Security Basics mailing list archives
Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
From: Jason Muskat <Jason () TechDude Ca>
Date: Fri, 19 May 2006 22:34:35 -0400
These two emails are a metaphor; ..."Security must do a better job in lowing vulnerabilities as apposed to only mitigating vulnerabilities. This means lowering the cause (vulnerabilities) not only hiding them ( mitigating the increasing numbers of vulnerabilities -- lowering risk). It is not prudent to put ones efforts into only mitigating what WILL happen. This is especially true when vulnerabilities are allowed to increase wildly as they are doing so now. --------- Hello, That is a great example! A secure system is rendered insecure because of only one omission. Even with the best policies, and security technology one mistake resulted in a security system failure (an exposure). Most exposures result from only one omission. Just one, and only one. This maybe a setting in a config file, a broken process, or a procedure that isn't followed correctly (think aircraft part assembly). Security must do a better job in lowing exposures as apposed to lowering risk (current practices). ____________________________ TechDude e. Jason () TechDude Ca m. 416 .414 .9934 http://TechDude.Ca/
From: Saqib Ali <docbook.xml () gmail com> Date: Wed, 17 May 2006 06:25:10 -0700 To: Jason Muskat <Jason () techdude ca> Cc: Bob Radvanovsky <rsradvan () unixworks net>, "Sadler, Connie" <Connie_Sadler () brown edu>, <email () securityabsurdity com>, <security-basics () securityfocus com> Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."Security has to be correct 100% of the time. One omission can lead to anI don't disagree with you. However aboslute security requires absolute non-existence of the information. For e.g. You can have IPS, IDS, DRM, TPM, AV, Firewall etc on your netowork, but as soon as somebody prints out that confidential document and tosses it in a garbage can, you security goes with it. Another e.g.: Everyone knows that one-time pad provides the "perfect secrecy". But then how did the British intercept the Soviet communications???? Soviet re-used the OTP, which allowed for statistical analysis and/or pattern matching. Re-using seemed pretty harmless at that time, but in retrospect it was a big mistake. Isn't everything in retrospect a mistake? Security has 3 core priciples Confidentiality(non-disclosure), Integrity, Availability(non-destruction). In in way Confidentiality is inversely propotional to Availability (i think). By making something available you are increasing the chances of its disclosure. So in theory 100% security is not possible. -- Saqib Ali, CISSP, ISSAP Support http://www.capital-punishment.net ----------- "I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15 -----------
Current thread:
- Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." email (May 10)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Saqib Ali (May 15)
- <Possible follow-ups>
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Sadler, Connie (May 10)
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Craig Wright (May 20)
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Craig Wright (May 20)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Jason Muskat (May 20)
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Robinson, Sonja (May 23)