I’m a Zen heretic, and so also is my sense of systems security.
A very cogent citation describes the folly of it all. The people who install toolbars, click on random stuff and feel like they won something when they downloaded the free app are too plentiful, and security is too tough to understand—even PGP.
Bringing up the bottom is as important as extending the top. We don’t ritualize security because that would be too tough, too impolite to do. Your mother did not teach you to use complex passwords and to change them as frequently as your underwear. Given some people I know, it’s a wonder they passed the “p@55w0rd” rubric they were trained to use.
So, is all of this highly sophisticated work we do in security worth it when it takes but one bozo with a rooted phone to hammer your best internal security in search of your golden geese?
Yes.
It took a while to write that single word above because nothing is truly foolproof, as fools are so ingenious. But we have a responsibility placed upon us because we are smarter than most, more shrewd, skeptical, and ready to defend turf, assets and even the dignities of those who are both unwilling and unable to do so.
There is a moment, perhaps an era of enlightenment, that eventually arrives in Zen. It is a sensation that one is above the paradox, able to handle mystery without question, and able to navigate life with few to no anxieties, only fruitful energies.
Achieving this goal in Zen is not unlike security’s holy grail. It’s a long discipline of unlearning what you’ve learned and accepting countless paradoxes until the mysteries of the mind are silenced and paradox becomes a gift rather than a frustration. Meditation is the river of Zen, while reading CVEs and checking countless conf files and chains of authority is the energy of security.
There are soothsayers and teachers and monks in both Zen and systems security. There are those who do so martially, and I’ll use Brian Krebs as an example, as he provokes responses that are truly heinous in result. Leonard Cohen was a student of Zen. I watched him do hours of knee-drop performances in his mid-70s whilst singing his baritone brains out. Yes, he was an ordained Zen monk.
Never-ending search for security knowledge
Security people attain knowledge, and there’s a huge amount of knowledge to be acquired because there are cracks. Cracks are where the ne’er-do-wells sneak in and steal stuff or create mayhem. The revelations of Russian influence in the U.S. 2016 Presidential election are an indication of some of the worst mayhem ever created in systems security.
In this modern era, a new generation has started. I have two grandchildren. Do I caution my daughter? Do I teach them about security now or let them become victims in the future? Haven’t we always taught children to be wary of a rough world? When is it too early?
The answer to the question is that my grandson has a tablet. His dad is a CS student with a huge gaming platform, a state-of-the-art orc killer. He’s smart enough to teach the lessons. Teaching my grandson the Zen of security will be easier because there is so little to be unlearned, only learned. Meanwhile, there are wise and real people being held hostage by ransomware squads.
That the CIA could detect Russian influence in the elections is enlightening. What we do next will also be enlightening.