Does anyone else get sick of the seemingly identical stories about network security issues? The news media and industry websites report breaches of one company or another almost in passing nowadays, and I doubt anyone even takes it seriously. The names are changed, but other than that the story is already written for the reporters. Copy, paste, search and replace, save, publish. I think the details of the attacks are important for researchers to understand; however, what ground does it gain with the decision makers and business owners when it all becomes white noise?
Even worse, recently there was a major arrest of an elusive hacker group and the story remained almost hidden from the media that day. I read it on the Fox News website and I watched how the rest of the major news media went silent on reporting the story for some time (CNN, MSNBC, ABC, NBC, etc.). Even an industry magazine, SC Magazine, was silent on the breaking news.
If we are ever going to experience real change and real progress in fighting network security issues, then new techniques need to be used. Otherwise the dance continues with the same song and partners. The security issue is found, hackers exploit it, and systems are patched to plug the hole. Wait 48 hours and repeat the steps.
In America, we do the same thing with our politicians. We constantly elect the same people from the same group. We say to ourselves, “Oh, this one is better. She isn’t like the rest.” Or, “If we give this guy four more years it will finally work.” I suspect this same behavior exists in other countries. We have to break this cycle if we want true change. We have to say, “Um, no. You blew it. Time to go home. Bye Bye.”
We fire salespeople who don’t meet expectations, yet when it comes to real issues we always want to believe this time will be different.
Everything will be different when we change our ways. Instead of patching these devices, let’s just start over. When a vendor’s product is found to have issues, get a different one. Forget the words or materials on the product. This or that let you down. You blew it, time for something different. Take action. Forget talk. (Hint: Every vendor will give you a discount to switch to them, so there are always savings.)
But if the issues are caused by poor setup and configuration, you need to take a different tack. Do the same thing with your consultants, analysts, and auditors. Hold people accountable for their actions. Your not putting up with mediocrity will change the current track.
But when something is working and everything is in sync, stay the course. The waters are always calm when everything is perfect.