Security Basics mailing list archives
RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
From: "Robinson, Sonja" <Sonja.Robinson () fticonsulting com>
Date: Mon, 22 May 2006 15:49:13 -0400
I had this debate on a different forum last week. I found the article annoying and misleading in many instances (typos aside). It just rehashed the same things and didn't provide solutions but just blamed me for the ills of society (like I need more). I try to beat my users regularly but they don't care. Hence the REAL problem. I care, they don't. Even our own IT constituents don't really care about security. They just want to program from home and can't understand why we don't up open all servers to them at admin level. People want security for everyone BUT them because they're "special". It would be nice to say NO to VPN (and shut down Marketing), say NO to remote access (and shut me down when my system experiences problems), say NO to unencrypted e-mail (and stop half of my users from working - depending on your solution internally and externally) and say NO to those who don't comply (i.e. I do find firing the CEO and other executives to be hazardous to my health and job prospects). Seriously, you must temper security with functionality and take a risk based approach. Where you have humans, you can/will have security issues - whether through bad programming, ignorance, or a just plain I don't care attitude. A little tongue in cheek mixed with the regular rant and sobs of frustration but we go on and try again the next day. **DISCLAIMER** These are my opinions and not those of my current, past or future employers... Sonja L. Robinson, CISSP, CIFI, CISA, CISM Forensic Lab Manager F T I 646.453.1283 direct Sonja.Robinson () fticonsulting com 3 Times Square, 11th Floor New York, NY 10036 www.fticonsulting.com -----Original Message----- From: Jason Muskat [mailto:Jason () TechDude Ca] Sent: Friday, May 19, 2006 9:59 PM To: Craig Wright; Saqib Ali; Bob Radvanovsky Cc: Sadler, Connie; email () securityabsurdity com; security-basics () securityfocus com Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Hello, There is a fundamental difference between consumer and say "black top secret' urber military grade security: Consumer: A fire alarm station is pulled; magnetic door locks release so that people can evacuate. "black top secret' urber military: A fire alarm station is pulled; full access restrictions remain in affect. --- Consumer: When power fails door locks release. "black top secret' urber military When power fails door locks cannot be disengaged. --- Similarly, A zero day threat is discovered. It uses a method of transmission that your organization uses as part of its core dealings. If one does anything other then fully block the method until the threat is resolved, the organization cares more about the dealings then security. I agree, "Welcome to life"! However, it is important to rise the bar on this. More needs to be done at the consumer organization level. Security sometimes means limiting if not stopping daily activities. Saying NO to remote access; say NO to VPN; say NO to shared passwords; say NO to unencrypted internal email.... Remove access from people that don't respect it and if this means they can no longer complete their job activities, dismiss them. Treat this as one would somebody with say bad credit, or as such. Regards, -- Jason Muskat | GCUX - de VE3TSJ ____________________________ TechDude e. Jason () TechDude Ca m. 416 .414 .9934 http://TechDude.Ca/
From: Craig Wright <cwright () bdosyd com au> Date: Thu, 18 May 2006 08:09:45 +1000 To: Jason Muskat <Jason () TechDude Ca>, Saqib Ali <docbook.xml () gmail com>, Bob Radvanovsky <rsradvan () unixworks net> Cc: "Sadler, Connie" <Connie_Sadler () brown edu>, <email () securityabsurdity com>, <security-basics () securityfocus com> Conversation: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Subject: RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Hello, Security can never be correct 100% of the time. This is not true even in high level military establishments. I am not stating that you should not do the best you can given a set of circumstances, but security is based on risk. 100% secure systems for one do not exist nor can they. This is a computationally intractable issue. Users are also an issue. They will not put up with the costs, both fiduciary and to freedom that 100% security requires. Even enforcing MAC (mandatory access control) in an organisation is difficult. The old wire cutter firewall example fails to provide security as an example. CIA - the triumberant foundation of information security requires availability of information. Cutting the cable cuts the legs out of security. Nothing is ever 100% secure. Welcome to life. Regards, Craig -----Original Message----- From: Jason Muskat [mailto:Jason () TechDude Ca] Sent: Wednesday, 17 May 2006 12:14 PM To: Saqib Ali; Bob Radvanovsky Cc: Sadler, Connie; email () securityabsurdity com; security-basics () securityfocus com Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Hello, Security has to be correct 100% of the time. One omission can lead to an exposure. Count yourself lucky that your vulnerabilities haven't been exposed (that you know of -- Think Ohio State's exposure <http://www.ohio.edu/datatheft/alumni/index.cfm>). Many organizations cover up (do not report to governmental authorizes) every exposure that occurs. This is the norm. Consider the following; 10 persons information were known to be
stolen.
Everything from address, SSN, account numbers, credit cards, driver lic., health ins. forms, employment data, etc.. It goes unreported. Years later you receive letters for failing to pay your mortgage, credit cards, taxes, car lease, speeding tickets, you didn't show up for sentencing, and have a warrant for your arrest. Things like the above happen. I read how a case of mistaken identity had some fellow jailed for a few months before it was resolved. Imagine how it could have went if the perpetrator had stolen his ID. Once your information is exposed you soon realize that there is nothing you can do to protect yourself, it's too late. For evermore you, not the organization, has to check your credit reports, accounts,
put flags up in your accounts over and over again until you die and all at your, not the organization's, expense. Most organizations don't
even offer help to the people they adversely effected. At the very least an organization should set up a department to help the customers
that have harmed. Regards, -- Jason Muskat | GCUX - de VE3TSJ ____________________________ TechDude e. Jason () TechDude Ca m. 416 .414 .9934 http://TechDude.Ca/From: Saqib Ali <docbook.xml () gmail com> Date: Fri, 12 May 2006 21:22:03 -0700 To: Bob Radvanovsky <rsradvan () unixworks net> Cc: Jason Muskat <Jason () techdude ca>, "Sadler, Connie" <Connie_Sadler () brown edu>, <email () securityabsurdity com>, <security-basics () securityfocus com> Subject: Re: Article: "Security Absurdity: The Complete,Unquestionable, AndTotal Failure of Information Security.""Security" is a matter of perception. If the companies don't see itas anissue, it (quite simply) is *not* an issue.That is fine for the company in question. But NOT fine for the customers / other companies interfacing with the company that does not see INsecurity is an issue. I wouldn't wanna have my credit card info stolen from an online merchant, neither would you.One option is that I do not deal with compannies that do take security seriously. But how do I know which companies do NOT take security seriously? Maybe they should put a disclaimer on their
website????
--Saqib Ali, CISSP, ISSAP Support http://www.capital-punishment.net ----------- "I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15 -----------Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. DISCLAIMER The information contained in this email and any attachments is
confidential.
If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.
Current thread:
- Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." email (May 10)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Saqib Ali (May 15)
- <Possible follow-ups>
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Sadler, Connie (May 10)
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Craig Wright (May 20)
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Craig Wright (May 20)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Jason Muskat (May 20)
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Robinson, Sonja (May 23)