Security Basics mailing list archives

Re: Security vs. Simplicity


From: aaa () bbb com
Date: Tue, 19 May 2009 15:20:55 -0600

Can't really argue with Steve's view.  Another perspective on it is that "Business Needs" define how much security 
(more expensive) is valued over simplicity (cheaper).

Extremism in any form is not realistic.  The "simplest" network is Granny's Windows 98 PC plugged directly into the 
Internet.  It's simple, cheap and about as secure as a screen door on a submarine.  The most "secure" computer is set up 
inside a Faraday cage, inside a vault, not connected to any network.  And the power is turned off.  Its only use is to 
collect dust.

Realistically, businesses have to find the happy medium between those extremes that is appropriate to their situation.  
A "mom and pop" store with only 3 or 4 PCs and a cash register on their internal network, connections to vendors for 
ordering goods, and Quicken for their accounts may be reasonably satisfied with a router, firewall software and 
Anti-malware suites installed on each.  It's simple to maintain, cheap enough to be supported on their cash flow, and 
basically secure enough to protect them.  On the other hand a bank or large retailer with lots of customer, employee, 
and vendor personal information, lots of credit card sales, and lots of inventory and cash to lose track of is going to 
want a great deal more security and complexity to avoid the negative impacts of breaches.  How much security complexity 
is "enough" depends on their business needs based in part on estimated costs associated with breaches.

There is no "right" answer. "It depends" on the specific situation. 
