Once over the surprise that a general computing association, as opposed to one focused only on security, was so prescient in this space, I realized that these general rules, had they been applied when first espoused, would have very much limited the problem we have today with ubiquitous data and inadequate controls. Note especially the first two items. They are suggesting building the dam closer to the source of the data river. All the rules, save perhaps the third, are about how to avoid much of the problem in the first place rather than how to prevent data from leaking out of a river that is already bursting its banks.
Once you begin to think about the root causes of today’s security problems, rather than merely how to treat the symptoms, you arrive at a whole new level of understanding. Thus, when reviewing a chapter that AT&T’s CISO, Ed Amoroso, has written for an upcoming book (Enterprise Information Security and Privacy, Artech House, March 2009), which I co-edited with Jennifer Bayuk and Dan Schutzer, I was struck by Ed’s explanation of why botnets are proliferating so wildly. Most security folks will tell you that it is due to malware creators getting smarter, or to the inadequate protection most users put on their PCs and their unwillingness to keep those protection tools current. But Ed put it another way. He said that a major part of the problem stemmed from the amount of pirated software that is out there. Individuals running pirated software are not on the lists of registered users who receive automated updates or notifications. Hence, all these machines running stolen software are more vulnerable, because their protection is out of date, and they are more readily used as zombies for botnets.