This is the second of the Top Five Reasons Why I Hate Network- and Computer-Security. And I will give some examples.
Example #1: My friend Dave Piscitello points to a NetworkWorld article he wrote, Neglecting identity management. It is part of a series, and he mentions the others in his Blog #550. In it he lists the other “Six Worst Security Mistakes.” And his blog proves my point, as every one of them, including his, could have been a magazine article 5 or 10 years ago.
Now, hear me clearly: Dave’s article is, of course, excellent. My point is not that his or the others are somehow not relevant. My point is that they should be old news, at least when it comes to proving the point. Mechanisms and methods change. The fact that identity management is not to be neglected, or that training is important, or that product “bells and whistles” should not be a security selection criterion (in the early 1990s the flashiest, not the most securable, firewall “won”), or that one needs a security architecture (and most companies would benefit from a policy for a plan), does not change my point. We are talking about these things—and writing multi-page magazine articles—like it is all new stuff. We didn’t get it 5 or 10 years ago. We’ll get it now?
I will give another two examples. I pulled them out of my presentation folder from two courses I used to give for the Computer Security Institute. I will blog on each, and I think you will agree that they are still accurate. They are from 2003 and 2004. The examples were old and relevant then.
Example #2: Top Ten Security Admin Errors.
Example #3: Top Ten Security Threats.
By the way, I talk about the same old stuff in a blog entry from 2004 in Security Redux. It, too, proves my point.