Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."

["Stephen John Smoogen" <smooge () gmail com>]

On 5/16/06, Jason Muskat <Jason () techdude ca> wrote:
> Hello,
>
> Security has to be correct 100% of the time. One omission can lead to an
> exposure. Count yourself lucky that your vulnerabilities haven't been
> exposed (that you know of -- Think Ohio State's exposure
> <http://www.ohio.edu/datatheft/alumni/index.cfm>). Many organizations cover
> up (do not report to governmental authorizes) every exposure that occurs.
> This is the norm.

The only 100% correct all the time system is the one that has been
turned off and buried in a Nickel lined concrete bunker 100 feet from
anything. You are going to be lucky if you see 95% of the time over
say a year that you are not going to see some sort of breach somewhere
on any large system. That doesnt mean you do not try to protect to
your best ability, but you also need to make sure that you are
prepared for what happens when the breach occurs. And that means
beyond "Cover our butt and point our fingers at xyz user, contractor,
etc as the source of the problem"


--
Stephen J Smoogen.
CSIRT/Linux System Administrator