Security Basics mailing list archives

Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."


From: Christian.Assfalg () bc boehringer-ingelheim com
Date: Thu, 18 May 2006 09:11:58 +0200

I agree.

Security can never be 100%. It is always a compromise between the security level you want to achieve and the effort you 
can or want to spend to improve security.

It is also a compromise between security level and accessibility / usability. The more secure something is, the more 
complicated it is to use. Sure, if you had to type 5 passwords, enter 3 one-time pads and perform a retina scan, that 
would be very secure. But would this be practical to access an application you have to use constantly and which you 
have to lock EVERY single time you leave your workstation for a minute?

(Which should actually apply to your workstation, if you take security seriously. Do you lock your workstation every time 
you go to the toilet, fetch something from the printer three rooms away, get some coffee...? Do your colleagues?)

And can you remember 5 passwords that change every three months? Well, I guess I could manage 2, IF I used them 
regularly, that is, more than once a day. I guess I would have to have them written down for two or three days without 
enumeration. Most users would either end up writing those passwords down permanently, or at least add some kind of 
enumeration to them. There goes your password security.

Security, in my eyes, has two difficulties:
First, to cover ALL areas, to not lose the general picture in silly technical details. Also to have an understanding 
of which areas are covered by you or your department, and which ones are covered by other people.
Second, to create an awareness of security and what it means in every single person that walks around in your building.

Sure, technical security is an important thing. But technical security is rather easy to accomplish. If you have tight 
security requirements, you will most likely have the biggest problems with user awareness.

It is, for example, nice to have telnet replaced by ssh. But how long do you need to type "rm -rf /" on an open root 
shell from an unlocked workstation? Or how does this help you in case someone managed to install a hardware keylogger 
on a couple of workstations? Or if there is a web console without a password or with a default password? Or if someone 
sniffs the file where your passwords are stored while it is being backed up?

The list is endless, and I think the article does a great job in pointing out issues one would not think about at 
first. I don't think we should panic due to this article or start improving security wherever we can. But for me, it 
created sort of an awareness of how BIG this topic actually is, and how important yet complicated it is to implement.


-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com] 
Sent: Wednesday, 17 May 2006 15:25
To: Jason Muskat
Cc: Bob Radvanovsky; Sadler, Connie; email () securityabsurdity com; security-basics () securityfocus com
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."


Security has to be correct 100% of the time. One omission can lead to an

I don't disagree with you. However, absolute security requires absolute
non-existence of the information. E.g., you can have IPS, IDS, DRM,
TPM, AV, firewall etc. on your network, but as soon as somebody prints
out that confidential document and tosses it in a garbage can, your
security goes with it.

Another example: everyone knows that the one-time pad provides "perfect
secrecy". But then how did the British intercept the Soviet
communications? The Soviets re-used the OTP, which allowed for
statistical analysis and/or pattern matching. Re-using seemed pretty
harmless at the time, but in retrospect it was a big mistake. Isn't
everything in retrospect a mistake?

Security has 3 core principles: Confidentiality (non-disclosure),
Integrity, Availability (non-destruction). In a way, Confidentiality is
inversely proportional to Availability (I think). By making something
available you are increasing the chances of its disclosure. So in
theory 100% security is not possible.


-- 
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------
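The pad reuse that Saqib mentions above is the classic "two-time pad" failure: once the same pad encrypts two messages, XORing the two ciphertexts cancels the pad and leaves the XOR of the two plaintexts, which an analyst attacks by "crib dragging", sliding a guessed fragment of one message along that XOR until readable text from the other message falls out. The following Python is an added example written for this archive, not code from either poster; the two messages and the crib are constructed for illustration, the pad is generated locally with os.urandom, and the PLAUSIBLE character set and the function names are my own choices.

```python
# Added example (not from the thread): why reusing a one-time pad breaks it.
# A truly random pad as long as the message, used once, is perfectly secret.
# Used twice, it leaks c1 XOR c2 = p1 XOR p2, and the pad is gone from the
# equation entirely; the attacker works on the two plaintexts directly.
import os

# Constructed sample messages of equal length (hypothetical, for illustration).
P1 = b"attack the bridge at dawn and hold it"
P2 = b"retreat to the river before the night"
PAD = os.urandom(len(P1))  # one random pad, wrongly used for both messages


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp(message: bytes, pad: bytes) -> bytes:
    """One-time-pad encryption; decryption is the same operation."""
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(message, pad[:len(message)])


C1 = otp(P1, PAD)
C2 = otp(P2, PAD)

# Characters we accept as "looks like English" when judging a crib position.
PLAUSIBLE = set(b"abcdefghijklmnopqrstuvwxyz ,.'-")


def crib_drag(ct_xor: bytes, crib: bytes) -> list:
    """Slide `crib` along c1 XOR c2. Wherever the crib sits at its true
    position in one message, XORing it out exposes the other message's text
    at the same offset. Return (offset, text) pairs whose output looks like
    English. Wrong offsets also produce some plausible-looking hits; the
    analyst rules those out by hand and extends the crib from the real ones."""
    hits = []
    for off in range(len(ct_xor) - len(crib) + 1):
        candidate = xor_bytes(ct_xor[off:off + len(crib)], crib)
        if all(b in PLAUSIBLE for b in candidate):
            hits.append((off, candidate))
    return hits


def recover_other(c1: bytes, c2: bytes, known_plaintext: bytes) -> bytes:
    """Once one message is fully known, the other falls out with no key at all."""
    return xor_bytes(xor_bytes(c1, c2), known_plaintext)


if __name__ == "__main__":
    leak = xor_bytes(C1, C2)          # equals P1 XOR P2; the pad has cancelled out
    for off, text in crib_drag(leak, b" the "):
        print(f"offset {off:2d}: {text!r}")
    print(recover_other(C1, C2, P1))  # b'retreat to the river before the night'
```

With the crib " the ", the true positions (offset 6 in the first message, offsets 10 and 27 in the second) each reveal five characters of the opposite message; a few false positives appear as well, which is normal for a short crib and is why real crib dragging is iterative. The point for the thread is that none of this touches the pad itself: the perfect secrecy proof holds only while every pad byte is used exactly once.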


