“[Traditional security tools are] failing because they don’t start with the basic assumption that the end users and the networks that they’re connected to are already compromised,” Ira Victor (@ira_victor), host of CyberJungle Radio, in our conversation at the Security BSides conference in Las Vegas.
Victor said network owners should build their information security based on the understanding that there are just two kinds of networks, the ones where the owner knows they’re compromised and how badly, and the owner who doesn’t.
One of the core issues, said Victor, is poor credentialing systems.
“It really doesn’t matter how long and complex the passwords are because in many cases the entire infrastructure for the credentialing is so easy to compromise,” he said.
Security is often a network add-on, not a core component.
“A tractor has the same horsepower as my sports car. My sports car can’t plow a field very well. We’re asking systems to be secure that were never designed for security, they were designed to be open,” said Victor. “We have to start with that fundamental base level and then re-architect what we’re doing so that it is designed from the ground up to be secure rather than added on as layers of security.”