Security Basics mailing list archives
Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
From: Jason Muskat <Jason () TechDude Ca>
Date: Fri, 19 May 2006 21:17:36 -0400
Hello,

That is a great example! A secure system is rendered insecure because of only one omission. Even with the best policies and security technology, one mistake resulted in a security system failure (an exposure).

Most exposures result from only one omission. Just one, and only one. This may be a setting in a config file, a broken process, or a procedure that isn't followed correctly (think aircraft part assembly). Security must do a better job in lowering exposures as opposed to lowering risk (current practices).

____________________________
TechDude
e. Jason () TechDude Ca
m. 416 .414 .9934
http://TechDude.Ca/
From: Saqib Ali <docbook.xml () gmail com>
Date: Wed, 17 May 2006 06:25:10 -0700
To: Jason Muskat <Jason () techdude ca>
Cc: Bob Radvanovsky <rsradvan () unixworks net>, "Sadler, Connie" <Connie_Sadler () brown edu>, <email () securityabsurdity com>, <security-basics () securityfocus com>
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."

> Security has to be correct 100% of the time. One omission can lead to an

I don't disagree with you. However, absolute security requires absolute non-existence of the information. For e.g., you can have IPS, IDS, DRM, TPM, AV, firewall etc. on your network, but as soon as somebody prints out that confidential document and tosses it in a garbage can, your security goes with it.

Another e.g.: everyone knows that the one-time pad provides "perfect secrecy". But then how did the British intercept the Soviet communications???? The Soviets re-used the OTP, which allowed for statistical analysis and/or pattern matching. Re-using seemed pretty harmless at that time, but in retrospect it was a big mistake. Isn't everything in retrospect a mistake?

Security has 3 core principles: Confidentiality (non-disclosure), Integrity, Availability (non-destruction). In a way Confidentiality is inversely proportional to Availability (I think). By making something available you are increasing the chances of its disclosure. So in theory 100% security is not possible.

--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15
-----------
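The pad-reuse point in the message above is worth seeing in code. The following Python is an added example, not code from the thread or from any of its participants; the two messages and the pad bytes are constructed for illustration. It shows why a one-time pad is perfectly secret only when each pad is used once: XOR-ing two ciphertexts made with the same pad cancels the pad and leaves the XOR of the two plaintexts, so every position where the messages agree shows up as a zero byte, and knowing either message gives away the other. With a fresh pad per message, the same XOR is just another random string.

```python
"""Why re-using a one-time pad destroys its secrecy (constructed example)."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One-time pad: ciphertext = plaintext XOR pad.

    The pad must be uniformly random, at least as long as the message,
    and never used for a second message. Decryption is the same
    operation, since XOR is its own inverse.
    """
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message")
    return xor_bytes(plaintext, pad[: len(plaintext)])


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """Recover the plaintext from a ciphertext and its pad."""
    return otp_encrypt(ciphertext, pad)


def reused_pad_leak(p1: bytes, p2: bytes, pad: bytes) -> bytes:
    """Encrypt two messages under the SAME pad and XOR the ciphertexts.

    The pad cancels: (p1 ^ pad) ^ (p2 ^ pad) == p1 ^ p2, so the result
    depends only on the plaintexts and not on the pad at all.
    """
    c1 = otp_encrypt(p1, pad)
    c2 = otp_encrypt(p2, pad)
    return xor_bytes(c1, c2)


def shared_positions(p1_xor_p2: bytes) -> list[int]:
    """Indices where the two plaintexts had identical bytes.

    A zero byte in p1 ^ p2 means the two messages agreed at that
    position; this is the kind of pattern that pad reuse exposes.
    """
    return [i for i, b in enumerate(p1_xor_p2) if b == 0]


def recover_other_plaintext(p1_xor_p2: bytes, known_plaintext: bytes) -> bytes:
    """If one plaintext is known, XOR-ing it back out yields the other."""
    return xor_bytes(p1_xor_p2, known_plaintext)


def fresh_pads_leak(p1: bytes, p2: bytes) -> bytes:
    """Same two messages, but each gets its own random pad.

    Now c1 ^ c2 == p1 ^ p2 ^ pad1 ^ pad2, which is uniformly random
    because pad1 ^ pad2 is, so nothing about the plaintexts is exposed.
    """
    pad1 = secrets.token_bytes(len(p1))
    pad2 = secrets.token_bytes(len(p2))
    return xor_bytes(otp_encrypt(p1, pad1), otp_encrypt(p2, pad2))


if __name__ == "__main__":
    # Constructed sample messages of equal length.
    msg_a = b"MEET AT DAWN"
    msg_b = b"HOLD AT NOON"
    pad = secrets.token_bytes(len(msg_a))

    leak = reused_pad_leak(msg_a, msg_b, pad)
    print("reused pad, c1^c2 :", leak.hex())
    print("p1^p2             :", xor_bytes(msg_a, msg_b).hex())
    print("positions in common:", shared_positions(leak))
    print("msg_b from msg_a   :", recover_other_plaintext(leak, msg_a))
    print("fresh pads, c1^c2  :", fresh_pads_leak(msg_a, msg_b).hex())
```

Run it twice: the reused-pad line and the recovered message are identical on every run regardless of the random pad, while the fresh-pads line changes each time, which is the whole difference between a one-time pad and a two-time pad.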
Current thread:
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Bob Radvanovsky (May 12)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Saqib Ali (May 15)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Jason Muskat (May 17)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Saqib Ali (May 17)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Jason Muskat (May 20)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Stephen John Smoogen (May 20)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Jason Muskat (May 23)
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Angela and Donald (May 24)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Jason Muskat (May 24)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Jason Muskat (May 17)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Saqib Ali (May 15)
- <Possible follow-ups>
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Bob Radvanovsky (May 23)