Re: Security Paleontology - The Jurassic Park rule
From: Dennis Groves <dennis.groves () gmail com>
Date: Thu, 17 Jul 2014 14:04:03 -0700

On Thu, 17 Jul 2014 10:11:02 -0400
William Arbaugh <warbaugh () gmail com> wrote:

> On Jul 17, 2014, at 9:51 AM, Dave Aitel <dave () immunityinc com> wrote:
>
>> I got a bunch of replies that said this:
>> Dave, enjoyed reading your rant, but I don't understand your
>> punchline on securing data -- "but in fact, just to make it less
>> valuable" - how do you make data less valuable? """
>
> Ultimately, we're suffering from the sins of the early days of
> information assurance. The focus then, as now, was on protecting the
> computers and networks. Instead, the focus should have been on
> protecting the data.

Data is IT Security, and you are correct: it has to be protected, and
to date it seems this has not been done well, if at all.

However, Information Security is about protecting the VALUE created by
the data for both the business and its customers. Businesses are
trading on the /value creation/, not the data. That value is usually
unique to the business, and the business is able to do something
faster, cheaper, at scale, bespoke or whatever for the customer.

Additionally, the value which is created is also valuable to those
who may be able to benefit either from the disruption or
destruction (sabotage) of that business's value creation or from being
able to profit from the value that the business created (arbitrage).

Information security is much harder because that value creation is very
often not found in hard assets, but often in things like the
efficiency of a supply chain or some other epiphenomenon that results
from the system.

If you don't know the threat, how do you know what to protect?
If you don't know what to protect, how do you know you are protecting
it? If you are not protecting it, the adversary wins!

Dailydave mailing list
Dailydave () lists immunityinc com