Information Security News mailing list archives

Re: Commentary: The Threat Of Microsofts .Net


From: InfoSec News <isn () c4i org>
Date: Tue, 30 Oct 2001 03:32:25 -0600 (CST)

Forwarded from: John Ellingson <JohnE37179 () aol com>

In a message dated 10/26/01 5:06:08 AM, isn () c4i org writes:

<< Suppose somebody breaks in. Everyone's personal and financial
information would suddenly be in the hands of the intruders. Or
worse--they could be scattered about in a series of resulting
malfunctions. The extent of the financial, social, and political
disaster that could result is hard to imagine. >>

The real risk isn't someone breaking in. While the focus of this group
is on security and most of us work in the digital world, the greatest
risk is still some form of social engineering. Approximately 80% of all
losses/unauthorized access occurs from inside the firewall. It comes
from people who have previously had access, but it was never turned
off, or someone who is bribed, or has a grudge, or is otherwise
motivated. Those of us in the security business have a duty to look at
system security as a whole. That does not mean just device to device,
it means including all users and it crucially means an assumption that
not everyone will follow the rules.

If I could offer a classic example: We all know that identity fraud is
growing by leaps and bounds. It is doing so because we enable it. We
enable identity fraud through some of the very schemes and technology
we use to provide security. Identity fraud is enabled through the use
of PKI, encryption, digital certificates, over reliance on credit
reports and the dangerously false assumption that one identity must be
attached to one person and that person matches the identity.

We continually design point solutions, each one a link in the security
chain. We defer to some integrator or our customers to assemble the
chain. But as we all know, no one provides a complete chain or even a
design for the complete chain. Security that is either just a bunch of
unconnected links (weak or strong), or a linked chain that is one link
short of a connection, is no security at all.

We live in a world that has digitized the paradigm of business that
existed in the 50s. In the fifties businesses knew their customers and
would recognize them on the street. Today most business wouldn't
recognize their customers face to face. Yet, we have not changed our
underlying basic assumptions.

We cannot build a truly secure environment out of patches to an
obsolete paradigm.


John Ellingson
CEO
Edentification, Inc.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
