Security Basics mailing list archives

Re: considerations about exploits tricks


From: jfvanmeter () comcast net
Date: Mon, 05 Nov 2007 17:48:03 +0000

That was nicely written, Sean, but when one talks about security, we rarely talk about securing the "user". If I 
can get one user to tell me a password, reset an account, or open an email that installs software, all the work that is done 
to secure the perimeter doesn't mean anything. 
If we don't take social engineering into account, hardening the perimeter is just a speed bump. 

Take Care and Have Fun --John

 -------------- Original message ----------------------
From: PCSC Information Services <info () pcsage biz>
Hi opexoc et al,

One thing to be considered when designing your systems for security is  
that 'Security is a process, not a destination.' It's been argued that  
the only secure computer is the one that's at the bottom of the ocean  
with no power available. I would hazard that with this in mind, there  
is never the possibility of 'winning' the battle, only consistent,  
successful defense of the perimeter.

Successful security is consistent, but to arrive at this level of  
consistency requires constant vigilance. It would never do to rest on  
one's laurels and say 'We've arrived and we're secure,' as that  
'Maginot Line' of thinking would only be circumvented by shifting the  
vector of attack (as the Maginot defense proved).

If you are in charge of security for your organization, it's critical  
to have frank discussion about the ongoing security requirements of  
your systems, and to ensure that policy is in place to monitor, and  
adjust your security processes as software and systems evolve. Even  
more critical is that the budget and human-power is adequately  
provided for through the policy so as to ensure that these evolving  
security threats are met with the appropriate response. Attackers are  
never standing still, and neither should the vigilant security expert.

Best,

Sean Swayze

On 3-Nov-07, at 7:36 PM, opexoc () gmail com wrote:

Hello,

I wonder about security holes which are still present in our OS,  
which let attackers take control. I have heard about the PaX  
system, ProPolice and others, which in combination should defend the  
system well against attacks like buffer overflow. Is it not  
enough? Can't we really win the battle against buffer overflow and  
heap overflow?

opexoc
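To make the question above concrete, here is an added example (not code from anyone in the thread) in C. It uses a hypothetical one-byte-length-prefixed record format, assumed for illustration only. The first parser trusts the length byte and overflows a fixed buffer; the second checks the length against both the destination capacity and the bytes actually supplied before copying. The point for the PaX/ProPolice question: a stack canary detects such an overflow only when the corrupted frame returns, after the write has already happened, and sees nothing if the destination is on the heap; a non-executable stack stops injected code from running but not the data corruption itself. Only the bounds check removes the bug. Sample inputs are constructed inline, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire format assumed for this example: one byte giving the
 * payload length, followed by that many payload bytes. */
#define PAYLOAD_CAP 32

struct record {
    uint8_t len;
    char    payload[PAYLOAD_CAP];
};

/* Vulnerable parser: trusts the attacker-controlled length byte.
 * With len > PAYLOAD_CAP the memcpy writes past `payload`.  If `out`
 * lives on the caller's stack, a ProPolice-style canary catches the
 * damage only when that frame returns, after the write; PaX NX keeps
 * injected bytes from executing but leaves the corruption in place;
 * if `out` lives on the heap, a stack canary never sees it at all. */
int parse_record_unsafe(const uint8_t *in, size_t in_len, struct record *out)
{
    if (in_len < 1)
        return -1;
    out->len = in[0];
    memcpy(out->payload, in + 1, out->len);  /* unchecked copy: the overflow */
    return 0;
}

/* Hardened parser: the declared length is checked against the
 * destination capacity (no overflow) and against the bytes actually
 * supplied (no over-read) before a single byte is copied. */
int parse_record_safe(const uint8_t *in, size_t in_len, struct record *out)
{
    if (in_len < 1)
        return -1;
    uint8_t len = in[0];
    if (len > PAYLOAD_CAP)
        return -2;                        /* would overflow out->payload */
    if ((size_t)len > in_len - 1)
        return -3;                        /* declares more than was sent */
    out->len = len;
    memcpy(out->payload, in + 1, len);
    return 0;
}

/* Constructed sample input (not captured traffic): len=5, "hello". */
static const uint8_t BENIGN[] = { 5, 'h', 'e', 'l', 'l', 'o' };

/* Builds a constructed malicious record claiming 200 payload bytes of 'A'. */
static size_t build_oversized(uint8_t *buf, size_t cap)
{
    if (cap < 201)
        return 0;
    buf[0] = 200;
    memset(buf + 1, 'A', 200);
    return 201;
}

/* Returns 1 if the safe parser accepts the benign record intact. */
int demo_safe_accepts_benign(void)
{
    struct record r;
    memset(&r, 0, sizeof r);
    if (parse_record_safe(BENIGN, sizeof BENIGN, &r) != 0)
        return 0;
    return r.len == 5 && memcmp(r.payload, "hello", 5) == 0;
}

/* Returns the safe parser's code for the oversized record (-2). */
int demo_safe_rejects_oversized(void)
{
    uint8_t wire[256];
    size_t n = build_oversized(wire, sizeof wire);
    struct record r;
    return parse_record_safe(wire, n, &r);
}

/* Length byte says 5 but only 3 payload bytes follow: returns -3. */
int demo_safe_rejects_truncated(void)
{
    static const uint8_t cut[] = { 5, 'h', 'e', 'l' };
    struct record r;
    return parse_record_safe(cut, sizeof cut, &r);
}

int main(void)
{
    printf("benign record, safe parser accepted: %d\n", demo_safe_accepts_benign());
    printf("oversized record, safe parser code:  %d\n", demo_safe_rejects_oversized());
    printf("truncated record, safe parser code:  %d\n", demo_safe_rejects_truncated());
    /* Feeding the oversized record to parse_record_unsafe with a
     * stack-resident `out` is the crash the question is about; do that
     * only in a throwaway process under a debugger. */
    return 0;
}
```

Build the unsafe variant with and without -fstack-protector and feed it the oversized record to see the difference the original question asks about: without the protector the frame is silently corrupted; with it the process aborts at return, but the 200 bytes were still written. The safe parser returns before any copy in both cases.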


