One of my many pet peeves is how all of us, myself included, are reticent to consider opinions that differ from our own.
In the rush-to-judgment world we live in, we commonly overlook or even avoid thinking about what it might be like to walk a mile in someone else's shoes. When we read or see something we don't understand, instead of taking the opportunity to listen, reflect and praise, we too often criticize, condemn and scorn.
Don't be afraid to change, especially your opinions. You and your organization's security posture will be better for it.
We all can, and should, do better, both in our personal lives and in our business dealings. With that in mind, I wanted to offer a different take on two of the top information security industry storylines from this past month, and shine the spotlight on the lessons to be learned from seeing an issue from a different perspective.
won’t patch four-year-old zero-day in TNS listener
In 2008, security researcher Joxean Koret discovered a flaw in Oracle Corp's database management product, and reported it to the vendor. Fast-forward to last month: Koret released details of a proof-of-concept code for the vulnerability, which affects Oracle database versions 10.2.0.3 to 22.214.171.124, even though Oracle never fully repaired the problem.
It's hard to defend Oracle. An entire U.S. presidential term should be enough time to research, develop and release a fix for just about any software flaw. And as our Editorial Director Mike Mimoso wrote, Oracle has been down this road before.
But it's not that simple. Even if Oracle had released a patch, how many enterprises would have applied it? According to a Sentrigo survey from a few years ago, two-thirds of Oracle DBAs said they don't apply Oracle security patches. Ever. I couldn't find anyone who had more recent data (Sentrigo has since been acquired by McAfee), but I doubt it's changed much. From Oracle's perspective, one can understand why it would focus its efforts on addressing the issue in future releases instead of patching existing ones: If hardly anyone applies them, why rummage through all that old code?
From the enterprise DBA's perspective, any Oracle database patch or upgrade is a daunting challenge. Check out Oracle's Introduction to the Database Upgrade Process. Yikes. It's no wonder that, according to a survey conducted by our colleagues at SearchOracle.com in late 2010, more than half of 450 Oracle users surveyed indicated database upgrades are the No. 1 challenge they face.
The simple truth is the nature of the enterprise database lifecycle demands security teams assume the database is constantly vulnerable. Think of it like the Forrester Zero Trust Model. While part of the answer for ensuring secure Oracle databases is to upgrade to more secure versions when feasible, a better approach is to apply database security management best practices such as database encryption, access control and DAM, not to mention network perimeter security monitoring and DLP.
is doomed by automation, misguided IT security strategy, experts warn
SearchSecurity.com News Director Rob Westervelt stumbled into a hornet's nest at the recent InfoSec World 2012 event. During a panel session, a trio of the industry's smartest experts used a "shock-and-awe"-style presentation to convince attendees to focus less on security and compliance automation, and instead understand and secure the data that really matters to their organizations.
Also this month on SearchSecurity.com
Android security model enables the spread of mobile malware, expert says
HIPAA compliance: How to prepare for the 2012 KPMG audits
Information Security magazine: May 2012
The presentation, and specifically the speakers' "frank and unapologetic tone" riled up more than a few attendees, one of whom indicated that the experts were out of touch with the budgetary and business constraints under which most security teams operate. Executives are responsible for compliance, and like it or not, a sizable portion of enterprise security spending is driven by compliance.
My colleagues and I had an interesting conversation about this one in our most recent Security Squad podcast (starting at 15:40), but it's worth mentioning because the one constant in information security is change. New threats and attack techniques emerge almost daily, and products and processes come and go, but what matters is making the investment in time and effort to not only stay abreast of the latest industry developments, but also put some real thought into how those changes affect what enterprise security teams do on a day-to-day basis. Perhaps it's a harrowing prospect, but enterprise security programs should be reinvented from the ground up every few years.
In closing, remember that opportunities often come disguised as challenges, and wise words are often accompanied by tough love. Don't filter out a good message, even if it isn't delivered as well as it could be, and don't be afraid to change, especially your opinions. You and your organization's security posture will be better for it.
This was first published in May 2012