Unbiased security - As It Is
Every year we read that nationwide information security budgets will grow by billions of dollars (which is, after all, your money), yet attackers remain more successful than the nation's government and businesses.
From one of our clients, who asked us to comment: "I had four credit cards replaced during 2016; the Bank of America letter listed fraudulent transactions made with a virtual card, which I never used and had no idea such a feature existed until I saw the bank letter."
Our comment: the attackers got into your Bank of America online account (the letter did not explain this), in essence by knowing your user name and password, plus your security question(s) if any were in use.
Once inside, they were able to create a virtual credit card in your account and use it. The open question is whether one account or millions were compromised this way.
The most common question today is WHY?
So we asked ourselves, more than ten years ago: "Why had a very simple security task not been finished in 60 days?"
Simply because security was managed by IT, using IT methods and IT style. See the details in our earlier article "General misconceptions about information security lead to insecure world".
Here is what we see as the major InfoSec problems:
- The InfoSec industry's main focus is money, not security. Profits are high, but the mainstream does not invest in new methods, and "security research" now means bug hunting rather than research into how to improve the nation's security. Product quality suffers from shortened development time and from savings on cheap H-1B labor.
- Insecure information technologies that carry a "technology vulnerability" of their own: so-called "cloud services", x86 platform virtualization (that is, some 99% of our servers), out-of-band IPMI-based system management, IPv6, etc.
- The use of IT management methods in InfoSec, including the lack of an independent line of security management.
- The lack of security in US small businesses, which can afford neither security products nor security consulting.
- A security legislative disaster caused by industry lobbying: there is no universal security law, nothing like the ISO 27000 series is mandatory across the US, and NIST requirements are mandatory for the federal government only.
- The lack of enforcement of existing security regulations; typical examples are HIPAA and Massachusetts 201 CMR 17.00 (and most likely other states' rules as well). Even where we could improve, we do not.
- And more ... You can add to the list!
Here we are: a widespread state of ignorance in which the federal government controls nothing, not even its own area of interest.
Please review our articles and presentations, where we provide details supporting the statements above.