So what? I didn't invent the term.
That's what it means though.
I'm looking at it from the practical standpoint, theory does not interest me. And all my experience shows that if some business process is clunky and not efficient, people will look for ways to circumvent it regardless of the consequences for such circumvention. And they will find it eventually - security purists won't like it, but when the choice is between getting a task done that generates a cashflow versus the theoretical beliefs of security purists, the former will win most of the time - if not always.
I agree. This whole IT security shitshow got out of control.
I know several people that do serious IT stuff and they tell me that the main reason for downtime recently is either the huge workload around mandatory patching of non-existent (like the patch applies to a component they are not using) or highly theoretical, zero-probability problems (like patching something that is vulnerable only if you overlap dozens of unlikely scenarios, that can be executed only by system admins, who OTOH already have root access and could just log in to the server and do whatever they like anyway), or they have bugs introduced by patches, some "security hardening" makes their systems stop working, etc...
Basically, they have more downtime incidents because of the security process, while they never had any real security incidents...
That is one thing, and I am talking about industries that have a real need for real security. The other thing is when nail and hammer manufacturers think they are the CIA and apply NIST standards for intelligence agencies.
So hypothetically speaking, let's have a network of PC workstations. Those PC workstations are considered secure and the network is isolated from the outside world.
You add a scope to it.
How does that make the network less secure? What is the attack vector?
If anything we can say that the scope can be attacked by the network, not vice versa.
Basically, scope or not, you still need an insider who will physically (physical access to the device) compromise any of the given devices on the network to be able to do something. And a scope is the least mainstream device to do so...
The security industry (I propose the name #theBigVirus) is huuuge money and they work on promoting paranoia. For years now their security recommendation scoring frameworks have been stupid and have no resemblance to real risk calculations. They take the same bug reports and keep reclassifying them over and over and make NEW patches. The new patch is binary the same, but is connected to a new CVE so you need to apply the new patch to satisfy the form. Auditors are lost in all the information and simply want you to apply all the new patches because they cannot be bothered to actually read all the risk assessments and rule on them. They say "well, we would like you to follow good practice".....
It is a shitshow... And it is getting worse by the day. A few of the people I know resigned and moved to doing something else.
That is one thing. The other thing is using national security as an excuse to promote monopoly, because the competition that actually plays by the market rules is just doing a better job. And since in the USA, more and more, they make only weapons and military equipment, or are connected to the companies that do, it is easy enough to enforce that. If you want our business, here are the rules...