I’m Not Secure and You Can’t Make Me.

It's that time again, and Kevin Riggins serves this week's fudsec dish.  If you have any influence over infosec purchasing decisions where you are, you should read this.  My thanks to Kevin!

By Kevin Riggins

Do a Google search for the following: 

"make.*secure" +"press release" computer network 

Go ahead, I’ll wait. 

When I sat down to write this piece, I searched for that phrase. My results? 303,000 items. Granted, many of them have nothing to do with information security, but the first three in my search results did. 

It seems like I see advertising or a press release just about every day that spouts some sensationalist drivel about how you are going to get hacked in the next five minutes. This is followed up with "just install our product and you will be secure." These ads and press releases are aimed at both individuals and companies. 

First, I want to make something clear. I am well aware that if you stick an unprotected machine on the internet, it is not going to last 60 seconds, let alone 5 minutes. I am not arguing that the threat isn’t real.  

The problem I have is the use of fear to sell an idea that is patently false. That idea is that any product can make a system or network secure. There is exactly one way to make a system or network completely secure. Keep it turned off. 

The best we can hope for is to increase the security of our systems and networks by:

  • making risk-appropriate decisions about what technologies to implement
  • making appropriate design decisions, again, based on risk
  • ensuring that the products we use and build are engineered in a manner that addresses known issues and resists the introduction of new vulnerabilities

Yup, I said it: risk management, intelligent design, and secure development will make your environments more secure. They will NOT, however, MAKE you secure. Nothing will. Sorry.