ask the client to draw up their security architecture on the whiteboard. This inevitably contains a firewall as one of the central pieces. Next, I ask them what is "behind" the firewall: describe the assets, their value to the business and so on. Then I say, "Now imagine the firewall is not there. What would your security architecture look like? What would protect your assets, your data, your users, your apps?" Then I list off a series of attacks that take no notice of the firewall's presence because they were designed to circumvent it from the get-go. From an attacker's point of view a firewall is a speed bump, not an immovable object. It's simply a question of looking at it from a different point of view. Typically, at this point the blood drains from my colleagues' faces.
I call this the Michael Jordan/Garry Kasparov situation.
Question: how can you beat Michael Jordan & Garry Kasparov?
Answer: Get Jordan to play any game except basketball and Kasparov to play any game but chess.