7/1/08

Conventional Wisdom vs. Wisdom

In February, Dark Reading published “The Myth of Conventional Wisdom.” I posted a comment. A rebuttal, really. It is no longer on the website. (There are no comments or discussions for the article.) I think the discussion—what Tim wrote and my opinions—might be useful to present here. So, read his piece (let me know if the link no longer works; I saved a copy). And then read what I suggest, below.

I believe you’ve misused the term “conventional wisdom.” Conventional wisdom consists of things that are generally accepted as true by most people, not by experts in the field. I suggest that if you ask experts in the field—and for grins, let’s stick with people who have been in the business for more than 2 years—you will find that none of the things you mention came as surprises. In fact, they could have been, and have been, predicted. But, using the correct definition of conventional wisdom, I agree with your assessment of conventional wisdom in the info security realm.

You write, “The problem with IT security is that it’s not a conventional discipline. It changes with the nature of the business and the nature of the threat.” No. Particulars change, but fundamentally there is nothing new in the attack space, and has not been in years. Neither of the examples you give of zero-day attacks (are we really surprised that attackers go for the low-hanging fruit?) and identity fraud surprised experts in the field. The public believes that loss of 100,000 credit card names and numbers will lead to more people exploiting more cards. The expert knows that you are still more likely to have your card number taken and used by the young waiter who served you last night.

And what network or security expert said that “DNS systems were unassailable”? Steve Bellovin discovered flaws in DNS almost 20 years ago and security extensions to DNS started in the late 90s. But, yes, “conventional wisdom”—which we see is no wisdom at all—would say otherwise.

“IT security ‘wisdom’” is far from “fleeting.” We just continue to forget the past, and believe that everything is new and needing new solutions. “The security pro” who forgets the basics and neglects what has worked before “will surely be the first one attacked tomorrow.”
