Diversity as a form of Defense in Depth

I was thinking about David Maynor’s post on Cisco’s latest security updates. His feelings are quite clear on the danger of a homogeneous network:

Again let me state for the record how I feel about this: do not buy a single vendor solution for something as important as the very basis for how your network operates. I know you may get volume discounts or sales reps might take you to nice lunches but eventually something like this will happen.

A homogeneous network is a weak network. Yes, all products from every vendor have bugs and vulnerabilities. In a homogeneous network, all of those bugs and vulnerabilities are arranged like a row of billiard balls: one good smack on one end travels clear to the other end of the row. A single exploit against one vendor’s code works against every device in the path, so the attacker who gets in anywhere can keep going. In a heterogeneous network, the bugs and vulnerabilities don’t line up so neatly. In fact, the heterogeneous network looks more like a set of balls randomly dispersed on the table. A bump on one side is far less likely to make it all the way across, because the same exploit stops at the first device built on a different code base. That is a form of defense in depth.

Who wants to be a security actor

If we have security theater, then we must have security actors. Wouldn’t you love to be one? Now you can.

Thoughts on Jim Harper’s talk

While Washington, DC may not have a lot of companies working on identity technologies, it certainly has a lot of bright people working on identity policies. This afternoon I got to hear one of them, Jim Harper, speak about his research into identity and identification and his subsequent book, Identity Crisis: How Identification Is Overused and Misunderstood. If you haven’t read it yet, do so. It is an approachable survey of identity management and identification issues facing the U.S., set in the context of the REAL ID Act. (The short blurb I gave my mother-in-law about the book was enough to get it into her reading stack.) This wasn’t the first time I had the opportunity to hear Jim; Phil roped him into giving a keynote at Digital ID World last year.

There were two items I took away from his talk. First, Jim has an excellent analogy on how we protect physical assets versus how we “protect” electronic financial data. How many keys do you have in your pocket or purse? I’d wager it’s probably more than three. I’m also confident that you have a bunch more keys at home in a drawer somewhere. Each key matches up to an important physical asset: an apartment, a bike, a car, a safe, etc. In fact, you may even use multiple different keys to secure the same physical asset. Although it would be convenient, I don’t think anyone would use the same key for every asset they own; just the idea of it seems somehow unsettling. Jim makes the point: if people don’t use a single key for securing their physical assets, how come we use (or are coming dangerously close to using) a single key, the Social Security number, for “securing” all of our financial data?

More fun with airport (in)security

How much are we spending on airport security? How much have we already spent? Somewhere a bad guy is laughing so hard at this he’s actually peeing his pants.

NYT on Airport Security

The New York Times examines the TSA and airport security. Priceless.