I was pretty excited this week when I discovered Answers.Yahoo.com. It has all the elements necessary to provide a forum for the free exchange of knowledge on a variety of topics, including security. It allows participants to post questions, which are then answered by the other members of the service. After several days, the question posted is closed for answers as members vote on the best answer. Points are given for posting a question, posting an answer, having your answer selected as the best answer for a specific question, etc. Like I said, I was pretty excited when I first visited this site. But my excitement quickly turned to disappointment.
Like all forums, the Yahoo Answers service suffers from user ignorance. Many answers posted are just plain stupid. Those are pretty obvious, so they cause no harm. However, there are answers selected as “best answers” that are wrong. Of course you can post comments about the wrong answer, but the participants don’t seem to care. The best answer, even if wrong, continues to rack up votes while the person requesting the information goes merrily on his or her way with an erroneous factoid lodged securely in the brain.
I decided to pass on this service. I have many other worthwhile activities to pursue. Someday, however, I hope to find a forum where knowledge and attention to accuracy actually has some meaning.
Security?
Monday, January 23rd, 2006

Picture this. A security manager sits quietly contemplating the previous several months. No known successful attacks against her network. No loss of revenue or productivity due to system failure/recoverability issues. Her team flawlessly executed two disaster recovery tests. Her boss is happy, telling everyone that the network is secure due to her efforts. Life is good. What’s wrong with this picture?
There’s nothing wrong with it if the security manager and her boss understand that this period of calm is temporary. As attackers come up with new ways to penetrate and compromise business networks, security teams must remain flexible, continuously working to adjust safeguards to keep the network safe.
Too often these periods of safe computing are perceived by management as an end state. In other words, security efforts have achieved their objectives; it’s time to move on to something else. This is dangerous thinking.
Security management is an ongoing process. It requires continuous monitoring, analysis, and adjustment to maintain information asset protection at an acceptable level. It’s the responsibility of the security professional to educate her peers, subordinates, and executive management about this fact. Failing to do so will inevitably result in a weakened network defense, and an eventual attack causing significant business loss.
Posted in All, Commentary