Came across this article from CERT in the course of my day job; if you think about securing systems at all it’s worth a look, if only for the instant classic photo (worth a thousand words, at least!) they have on the page. Check it out when you have a chance; I don’t want to ruin the surprise.
First saw this on Computerworld, but the Verizon 2011 Cyberattack Report is out. One of the big takeaways is that they estimate 97% of the attacks were avoidable without the need for “difficult or expensive countermeasures”. This seems completely plausible to me, especially since the human element is such a large and vulnerable component of an information security strategy, and because it seems that it is often easier for organizations to throw money at a problem and expect it to go away than to spend the time to really analyze the situation and monitor it on a recurring basis. But information security (much like EM) is a process, not a product.
In the EM class I’m taking, we’ve talked about agenda building and policy in relation to emergency management. A natural but unfortunate part of the process is that as the public’s focus turns elsewhere, programs begin to decline. In emergency management, lack of a particular type of incident tends to undermine focus. In difficult economic times, that decay manifests even quicker. Cases in point:
- David Merrick calls attention to declining public health readiness in a recent blog post.
- On his blog, Lucien Canton discusses proposed cuts to the tsunami early warning system, and cuts already made to the U.S. Geological Survey earthquake detection program.
All these points have me thinking about the problem from a different angle, and I hope to discuss it further here in the near future.