Although I've just skimmed it -- it certainly looks like a decent precis of the major items of Internet security interest, well-presented and readable. I'll try to get 'round to reading it through over the holiday weekend.

But skipping to the Key Recommendations, I have to sit up and go "well, duh." There is NOTHING new in those recommendations -- indeed, we in the Internet security world have been saying this same stuff for at least 10 to 20 years. (Which leads me to a whole 'nother rant about what passes as "acceptable" Internet security if we're still saying the same stuff and thinking the same way, but that's for another post sometime.)

To that end, noticeably absent are the items that would require fundamentally changing how we design, view, and build 'secure' or 'resilient' networks... the cynic in me believes that folks don't want to really have truly secure systems/networks/services, just ones that are 'good enough'. IMHO the Internet security status quo, flawed as it is, creates economic opportunity for consultants, products, and services to deploy upon both the flawed network foundations and administered by similarly-flawed principles, practices, and failure tolerances, thus creating the self-licking ice cream cone.

Effective Internet security requires a technological and cultural paradigm shift at the most fundamental level -- but there are too many forces/considerations working against us for it to become a reality, to include plain old human complacency.

To wit: here in DC I have been involved in several senior-level working groups on Internet security over the years. Almost all the recommendations, threats, vulnerabilities, and risks described in those reports/panels/papers/events/speeches on cybersecurity are the same from year to year, commission to commission, and report to report. So clearly the status quo is acceptable. I wonder if the 2009 and 2010 Annual Reports from Cisco, Microsoft, Symantec, VENDOR$, or AGENCY$ will say anything significantly different -- my guess is no.

On a side note, as someone working in the Internet security industry, I always take such "register to download our report" type of documents from vendors (like this one) with a grain of salt -- since it's clearly done to collect marketing information. :)

That said, it looks to be an interesting read, and perhaps I'll be pleasantly surprised!

-Rick

On Jan 16, 2009, at 06:44, Alaa Al-Din Al-Radhi wrote:
Dear Colleagues
A very good resource to read
http://cisco.com/en/US/prod/vpndevc/annual_security_report.html
Alaa
_______________________________________________
The Air-L@listserv.aoir.org mailing list is provided by the Association of Internet Researchers http://aoir.org
Subscribe, change options or unsubscribe at: http://listserv.aoir.org/listinfo.cgi/air-l-aoir.org
Join the Association of Internet Researchers: http://www.aoir.org/