A dangerous cyber security disconnect

I'm starting to think there's a complete disconnect in the security industry between what vendors are trying to sell and what's best for organisations to concentrate on.

For me, the penny dropped during the recent Security 2012 event in Sydney.

On the one hand, the trade show floor was packed with surveillance gear, especially the latest in video cameras and the massive data storage systems needed to store all their high-definition footage should it ever be needed.

"Having done the #security2012 hall I realise that security in 2012 is that everything is a threat and you should record it all in 1080p," tweeted Gavin Costello, a security product manager. 

Costello is right. The range of video surveillance products now available ensures that nothing need be left unrecorded.

Cameras for indoors and outdoors. Infrared cameras for use in the dark. Trailer-mounted camera masts that can be set up wherever surveillance might be needed at short notice. Even sub-$200 webcam-style cameras so you can turn your own home into a panopticon.

It's the same mindset behind the rhetoric that says information security is a big data problem and, as RSA executive chairman Art Coviello put it earlier this year, we're only held back by slow-moving governments and their pesky privacy laws.

It's the mindset that leads the intelligence and law enforcement agencies to seek ever more data to analyse. It's precisely what drives the data retention proposals in the current parliamentary review of Australia's national security laws.

If only we can collect that one missing piece of information then everything would make sense.

(In a similar way Mark Zuckerberg seems to believe, at a personal level, that if only he had that one last piece of data about another person then he'd understand them. Hence Facebook.)

But on the other hand, the message delivered upstairs in Security 2012's conference stream was rather different.

Security isn't about mindlessly gathering ever more data, but developing a better understanding of the data you do have, gained through better sharing of information and knowledge with your allies.

Even Attorney-General Nicola Roxon stressed this in her otherwise routine keynote.

"The 9/11 Commission identified that if information had been shared more effectively, the ability of the US intelligence systems to either prevent or mitigate the effects of the terrorist attacks would have been improved," Roxon said.

"We now see the mantra of managing information has moved from a basis of 'need to know' more to the basis of 'need to share'."

Security certainly isn't about technology and standards, but about the ever-present human factor.

"The [ISO] standard for IT, this 27000 series, will not protect you from the type of cybercrime that we're talking about when we talk about state-based espionage or high-level criminal attack," said Jason Brown, national security manager for defence contractor Thales Australia.

"It's actually the culture of the organisation, the capacity for [staff] to say 'There's something wrong with this message' or 'I've got a problem with my system' and do it really quickly," he said.

"Every employee needs to be thinking about security the same way they think about brushing their teeth each morning," Brown said.

Even the advice from Australia's Defence Signals Directorate that just four simple strategies can prevent 85 percent of attacks -- advice based on their award-winning research -- requires nothing new to be bought.

Patch your applications. Patch your operating systems. Limit admin-level access to those who truly need it. Set up application whitelisting, so only approved software is allowed to run.

None of that is something that vendors can sell.