Firewall Wizards mailing list archives

Re: Castles and Security (fwd)


From: Darren Reed <darrenr () reed wattle id au>
Date: Thu, 4 Jan 2001 12:21:49 +1100 (EST)

In some email I received from John McDermott, sie wrote:

> Darren Reed wrote:
> > Why just networks and castles?
> >
> > What this really boils down to is that your logical security mechanisms
> > (network, etc) need to be at least as strong as the physical measures you
> > put in place (magnetic locks on doors, etc).  If only the President of
> > Acme Inc. can get into his office then only the President of Acme Inc.
> > should be able to use the computer on his desk, etc, regardless of whether
> > or not it is networked.
>
> Unless the Prez installed, say, VNC on his computer so he could work
> from home and neglected to specify a password...

I think you've totally missed the point I was making.

Unless you're saying that the security of his workstation, at work, is
now equivalent to the physical security of his house/office (actually,
whichever has the lower level of security).  In which case, mentioning
the lack of password is irrelevant.

I'm not so much concerned with the implementation difficulties of specific
scenarios such as the one you've painted but getting people to think about
the problem in a meaningful manner.  Heck, even if there is a password set
you then have to worry about encryption to home, buffer overflows in their
implementation of the protocol(s), etc.

Worrying about a password is not so important as whether it is appropriate
for them (or anyone) to view company confidential documents wherever they may be?
I can't imagine anyone from the military would take kindly to seeing someone
on a plane reading a classified document (well that belonged to their side
anyway :)) so nor should he be able to read C-I-C documents from insecure
locations.  The problem of passwords is peripheral to the real problems
and is a "bad software" problem (heck, we shouldn't need passwords anyway,
computers should just *know* via other means).

Other details such as whether or not such a person should be installing
software, does it fall within the security policy, etc, are also relevant
but peripheral to the point I was making:

people will follow the path of least resistance to get in, regardless of
whether that is through the front door or over the WAN.  If all paths have
the same amount of "resistance" then you should be able to feel comfortable
with your security.  If you have a security dude watching everyone come in
your front door, you should have a security dude watching everyone come in
over the internet.  It might also mean that any access to the president's
computer needs to be ok'd with the secretary (or equivalent thereof) or at
home, you'd need to get their spouse's ok.  That sort of thing is what I
mean.

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
