You know that alarm system you bought? How often do you turn it on? How often do you check to see if it is working? Do you think about your habits and whether having them makes you more at risk? For instance, do you close the garage door before you open your house door, ensuring that no one runs under the garage door and into the house? When you enter in the code on your alarm system, can someone see it from the windows? Do you pay for the alarm company to monitor your system? How often do you change the code? Yes, just putting up the signs in your windows or front lawn deter people, it isn’t a guarantee. Yes, buying the system is a big step but leaving it on the shelf does not do you any good. Stick with me here…
Recently I tweeted the comment that “security was better in a virtual world than a physical world”. I am a true believer in this statement and will continue to share the thought in my presentations and blog. The “push back” I received was not that the statement was incorrect but I used the incorrect words. This is exactly why I am not a huge fan of Twitter. It is hard for me to have a discussion about anything in 140 character bursts ala Twitter. I tweet thoughts and retweet other’s thoughts but having a discussion I can not. I certainly understand Twitter’s role in the industry and I certainly have not learned the correct process for it and have been corrected multiple times. Live and learn right?
What I love about security is the fact that security should always be based around a discussion. Security is NOT about products. Security is about implementation and how it is implemented. For instance, you can have a secure environment with one product… a door lock. Put the server in a locked room that only has access by one person and you never put the server on the network. Now this might be idiotic but there are use cases around it. Every security discussion requires a use case and an understanding as to what risk the customer is willing to take and then a solution is built around this. But a solution does not work unless it is implemented (correctly) and continuously monitored. If you put it in place and then just leave it assuming it is just going to work… you are crazy. Security is a daily… hourly… minute… second by second responsibility and if you take your eye off of it for just a moment, you will lose sight of why you implemented it in the first place. Security is nothing without the correct policies in place.. without defense in depth. If you do not understand the infrastructure, if you don’t know the business you are trying to protect, there is nothing that can save you.
In the long run, security isn’t better in any world unless it is implemented correctly and is constantly rechecked to ensure the implementation is doing its job. There are new viruses, new attacks, new technologies, new everything on a daily basis and in a security world, you need to keep up with it. Now I still believe that security in a virtual world is better than a physical world and luckily I had already had this discussion with the customers on the day that I sent the tweet. The customers knew why I made a comment like that but to the average citizen, they may assume that they can set it and forget it but security is nothing like that. There is a language to security and a dialog that is much longer then twitter… That is why I started this blog.