Security is just broken
Filed in archive Security by Scott Wilson on January 15, 2009
I'm at the Seattle Tech Security conference today, and all I can tell you about it so far is that, despite quite a number of very excellent tools available, IT security today seems fundamentally broken to me.

Don't get me wrong; I think security is actually pretty decent in most organizations right now, from a historical perspective. There were years when no one even paid lip service to security; today, you aren't likely to find an enterprise without a security team, firewall stance, and a corporate anti-virus strategy. That may be a sad commentary on the environment today, but it's absolutely safer than operations were ten years ago. I guess I don't mean to say that security is terrible, but rather that our approach to it is broken (at least as evidenced by vendor presentations today).

If you have never read it, I recommend you start shaping your thinking around "The Six Dumbest Ideas in Computer Security" by Marcus Ranum. Although it's somewhat off the cuff and approaching three years old in a field which changes almost weekly, it's one of the most cogent statements I have ever seen about what is fundamentally wrong with the popular conceptions of IT security. I re-read the essay this morning before the conference got started, and as I sat through the first presentation, I just went down the list, checking off all the "cutting edge" concepts being presented that violated one or more of those rules.

The best thing I heard was in the first half-hour: the recommendation to apply whitelisting to application execution. But it also struck me that this is just an extension of the regular arms race by another name. While you can SHA-1 hash and whitelist your approved applications today, tomorrow you're going to find unapproved code executing in the guise of a Word macro or Java/ActiveX code. Both of these will easily pass the hash check, because the host process is Word.exe or Iexplore.exe, yet the code they run is just as far outside your control as if either of those executables had itself been compromised.
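The gap described above, as an added illustration that is not part of the original post: a hash-only allowlist approves the host binary and never looks at what that host goes on to interpret, so a macro-bearing document opened by an approved Word.exe sails through. The second policy extends the decision to content loaded by known script hosts. All file bytes and the macro-marker check are constructed stand-ins, not real binaries or a real macro parser; SHA-256 is used in place of the SHA-1 the post mentions.

```python
import hashlib

# Constructed placeholders standing in for files on disk (not real binaries).
WORD_EXE = b"constructed bytes standing in for Word.exe"
PLAIN_DOC = b"quarterly report, no active content"
MACRO_DOC = b'quarterly report\n<vba:AutoOpen> Shell("unapproved.exe") </vba>'


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The executable allowlist from the post: approved program binaries, keyed by hash.
EXECUTABLE_ALLOWLIST = {sha256_hex(WORD_EXE): "Word.exe"}

# Approved programs that will execute code embedded in the content they open.
SCRIPT_HOSTS = {"Word.exe"}


def hash_only_decision(exe: bytes, loaded_content: bytes) -> bool:
    """Policy as presented at the conference: if the host binary's hash is
    approved, the launch is approved. The content it loads is never examined."""
    return sha256_hex(exe) in EXECUTABLE_ALLOWLIST


def has_active_content(content: bytes) -> bool:
    """Constructed marker check standing in for a real macro/script detector."""
    return b"<vba:" in content


def host_aware_decision(exe: bytes, loaded_content: bytes) -> bool:
    """Extended policy: the host must be approved, and a host that interprets
    code may only open content without active content. (A real deployment would
    additionally accept content that is itself signed or allowlisted.)"""
    name = EXECUTABLE_ALLOWLIST.get(sha256_hex(exe))
    if name is None:
        return False
    if name in SCRIPT_HOSTS and has_active_content(loaded_content):
        return False
    return True
```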

After that, it was all downhill*. I didn't hear anything else that wasn't much more than a fear-tinged sales pitch for old concepts and tools revamped and updated with cooler names and new buzzwords.

It is to the vendors' benefit to perpetuate this state of affairs in security, of course; there's no reason I should be hearing anything different, from their perspective. Tools and seminars are lucrative, and as long as the threats exist and propagate, there is going to be a broad market for such 'solutions.' One of the upcoming seminars is about outsourcing security. I'm a big outsourcing fan, but I can't help but believe that this is another ill-favored trend in the security industry... a fundamental conflict of interest between your business and that of the vendor. It will always be in their best interest for you to depend on them, and so it will be against their interests to truly solve your vulnerabilities. Most outsourcing competes against other outsourcers or your internal processes. Security outsourcers, by contrast, are facing your fears, and their best interest will be served by masking those fears for as long as you pay the bills. When you frame it in that light, it's really more a sort of organized blackmail (except with respect to very specific services) than a real security solution.

I can't say that I have personally come to any epiphanies about better ways to secure your enterprise IT systems, but if pressed I think that I would say a good start would be to consider the challenges from a different aspect than they are typically presented. One of the slides the first presenter put up (a blatant attempt to be scary, as far as I could tell) said in 18 point type: "Can you guarantee that your CEO's laptop is not compromised?"

I think a better question to ask yourself, to get at a real solution to your security issues, would be "Can you find a way not to care if your CEO's laptop is compromised?"

I'm not sure yet what the answer to that is, but it strikes me that it probably revolves heavily around virtualization, centralized control of data (rather than distribution of it), heavy encryption, and serious password enforcement or biometric controls.

*The exception was a last-minute replacement by Ironkey, a secure USB drive vendor, which I thought was both cool and useful.
