Security Basics mailing list archives
So what? <was: RE: Security and the Under 30 User>
From: zenmasterbob123 () gmail com
Date: 12 Feb 2008 19:57:56 -0000
When Simphiwe Mngadi said, "There is a very thin line between security and paranoia. You say that facebook is insecure, SO WHAT?", I was caught off guard. This is, after all, a forum for people that care about security, whether to enhance it or subvert it. But the more I think about it, the more I realise this is a valid question.

The OP was concerned about the attitude people 30 and under have regarding security. They see compromise of their network/system/device as inevitable. Sort of like a lot of people are with kids and booze or sex. It's gonna happen anyway, so I am better off spending my time and energy preparing to minimize the damage instead of wasting my efforts on trying to stop it.

If it were their home networks/systems/devices, then I would agree. Do what you want. Engage in whatever risky behaviour you like, as long as you don't whine to me about the consequences of your actions. If you change your mind and decide you want to follow another path, I will be glad to give whatever help and information I can. But the OP was talking about business users, not home users. These people are risking something that doesn't belong to them, rather like if I borrowed your car and started drinking while driving. I am at risk, but the risk is not mine alone, because you stand to lose a lot as well.

Simphiwe Mngadi went on to say "The level of security is influenced by human behaviour, unless we 'security-focused community' soon realise that, we might as well look for something else to do." True enough. User education has always been the best value for the money, and the insider has always caused more trouble than the outsider. And in the current environment, people are obviously willing to trade a lot of things for their own personal enjoyment. If a guy will say "I can't work here if I can't IM my friends", then he would seem to be willing to trade some rewards (pay, benefits, or something like that) for personal enjoyment (IM, Ebay, or others).

And there are often organizations that would be willing to trade a little of their security to keep some qualified accountants, HR people, and admin staff happy. So this brings up some new questions: Where is the practical place to draw the line? Are my system and network assets more valuable than my people? Are the people more valuable than the data? If I offer to trade the staff unlimited Internet access for a 5% pay cut, as long as productivity doesn't drop, which of us is getting the better end of the deal?

Don't get me wrong. Security is my personal priority. But is there a trade-off point where making the staff happy is worth the potential risks? And if you could mitigate the risks in other ways, like putting in a third layer to your network so public machines are in a DMZ, some staff are in an "outer layer", and some assets are very tightly protected, would you consider doing something like that on your corporate network if it were your company?

ZMB