AusCERT: "Security Isn't Secure"
9 April 14: Steve will make a "lively and timely" presentation to the annual AusCERT conference.AusCERT Security Conference 12-16 May 2014, Gold Coast.
Security isn't secure
The recent tragic experience of data breaches -- at Target, Snapchat, Adobe Systems and RSA to name a very few -- shows that orthodox information security is simply not up to the task of securing valuable digital assets. We have to face facts: no amount of today's conventional security is ever going to protect assets worth billions of dollars.
Our approach to InfoSec is based on old management process standards (which can be traced back to ISO 9000) and a ponderous technology neutrality that overly emphasises people and processes. The things we call "Information Security Management Systems" are not systems that any engineer would recognise but instead are flabby sets of documents and audit procedures. Audit has become a sick joke.
The deep problem is that computer systems have become so very complex and so very fragile that they are not manageable by traditional means. Security needs to be re-thought from the ground up.
If we can't protect credit card numbers today, we need do things differently, standing as we are on the brink of the Internet of Things.