Tuesday, September 19, 2017

What can we learn from Equifax?

So, anyway, this year the world has taken a couple of pretty big hits, between Equifax and RansomWorms like WannaCry. It's time to see what we can learn from them. Let's think about Equifax first. Although it left a bigger mark, it's a simpler solution. Patch, damnit! Patch! It's got nothing to do with some poor soul's music degree, or lack of degree. The patch was released months ago, and it was simply a grievous mistake to not patch, but people are human, and, unlike my dear readers, very few of us never make a mistake. It's also worth remembering that, just as humans are only human, all software has a weak underbelly if you look hard enough. One of my favorite security truisms is that security and functionality tend to exist in an inverse relationship. What this means is that the more functional you make something, the less secure it tends to be, and the world demands that we build for functionality. What this means is that someone will always be discovering a problem with something we care about, and if there's a patch available, patch it. Job done. Well, _that_ job's done, but there are other issues... You might be spear phished. You might get a malware infection. There are plenty of those to go around. You might have un-patchable IoT devices on your network. This is all still emerging. We will talk about these things at other times, but remember this ... there is no panacea. Remember that the best security is like layers of swiss cheese. Any one layer has lots of holes, but if you layer another slice on top, they cover up each other's holes. Put enough layers on top of each other, and you are much stronger. Never invulnerable, but _much_ stronger. This, unfortunately, is a part of the fabric of the Internet, and is simply a cost of doing business. It hurts, but it is what it is. Take care out there, folks. Www stands for World War Web.

No comments: