taking the bot controller offline may kill a botnet. As a result, many bots use a Dynamic Domain Name System (DDNS) or have a list of backup IP addresses to survive such an event. Bot technology is rapidly evolving, often aided and abetted, unfortunately, by the open-source movement. [Emphasis Matt's.]

So Matt does his due dilligence and cannot find any evidence to back up what McAfee says. On top of this Matt remembers that McAfee said in in a recent financial statement that open source licensing is a threat to its business (again these are Matt's words). From there Matt looks up botnets in Wikipedia or some other such place and finds out that botnets are mostly installed on Windows machines. Well that is all this open source watchdog needs to get him going! Of course Windows gets more botnets, after all it is not as secure or as good and the people who use it are not as smart as Linux, the darling of the open source crowd.

So here is my problem with Matt's positions. Number one on the white paper, I don't think McAfee was talking about Linux versus Windows at all (as much as Matt would like to think so). I think McAfee is referring to open source applications like dynamic domain name systems (DDNS) and other open source enabling technologies. There is more to open source than Linux Matt. McAfee is saying that hackers are using the same open source components and network enablers that many legitimate applications are using, to make more effective and dangerous malware. The open source crowd is not doing it on purpose, but it is being used. What is the big deal here. Matt don't you agree that people can use tools for good and bad. Just because it is open source does not mean it cannot be abused or used for malicous purposes. Stop being so sensitive Matt!

Further on McAfee's earlier statement about open source licensing being a threat. Come on guys. It was boiler plate provisions that some of the applications and products that McAfee itself sells contain open source components. Depending how and when a real court ever interperts OSI licenses like the GPL it could have a profound impact on McAfee's business. It could have a profound impact on a lot of businesses for that matter.

Bottom line Matt, I think you are barking up the wrong tree here. Why not head back to the doghouse and wait for the next unsuspecting stranger to walk by and who tries to say anything bad about open source. Me, I think I will appreciate all of the good that open source brings, but realize it can be used as an agent for evil as well.