Personal tools
You are here: Home WiKIDBlog more-on-de-perimeterization

more-on-de-perimeterization

by admin posted on Jan 21, 2009 03:46 PM last modified Apr 03, 2009 11:56 AM —

Having just posted on de-perimeterization, I thought that this quote from Scott Borg of the U.S. Cyber Consequences Unit on th...

Having just posted on de-perimeterization, I thought that this quote from Scott Borg of the U.S. Cyber Consequences Unit on the consequences of breaches:

"We started seeing huge vulnerabilities," Borg said Wednesday at the GovSec conference in Washington, where the draft document was released. Most of the systems were compliant with current security checklists and best practices. "And portions of those systems were extraordinarily secure. But they were Maginot Lines," susceptible to being outflanked.

The problem is that existing best practices are static lists based on outdated data. The new USCCU list shifts the focus from perimeter security to monitoring and maintaining internal systems. The problem with perimeter security is that there is always some way to circumvent it, Borg said.

"We are way into diminishing returns on our investments in perimeter defense," he said. "To deal with it now, you have to think of the problem of cybersecurity not from a technical standpoint, but by focusing on what the systems do, what you could do with them and what … the consequences [would] be."

I think it means that companies should start shifting their focus from firewalls and IDS/IPS to two-factor authentication and database encryption.

Of course, I looked for a copy of the draft on their website. Let me know if you have better luck.

Document Actions

more-on-de-perimeterization

Posted by nowen at Feb 23, 2009 09:35 AM

Scott:

Thanks for the comment and compliment. It is a very interesting subject. I think deperimeterization
is one of those concepts where once it becomes popular, it will cease to exist independent of its superset. That is, you won't have "security" without "perimeter security" and "de-perimeterized security".

Nick


more-on-de-perimeterization

Posted by Scott Borg at Feb 23, 2009 09:35 AM

Anyone with a professional interest can get more information on our cyber-security check list by e-mailing me directly about it: scott.borg@usccu.us Our check list is still a draft document and we are welcoming comments. The analogy between our current cyber-defenses and the Maginot Line seems too apt to avoid. Some of us who have been saying this for three or four years now might be tempted to claim credit for it, but the truth is that this analogy seems to occur to everyone who really grasps the limitations of our current defense strategy and remembers a little military history. What is startling is what a small portion of those involved in cyber-security have truly thought their way past perimeter defense and past the idea that denial of service is the big problem. I am very pleased at the perceptiveness of the previous postings here on this subject (which I guess means that I wholeheartedly agree with them). - Scott Borg, Director, U.S. Cyber Consequences Unit

PS. - Please note that we are not an office in DHS, but an independent research unit that needs to operate at arm's length from the government to protect sufficiently the information of the corporations and other private enterprises who help us in our research. - SB