The Diet Pill Security Model

The information security industry, lacking social inhibitions, generally rolls its eyes at anything remotely hinting to be a “silver bullet” for security. Despite that obvious hint, marketing teams remain undeterred at labeling their companies upcoming widget as the savior to the next security threat (or the last one – depending on what’s in the news today).

I’ve joked in the past that the very concept of a silver bullet is patently wrong – as if silver would make a difference. No, the silver bullet must in fact be water. After all, chucking a bucket of water on a compromised server is guaranteed to stop the attacker dead in their tracks.

Bad jokes aside, the fundamental problem with InfoSec has less to do with the technology being proposed or deployed to prevent this or that class of threat, and more to do with the lack of buyers willing to change their broken security practices and compliment their new technology investment.

Too many security buyers are effectively looking for the diet pill solution. Rather than adjusting internal processes and dropping bad practices, there is eternal hope that the magical security solution will fix all ills and the business can continue to binge on deep-fried Mars bars and New York Cheesecakes.

As they say, “hope springs eternal”.

Just as a medical doctor’s first-line advice is to exercise more and eat healthily, our corresponding security advice is harden your systems and keep up to date with patching.

Expecting the next diet pill solution to cure all your security ills is ludicrous. Get the basics done right, and get them right all the time first, and expand from there.

— Gunter

*** This is a Security Bloggers Network syndicated blog from Technicalinfo.net Blog authored by Gunter Ollmann. Read the original post at: http://technicalinfodotnet.blogspot.com/2018/10/the-diet-pill-security-model.html