Security Basics mailing list archives
Re: Article: "Security Absurdity: The Complete, Un
From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Wed, 17 May 2006 21:07:50 -0500
Why do you "parrot" the exact same thing that has been told --repeatedly -- over the past 15 years? They have you brainwashed! How many principles do you think there really are (and not just the ones that ISC(2) *tells* you that there should be)? What do you think makes up the components of a good security model? What defines the best practices, and how should it be enabled? Are 3 overly simplified principles the only key? I disagree. Security is not about "absolutes", but about "resolutes". It is (most of the time) "hit or miss", sometimes hitting dead nuts on target, other times, completely missing the target entirely. There will *never* be "absolute security", because of the random, human factors that are involved, no matter how much business and government attempt to accurately predict human behavior. To me, "confidentiality" is based on how well you can keep a secret. This (again, to me), is dependent upon the "integrity" of the data, as well as it's "availability". If it's not available, you have nothing to control the secret. If the data has been tampered, you (again) have nothing to keep secret. The levels of confidentiality are dependent upon those 2 principles (using your ISC(2) security model). Expanding on the security model, to me, "intelligence" carries a fair share amount of weight, as does "information" itself. The reason for mentioning "information" is that if it's useless "information", why bother protecting it? Henceforth, why the U.S. government has both intelligence and information assurance offices. The IA offices determine if the information is useful. The intelligence offices determine how it should be determined (I know that sounds circular, but hey, welcome to the redundant world of redundant systems of a redundant world...confused yet?) If businesses and government (alike) didn't agree with that statement, then we wouldn't have those 2 kinds of organizations throughout the world; therefore, the security model is inclusive to these 2 additional elements. My quote for 2006: "The best security is no security that's needed." Think about it... ;)) -rad ----- Original Message ----- From: Saqib Ali [mailto:docbook.xml () gmail com] To: Jason Muskat [mailto:Jason () techdude ca] Cc: Bob Radvanovsky [mailto:rsradvan () unixworks net], "Sadler, Connie" [mailto:Connie_Sadler () brown edu], email () securityabsurdity com, security-basics () securityfocus com Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
Security has to be correct 100% of the time. One omission can lead to anI don't disagree with you. However aboslute security requires absolute non-existence of the information. For e.g. You can have IPS, IDS, DRM, TPM, AV, Firewall etc on your netowork, but as soon as somebody prints out that confidential document and tosses it in a garbage can, you security goes with it. Another e.g.: Everyone knows that one-time pad provides the "perfect secrecy". But then how did the British intercept the Soviet communications???? Soviet re-used the OTP, which allowed for statistical analysis and/or pattern matching. Re-using seemed pretty harmless at that time, but in retrospect it was a big mistake. Isn't everything in retrospect a mistake? Security has 3 core priciples Confidentiality(non-disclosure), Integrity, Availability(non-destruction). In in way Confidentiality is inversely propotional to Availability (i think). By making something available you are increasing the chances of its disclosure. So in theory 100% security is not possible. -- Saqib Ali, CISSP, ISSAP Support http://www.capital-punishment.net ----------- "I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15 -----------
Current thread:
- Re: Article: "Security Absurdity: The Complete, Un Bob Radvanovsky (May 20)