March 12, 2012

Measuring the OODA loop of security thinking -- Can you say - firewalls & SSL?

So, you want to know where the leading thinkers are in security today?

Coviello called for the industry to rally together to take the following actions:
-- Change how we think about security. The security industry must stop thinking linearly, "...blindly adding new controls on top of failed models. We need to recognize, once and for all, that perimeter-based defenses and signature-based technologies are past their freshness dates, and acknowledge that our networks will be penetrated. We should no longer be surprised by this," Coviello said.

Can you say, firewalls & SSL? It's so long ago that this metaphor was published by Gunnar that I can't even remember. But here's his firewalls & SSL infosec debt clock, starting 1995.

Posted by iang at March 12, 2012 09:17 PM


In what manner are you referencing Boyd's OODA loop? How are you suggesting the OODA concept be applied to security planning and/or security design and/or security operations?

Posted by: Purpleslog at March 12, 2012 10:31 PM

Periodic reference is that attackers have a significantly better OODA loop than those responsible for security.

Disclaimer #1: We were called in as consultants to a small client/server startup that wanted to do payment transactions on their server; they had also invented this technology called "SSL" they wanted to use; the result is now frequently called "electronic commerce". As part of "electronic commerce" there were various requirements as to the deployment and use of SSL ... which were almost immediately violated. Not long after, I coined the term "comfort certificates" (referring to the SSL domain name digital certificates) in an attempt to differentiate between providing the feeling of comfort and *REAL* security.

Disclaimer #2: I used to sponsor Boyd's briefings at IBM.

Posted by: Lynn Wheeler at March 14, 2012 03:57 PM

One of the latest in a series of articles ... I made some offhand comment that lots of this has been lurking since SSL was first deployed.

What's Next For Certificate Technology? The recent rash of breaches among certificate authorities has left a bad taste in enterprises' mouths. What's wrong with the technology, and how is it changing?

Posted by: Lynn Wheeler at March 16, 2012 09:04 PM