Friday, April 08, 2005

Where in the World is Winn Schwartau?

If you've been around the information security block a few times, you're bound to remember Winn Schwartau. I finally got a chance to meet Winn at the GFIRST conference earlier this week. He was kind enough to pass me copies of a few of his books, like Time-Based Security. In the book, Winn tries to steer readers away from their "fortress mentality" and towards a model of security centered on attack duration.

I like the idea of rating a security system by the amount of time it takes an intruder to compromise it. That system is used to rate safes, as defined by Underwriters' Laboratories, Inc. (and explained here, here, here, and here). A time-based model acknowledges that any system can be compromised, as long as an intruder is willing to dedicate the resources to the project. It is easy to know how long it takes a script kiddie to compromise a target with an unpatched, public vulnerability for which there is a reliable exploit. It is more difficult to know how long it takes a professional intruder to compromise a target with no known vulnerabilities. Still, estimates can be made, and those estimates can help direct monitoring and access control defense-in-depth strategies.
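The model in Winn's book is usually stated as: a defence holds when protection time P (how long the intruder needs to defeat the preventive controls) exceeds detection time D plus reaction time R. The post only summarises that idea, so the following is an added illustration of mine, not code from the post or from the book. The attacker classes match the two cases in the paragraph above, and every hour figure is a constructed estimate, not a measurement.

```python
from dataclasses import dataclass

# Time-based security in one inequality: the defence holds when P > D + R.
# Everything here is measured in hours; the numbers are constructed estimates.


@dataclass(frozen=True)
class AttackerEstimate:
    """How long a class of intruder needs to defeat the preventive controls (P)."""
    name: str
    protection_hours: float


@dataclass(frozen=True)
class Posture:
    """How fast the defender notices (D) and contains (R) an intrusion."""
    name: str
    detection_hours: float
    reaction_hours: float


def holds(protection_hours: float, detection_hours: float, reaction_hours: float) -> bool:
    """True when prevention outlasts detection plus reaction (P > D + R)."""
    return protection_hours > detection_hours + reaction_hours


def exposure_hours(protection_hours: float, detection_hours: float, reaction_hours: float) -> float:
    """Time the intruder has free rein after P is exhausted; zero if the defence holds."""
    return max(0.0, detection_hours + reaction_hours - protection_hours)


def detection_budget_hours(protection_hours: float, reaction_hours: float) -> float:
    """The slowest detection that still satisfies P > D + R for a given P and R.

    This is the number that tells you how much monitoring a system needs:
    if it comes out at zero, no monitoring can save it and P itself must grow
    (patching, additional access controls)."""
    return max(0.0, protection_hours - reaction_hours)


def assess(attackers: list[AttackerEstimate], postures: list[Posture]) -> dict[tuple[str, str], float]:
    """Exposure window for every attacker/posture pairing."""
    return {
        (a.name, p.name): exposure_hours(a.protection_hours, p.detection_hours, p.reaction_hours)
        for a in attackers
        for p in postures
    }


# Constructed estimates for the two cases the paragraph describes.
ATTACKERS = [
    # Unpatched public vulnerability with a reliable exploit: minutes, not hours.
    AttackerEstimate("script kiddie, unpatched host", protection_hours=0.1),
    # No known vulnerabilities: a professional still gets in, but it takes days.
    AttackerEstimate("professional, patched host", protection_hours=72.0),
]

POSTURES = [
    # No monitoring: the intrusion is found by accident about a month later.
    Posture("no monitoring", detection_hours=720.0, reaction_hours=8.0),
    # Staffed monitoring with a practised response procedure.
    Posture("24x7 monitoring", detection_hours=0.5, reaction_hours=2.0),
]


if __name__ == "__main__":
    for (attacker, posture), hours in assess(ATTACKERS, POSTURES).items():
        verdict = "holds" if hours == 0 else f"exposed for {hours:.1f} h"
        print(f"{attacker:32} vs {posture:16} -> {verdict}")
    for a in ATTACKERS:
        budget = detection_budget_hours(a.protection_hours, POSTURES[1].reaction_hours)
        print(f"{a.name:32} detection must beat {budget:.1f} h with a 2 h reaction")
```

The two useful readings are the exposure table, which shows that monitoring alone cannot rescue the unpatched host (0.1 h of protection is gone before any realistic detection fires), and the detection budget, which says how fast monitoring has to be for the patched host to stay ahead of a professional. Raising P and lowering D + R are the two levers the paragraph calls monitoring and access-control defence in depth.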

Winn is now running The Security Awareness Company, which provides (wait for it) Security Awareness materials and training. His team also operates the Security Awareness Blog. I saw some of his company's products, which included posters for Florida-based financial giant Raymond James. Keep Winn in mind if you're trying to make your company's users security-conscious.

Update: Here are a few links to discussions of time-based security.

5 comments:

Anonymous said...

Isn't there also a point at which the time required and resources to be dedicated make intrusion an unproductive venture? Once systems have been protected to the point where they become unattractive targets, and lesser-protected systems are infinitely more accessible, are they less likely to be selected as targets? What is the old joke, "I don't have to outrun the bear..."?

DeRad said...

I know Winn. He's a crazy man. That's why I write security awareness courses for his new online school.

Richard T Kusiolek said...

This comment has been removed by a blog administrator.

Varun said...

http://securityawareness.blogspot.com/ does not have any posts and the author seems to be somebody called Tony Bradley. Either the blog just got owned or you linked to the wrong blog :-)

Richard Bejtlich said...

Varun,

Well, my post was three years old. I guess the blog is gone now.