Sunday, October 4, 2015

attack, defense, IT systems, people, thoughts

I always remember the talk about attack and defense theory; in its simplest form it says that a prepared defender has a 3 to 1 advantage over the attacker, or that a prepared defending force will destroy as many as 3 times the forces attacking it. That is a theory proven in war and blood, so why does it not work like that in IT attack and defense?

I love to think about it :)

It says a prepared defending force, which is a joke if we are talking about current IT systems, government or business. Just look through the different reports about incidents, data breaches and so on: they show clear signs of systems being neglected, not administered, or deliberately ignored.
And still, if you read about the people involved, their titles and references carry a lot of certifications and buzzwords. There are a lot of certifications around that will certify systems, tools and people, which is a bit fishy since it is a very lucrative market.

My favorite example is the CISSP certification, very popular among people managing or directing IT systems, but I have a wooden feeling about something designed by accountants with an accounting audit approach rather than a system engineering approach. It is a long exam of questions answered out of textbooks and standards, with nothing practical and, worst of all, nothing creative or even scientific in its method. If you read about it, it shows pure theory and standards, something nice to have, but it gives a beautifully false feeling of capability and knowledge. There is not much mention of practice, experience with real systems, effective analysis and the like. It gives me the image of someone applying procedures without understanding why those procedures are there in the first place and without a clue how to create new ones (a politically correct way of saying: knowing when to break an old procedure because it no longer makes sense).

It always reminds me of Admiral Hyman Rickover and his attitude to project management, system management and control. It is a bit of a dinosaur approach, but I still think it is worth rethinking and putting into the context of the modern world. The development of the strategic nuclear submarine fleet was essential for the world's survival during the Cold War; it was actually a key element of the MAD triad approach that made a major war senseless or unwinnable. There are some similarities in securing IT systems today, especially critical systems. From forums and conferences it is obvious that the US DoD and the rest of the military are thinking about it, but for the non-military world I am not sure.

It is worth reading his papers and some additional material on nuclear strategy, especially on the quality control problems in early submarines and on training and personnel issues, and thinking about the long-term implications. The lessons learned in that far-away period are still valuable, but it is not straightforward how to apply them. I suppose simplification, a lack of understanding of the whole system, and even an unwillingness to understand your own system are critical problems today, something that cannot be solved through current trends and practices. All of this gives the attacker from the first paragraph a huge advantage.

8th October 2017
A very nice article, "What's wrong with the CISSP", talks about how the certification can be misunderstood and the implications of this misuse.
