Wednesday, September 21, 2005

A different approach to Information Security

I was reading through this article by Marcus Ranum and was startled by the approach the author took. But as I read on I realised that most of the ideas and concepts make sense. Fighting against cyber crime is like fighting against the mythological Hydra where, as soon as you cut off one head, new ones appear in its place. So how do we fight against such a monster? I concur with the author here: we don't fight it. We don't let it in in the first place. See, the malware is a problem only if you allow it to enter your network or computer.

Let me draw another analogy at this point. In our homes, we don't let in anyone we don't know, for fear that they might bring harm to us and our family. As long as the unsavoury characters are outside the house, they are not a threat to us. So then why do we let unknown software and emails get inside our homes (networks and computers)? The default should be to deny anyone we don't know. Only if the unknown entity seeking entry to our network can establish its identity should we allow the entity inside.

Marcus makes a very valid point: why do we want to keep track of an ever-growing list of unwanted software when all we need is the 30-40 odd software programs? A very basic premise, yet a very powerful one when you think of it.

At this point a very simple question starts bothering me: if his approach is so effective, then why aren't most, if not all, organisations using this? I thought about it for a few days and the following are the answers as they occurred to me, in the order of probability:
1. This one's very simple: Maybe most organisations don't know about it and are afraid to try something which is unconventional to them.
2. The security vendors: This hit me even as I was reading the article. If all of his recommendations are implemented then probably, just probably, the need for antivirus and security patches won't be there, and some of the biggest companies and individuals (yours truly included) will have to close shop and look for other means to make a living (well, I am not truly dependent on this for a living, but I do this as a hobby, but still...)
3. The open nature of the Internet: The very idea on which the Internet flourished was the easy accessibility of information, people and resources. Having a default deny policy may thwart the growth of the Internet and would defeat the very principle on which it has thrived. But then if we can socialise freely and still keep our home safe, I have a feeling that this is possible.

These are my thoughts on this. What do you think? If you happen to read this post, then do send me a line about what you think.
