Will We Ever Get Close to 100% Security? – On Location at RSA Conference 2011

Taher Elgamal, CSO, Axway

“We kind of know where the vaccines are going to come from. The mistake that people in information security get into is the perfect solution, a hundred percent ‘something.’ And a hundred percent does not work.”

Is the Future Filled with Data Breaches? – On Location at RSA Conference 2011

Taher Elgamal, CSO, Axway

“We will see a lot of these in our lifetimes, is the reality of it… Most people do not know how to manage information or access to it.”

Executive Decision: A commentary on Information Week’s “Federal IT Execs, Staff Disagree On Cybersecurity”

Taher Elgamal, Chief of Security, Axway

Taher Elgamal comments on Information Week’s “Federal IT Execs, Staff Disagree On Cybersecurity”

In What Context is Someone Trying to Access the File?

Hari Nair, Program Manager, Axway

Don’t Ignore the “Paranoid” Security Guy, Part 2

by Taher Elgamal
Chief Security Officer
Axway

(To read Part 1, click here.)

This is going to continue to be an arms race for a long time.

I don’t think society will actually change. People in important positions don’t even listen to financial experts, let alone IT security experts. And I’m willing to bet money that there is another financial problem that somebody has warned us about, and that nobody is paying attention to, because of the cost. People are hesitant to take action with anything that involves cost. I’m not saying you should spend money on a whim. But there are certainly a collection of experts in every single one of these technical fields that can make a judgment call as to how much risk a system is willing to take and when we must draw the line. And right now, we’re drawing the line so far out that a lot of criminals can gain a great deal of unauthorized access, and the level of fraud online carried out today is indicative of this.

The real issue is a fundamental lack of imagination on the part of the decision makers and CEOs. “Why am I going to spend all this money?” the CEO asks. The CEO waits until a regulation comes up. When the government actually speaks up and sticks a regulation to a certain type of company for something, the CEO puts forth the effort to get there. The problem with mere regulation—and this is how the entire system works—is that it doesn’t solve the real problem. It just makes people compliant. It does not make sure that the wrong people don’t gain unauthorized access, it just makes sure that the right people are acting just a little bit more safely. It’s true, I’ll admit, it is a little bit better to be compliant with all these regulations. But it does not address the real issue.

Finally, consider this:

If the concern over cyber issues is now an integral part of business, if it’s no longer a back office thing, if it’s now front and center, in the middle of everything, then cybersecurity people should be involved in the decision-making process, not just dismissed as back-office techies. That implies more training for the cybersecurity people to both be able to evaluate risk and to understand the particular business needs that the enterprise faces. Are you ready for that?

Don’t Ignore the “Paranoid” Security Guy, Part 1

by Taher Elgamal
Chief Security Officer
Axway

Michael Fitzgerald’s excellent piece for CSOOnline.com, “Organized Cybercrime Revealed,” continues to be pointed to on Twitter more than a month after its publication.

And rightly so. It’s a nice article, full of excellent details and compelling information.

But the thing that puzzles me always about an article like this is why it discusses, as news, something that is completely expected. If you put money in front of a criminal, what do you think they’re going to do with it? We’ve continued to blame criminals for criminal acts, which makes no sense: it’s what they do! When society provides opportunities for criminals to act like criminals, it’s society who is truly at fault.

If you would’ve asked anyone in the security/technical community—any reasonable CSO—at any time in the last fifteen years, “How will the profile of a hacker shift in the future?”, they would’ve told you that the smart hacker who wants to be famous by writing cute little viruses will be replaced by an actual criminal committing an actual crime, because things online aren’t secured very well. Sure, we have some controls and technologies deployed, but there has not been enough support to deploy even simple authentication technologies, and the absence of these technologies gives modern hackers gumption. The entire Web runs on passwords, and these passwords are very easy to guess. And that this is still the paradigm reflects a fundamental ignorance on the part of business people and governments. People who implement systems and run corporations—they don’t want to listen to security guys because security guys are, in their opinion, flat-out paranoid. Why would you want to listen to a paranoid guy tell you that there is a possibility that at some point in the future something bad will happen? But despite the fact that so many bad things are happening, and this “just ignore the paranoid security guy” attitude led to these bad things, we still think this way.

In the second part of this blog entry, I’ll speculate on where this is all going.

  • Calendar

    • July 2017
      M T W T F S S
      « Feb    
       12
      3456789
      10111213141516
      17181920212223
      24252627282930
      31  
  • Search