Computerworld - I've heard many metaphors for information security, but one of the more interesting ones compares IT security to the field of dentistry. Dentists used to spend all of their time fixing cavities, and information security professionals did nothing but respond to intrusions. Now dentists and security professionals alike focus much more on prevention and less on remedies. Dentists emphasize cleanings, fluoride rinses and sealants; IT security stresses training, patching and removing risks. When IT security professionals assign passwords, they give the same advice as dentists offer when they give out toothbrushes: Change it often, and don't share it with others.
IT security certainly can't be summed up with a single metaphor, but if pushed to do so, I'd liken my team's role to that of the space marines in the 1986 film Aliens. In that movie a fearless but fairly naive group of marines are devoured by ravenous alien creatures. The aliens have acid for blood, so most attempts to kill them result in damage from the spraying acid.
For us, the endless series of vulnerabilities we discover in our systems come at us like waves of aliens. We are trained and armed to deal with them, but each response to a vulnerability causes collateral damage. Systems become a little less stable, our administrative teams grow less willing to follow our requests, and my team takes a step closer to burnout. Other than doing what a character in Aliens suggests, "nuke the entire site from orbit -- it's the only way to be sure," what can we do?
First we try to get a grasp on what vulnerabilities are coming over the horizon. The sooner we know, the better we can prepare and distinguish the truly frightening vulnerabilities from the minor issues.
Keeping Score
We get information from hundreds of sources, including the Department of Homeland Security, commercial subscription services, other companies in our industry and even vendors, which often provide the initial warnings about weaknesses in their products.
Sadly, there's no generally accepted and followed taxonomy or criticality measure for each weakness found. So we have staff that manually assesses the vulnerability information we receive from these sources, and we map it into our own priority levels, on a scale from 0 to 10 (most critical).
We used to just make sure that we addressed the high-priority vulnerabilities, but SQL Slammer changed that. We initially ranked it low, and because of that, we never got around to fixing it before the worm hit, even though we had a fairly
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
