Monday, September 26, 2005

Preoccupied with firewalls

Firewalls a dangerous distraction says expert

I don't know who Abe Singer is but he makes a great point that I have been touting for years. Look at your infosec program and count how many people you have dealing directly with firewalls. Now, count how many people you have dealing with application security audits, standards, reviews, etc. More than likely, you only need one hand to count the latter. That is why there is such a problem with insecure applications on the Internet. It starts with misunderstanding your threat model and continues with inadequate staffing and misplaced priorities.

A preoccupation with firewalls is diverting attention and resources away
from the more important issue of locking systems down, according to an

Computer security researcher at the San Diego Supercomputing Center
(SDSC), Abe Singer said companies can spend 90 percent of their security
efforts on firewalls and not much of anything else. "I'm not saying
firewalls are completely irrelevant, but how much effort do you spend on
security?" Singer asked. "Do security at the host, not just the
perimeter. You should be worried about what users are doing, because if
an attacker is going through the perimeter [without secure hosts] then
it's game over."

