2008-04-30 08:42 Infosec 3rd day - Anti Cognitive Dissonance
Picture: A dead view with that familiar
NASA earth view.
As opposite of what I thought in my last blog, Cognitive Dissonance is actually ...a psychological state that describes the uncomfortable feeling when a person begins to understand that something the person believes to be true is, in fact, not true. (Wikipedia). What I experienced in Infosec was just the opposite. I thought it ment something where one pays attention only to the observations of the world which are supporting his common beliefs. I thought I had the last one, as I heard some things which could be straight from a Clarified Networks TV-shop commercial, if there were one. Here are some samples.
''I don't want to pay for the whole year''
I heard an argument where customer was saying to vendor that he uses the software only periodically, not throughout the whole year. He didn't want to pay for annual license. Instead, he would like to pay only for the time he is using the software. Sound like Cookie Licensing to me.
"You can't have balanced vulnerability assessments without understanding the traffic flows"
There was this one company called IDSec who had arguments exactly same like us when we talk about ?TrafficAudit. Their approach was just to solve clients problems was just different. We monitor the actual traffic of the system, as that is the most authorative source for seeing how organisation policy is implemented in practice. This approach is also independent of the components used in the target network. IDSec imports configuration files from network devices. Not that bad idea either. In our audits we typically use the existing configuration to gain more insight on the client's security policies.
P.S. Now I've advertised our competitor and admitted that we are not perfect on our blog. Why? I'll answer at some of my next blogs.
-- jani 2008-04-30 09:45:51