Security Basics mailing list archives
RE: Security vs. Simplicity
From: "Craig S. Wright" <craig.wright () Information-Defense com>
Date: Fri, 22 May 2009 07:56:04 +1000
More effective (and hence better) security does not always = more money and cost. Simple is often NOT less expensive in the manner touted. You have to weigh the upfront and ongoing costs. NPV (net present value) calculations based on probabilistic rates of occurrence help here.

Granny's Win 98 host is far from simple.

...

Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of aaa () bbb com
Sent: Wednesday, 20 May 2009 7:21 AM
To: security-basics () securityfocus com
Subject: Re: Security vs. Simplicity

Can't really argue with Steve's view. Another perspective on it is that "Business Needs" define how much security (more expensive) is valued over simplicity (cheaper). Extremism in any form is not realistic.

The "simplest" network is "Granny's" Windows 98 PC plugged directly into the Internet. It's simple, cheap and about as secure as a screen door on a submarine. The most "secure" computer is set up inside a Faraday cage, inside a vault, not connected to any network. And the power is turned off. Its only use is to collect dust.

Realistically, businesses have to find the happy medium between those extremes that is appropriate to their situation. A "mom and pop" store with only 3 or 4 PCs and a cash register on their internal network, connections to vendors for ordering goods, and Quicken for their accounts may be reasonably satisfied with a router, firewall software and Anti-malware suites installed on each. It's simple to maintain, cheap enough to be supported on their cash flow, and basically secure enough to protect them.

On the other hand a bank or large retailer with lots of customer, employee, and vendor personal information, lots of credit card sales, and lots of inventory and cash to lose track of is going to want a great deal more security and complexity to avoid the negative impacts of breaches.

How much security complexity is "enough" depends on their business needs based in part on estimated costs associated with breaches. There is no "right" answer. "It depends" on the specific situation.

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------