<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: whack]]></title>
    <link>http://securityratty.com/tag/whack</link>
    <description></description>
    <pubDate>Mon, 25 Feb 2008 10:59:58 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Andy sees the light]]></title>
      <link>http://securityratty.com/article/71f1d10181e7d4f99a675b10639b4d19</link>
      <guid>http://securityratty.com/article/71f1d10181e7d4f99a675b10639b4d19</guid>
      <description><![CDATA[As per usual the man-in-the-trenches Andy-It-Guy comes up with some excellent observations.

He has found an example of what Bruce Schneier calls movie plot security. What is also known as...]]></description>
      <content:encoded><![CDATA[As per usual the man-in-the-trenches <a href="http://feeds.feedburner.com/%7Er/AndyItguy/%7E3/321307284/why-process-trumps-technology.html">Andy-It-Guy</a> comes up with some excellent observations.<br /><br />He has found an example of what Bruce Schneier calls movie plot security, also known as "whack-a-mole" security or knee-jerk reaction. Essentially, something goes wrong and we put in controls in case it happens again. Then something else goes wrong ... we put in something different. Ad infinitum.<br /><br />(The name "whack-a-mole" comes from the game where you have a mallet and you keep whacking plastic moles on the head. Every time you are successful a new mole pops up.)<br /><br />This is a solution, but it's not the best solution. And in case you think that it is a terrible solution, think about what anti-virus, anti-spam, anti-spyware, firewalls, IPS, patch management etc. are: point solutions to single issues. Whack-a-mole solutions. Knee-jerk reactions to problems that crop up.<br /><br />The one technology in the above list that is unfairly listed is the firewall. Best practice states that you should block everything and enable only what you need. But in the past firewalls were generally configured to block only what was bad and to open up everything else. Then they started to block everything inbound and allow everything outbound by default. We have learned our lesson with firewalls.<br /><br />Antivirus too is starting to move from "detect and delete the following..." to "detect strange happenings from all software... but ignore this that we know is supposed to have extra access."<br /><br />Note the move from "allow all and block specific known bad" to "block all and allow specific known good".<br /><br />I think that the challenge going forward will be for us to create an environment where it is possible to tie down exactly what every single person in the organisation does. Make sure that the technology supports this. Make sure that deviations are blocked.<br /><br />And on top of that allow for agility.<br /><br />This is not impossible, but it won't be easy. And there won't be turn-key technology solutions to achieve this.]]></content:encoded>
      <pubDate>Tue, 01 Jul 2008 09:40:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/whack-a-mole">whack-a-mole</category>
      <category domain="http://securityratty.com/tag/whack">whack</category>
      <category domain="http://securityratty.com/tag/whack-a-mole solutions">whack-a-mole solutions</category>
      <category domain="http://securityratty.com/tag/solutions">solutions</category>
      <category domain="http://securityratty.com/tag/block specific">block specific</category>
      <category domain="http://securityratty.com/tag/turn-key technology solutions">turn-key technology solutions</category>
      <category domain="http://securityratty.com/tag/block">block</category>
      <category domain="http://securityratty.com/tag/mole">mole</category>
      <category domain="http://securityratty.com/tag/technology">technology</category>
      <source url="http://feeds.feedburner.com/~r/SecurityThoughts/~3/324675468/andy-sees-light.html">Andy sees the light</source>
    </item>
    <item>
      <title><![CDATA[US Government planning to spend 10% of its IT budget on cyber-security by 2009. ]]></title>
      <link>http://securityratty.com/article/aafce662d419376fb2afe9558f2cde27</link>
      <guid>http://securityratty.com/article/aafce662d419376fb2afe9558f2cde27</guid>
      <description><![CDATA[This article in GSN caught my attention on the proposed IT budget numbers released by OMB (Office of Management and Budget). The 10% spending on cyber-security may seem surprising to some, especially...]]></description>
      <content:encoded><![CDATA[<p>This article in <a href="http://www.gcn.com/online/vol1_no1/45798-1.html">GSN</a> caught my attention on the proposed IT budget numbers released by OMB (Office of Management and Budget). The 10% spending on cyber-security may seem surprising to some, especially when compared to an average 8% of IT spend in the commercial sector across North America and Europe. While many of us have seen stagnation in our security budgets, the US government has increased its cyber-security budget by a whopping 73% since 2004. The media has picked up on things such as DOT (Department of Transportation) more than doubling its budget while DHS (Department of Homeland Security) had less than a 5% increase, suggesting that they don’t have their priorities right or that we should fund federal agencies based on how well they do on FISMA. These numbers may seem a little out of whack, but here is why I think the US government is headed in the right direction.</p>

<ol>
<li><strong>US government should be spending more than the commercial sector.</strong> The impact of a successful attack on US government infrastructure would entail much more than reputation damage. It would affect the morale of the people and ultimately affect the economy. We have already seen reports of government-backed cyber-espionage, and with time it will only increase.</li>

<li><strong>Some government agencies need more budget than others.</strong> Two-thirds of the increase in the 2009 cyber-security budget can be attributed to the Department of Transportation. It more than doubled its IT security budget and is planning to spend almost a quarter of its IT budget on security in 2009. I suspect that more agencies will enter a similar security catch-up phase in the coming years, which will keep US government cyber-security spending high.</li>

<li><strong>Mature agencies do not require as much cyber-security spending.</strong> There was a lot of talk in the media about how all the increased spending is going to obscure agencies while budgets for DOD and DHS have increased only nominally. I think that makes sense. DOD and DHS have been spending on cyber-security since before we even knew what it was. They have mature security postures and don’t need a lot of catching up.</li>

<li><strong>You have to ensure a healthy balance between new initiatives and maintaining existing ones.</strong> The government is spending more than the commercial sector on development/modernization/enhancement. The US government plans to spend 35% of its IT budget on “new” things. If this translates into a similar percentage for cyber-security, it puts the government well ahead of the commercial sector, which stands at 25%.</li>

<li><strong>Compliance should not be a yardstick to measure security.</strong> There have also been rumblings in the press about how some agencies are not secure because they have not completely complied with FISMA, and some have even suggested tying agency budgets to FISMA compliance. I think this would not be the right approach. FISMA compliance, like any other compliance mandate, can be achieved without any incremental improvement in security, as long as you know how to cross the t’s and dot the i’s.</li>
</ol>

<p>The US government may be headed in the right direction with the spending, but the effectiveness of security will largely depend on where the money is spent.</p>]]></content:encoded>
      <pubDate>Mon, 25 Feb 2008 10:59:58 +0000</pubDate>
      <category domain="http://securityratty.com/tag/cyber-security">cyber-security</category>
      <category domain="http://securityratty.com/tag/budget">budget</category>
      <category domain="http://securityratty.com/tag/cyber-security budget">cyber-security budget</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/government">government</category>
      <category domain="http://securityratty.com/tag/measure security">measure security</category>
      <category domain="http://securityratty.com/tag/security budgets">security budgets</category>
      <category domain="http://securityratty.com/tag/mature security postures">mature security postures</category>
      <category domain="http://securityratty.com/tag/government infrastructure">government infrastructure</category>
      <source url="http://blogs.forrester.com/srm/2008/02/us-government-p.html">US Government planning to spend 10% of its IT budget on cyber-security by 2009. </source>
    </item>
  </channel>
</rss>
