Where in the World is Winn Schwartau?

If you've been around the information security block a few times, you're bound to remember Winn Schwartau. I finally got a chance to meet Winn at the GFIRST conference earlier this week. He was kind enough to pass me copies of a few of his books, like Time-Based Security. In the book, Winn tries to steer readers away from their "fortress mentality" and towards a model of security centered on attack duration.

I like the idea of rating a security system by the amount of time it takes an intruder to compromise it. That system is used to rate safes, as defined by Underwriters' Laboratories, Inc. (and explained here, here, here, and here). A time-based model acknowledges that any system can be compromised, as long as an intruder is willing to dedicate the resources to the project. It is easy to know how long it takes a script kiddie to compromise a target with an unpatched, public vulnerability for which there is a reliable exploit. It is more difficult to know how long it takes a professional intruder to compromise a target with no known vulnerabilities. Still, estimates can be made, and those estimates can help direct monitoring and access control defense-in-depth strategies.

Winn is now running The Security Awareness Company, which provides (wait for it) Security Awarness materials and training. His team also operates the Security Awareness Blog. I saw some of his company's products, which included posters for Florida-based financial giant Raymond James. Keep Winn in mind if you're trying to make your company's users security-conscious.

Update: Here are a few links to discussions of time-based security.

Comments

Anonymous said…
Isn't there also a point at which the time required and resources to be dedicated make intrusion an unproductive venture? Once systems have been protected to the point where they become unattractive targets, and lesser-protected systems are infinitely more accessible, are they less likely to be selected as targets? What is the old joke, "I don't have to outrun the bear..."?
Anonymous said…
This comment has been removed by a blog administrator.
Anonymous said…
http://securityawareness.blogspot.com/ does not have any posts and the author seems to be somebody called Tony Bradley. Either the blog just got owned or you linked to the wrong blog :-)
Varun,

Well, my post was three years old. I guess the blog is gone now.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics