Tuesday, May 28, 2013

Cyber security: the enemy isn't at the gates

They're inside the gates:
"We've got North Korea with ICBMs and we've got Iran developing an atomic bomb, but that's not our biggest problem," Brocade Communications chairman David House said at a future-forcasting panel during the Ethernet Innovation Summit this week in Mountain View, California. "Our biggest problem is cyber security."

...

The way that we've architected our networks has exacerbated the privacy problem, House argues. "We've been spending the last 40 years abstracting up from the piece of wire to higher and higher levels," he said, "and virtualizatIon and software-defined networks are just another layer of abstraction that we're putting into the environment."

All that abstraction is providing more and more ways for hackers to break into networks. "Every one of these layers is a tunnel that people can go through to access things that they shouldn't have access to," he warned.

At another Summit session, a gaggle of security execs expressed equally pessimistic concerns. For example, Alan Kessler, CEO of data-security company Vormetric, has given up on traditional security measures. "Building a fortress around you network no longer works," he said. "The bad guys are already inside. They already have access to your network – in fact, you may have hired them."

Kessler also is of the opinion that the advent of cloud computing has brought with it another threat layer. "Even if you're confident that you're running your data center, you can trust your people, what if your data is in someone else's cloud? How do you know whether the systems administrator who's managing that server is someone you can trust?"
I've been saying this sort of thing for a while, that the game seems to be pretty much over and the interesting question isn't whether the infrastructure is vulnerable but rather how much of the infrastructure is already pwn3d.

I think that this is an opportunity for people looking for higher paying jobs.  Pick up one of the Cisco CCNA study guides and go through it.  Find some Youtube videos on the topics in the guide.  Maybe (maybe) take a Community College class on the subject.  Take and pass the certification.  Because this is the pull quote from the article I linked above:
But no security scheme will work unless a company has well-trained network-security techs on its payroll – and there aren't that many of them to go around.
It may be a bit perverse to simultaneously say that the battle is lost and that you can make good coin by enlisting the the CyberCommand, but that's what it looks like.  Nobody cares what your degree is if you have CCNA/CCIE/CISSP certifications.

Higher Education Bubble, indeed.

Bootnote: Not everyone agrees, at least the Cisco stuff.  Don't think he'd disagree with me on CISSP, though.

2 comments:

Dave H said...

It may be a bit perverse to simultaneously say that the battle is lost and that you can make good coin by enlisting the the CyberCommand, but that's what it looks like.

Reminds me of a saying I heard years ago: "If you're not part of the solution, there's money to be made by prolonging the problem."

This might not be a bad second career. I only need something to keep me busy for another 15 years or so.

ASM826 said...

I got the degree. Spent 8 years going taking 2 classes a semester.

All anyone cares about are the certifications, RedHat, Cisco, A+, etc.

And I don't care how good you are individually, the security issues are systemic. The security software/hardware, monitoring, the structure, and the training, all of it has a cost and organizationally you have to work to explain and justify those costs to managers that do not understand how an email goes from their home account to their work account.

Of course it's pwned.