Security Basics mailing list archives

RE: Security vs. Simplicity


From: "Craig S. Wright" <craig.wright () Information-Defense com>
Date: Fri, 22 May 2009 07:56:04 +1000

More effective (and hence better) security does not always = more money and
cost.

Simple is often NOT less expensive in the manner touted.

You have to weigh the upfront and ongoing costs. NPV (net present value)
calculations based on probabilistic rates of occurrence help here.

Granny's Win 98 host is far from simple.

...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of aaa () bbb com
Sent: Wednesday, 20 May 2009 7:21 AM
To: security-basics () securityfocus com
Subject: Re: Security vs. Simplicity

Can't really argue with Steve's view.  Another perspective on it is that
"Business Needs" define how much security (more expensive) is valued over
simplicity (cheaper).

Extremism in any form is not realistic.  The "simplest" network is
"Granny's" Windows 98 PC plugged directly into the Internet.  It's simple,
cheap and about as secure as a screen door on a submarine.  The most
"secure" computer is set up inside a Faraday cage, inside a vault, not
connected to any network.  And the power is turned off.  Its only use is to
collect dust.

Realistically, businesses have to find the happy medium between those
extremes that is appropriate to their situation.  A "mom and pop" store with
only 3 or 4 PCs and a cash register on their internal network, connections
to vendors for ordering goods, and Quicken for their accounts may be
reasonably satisfied with a router, firewall software and Anti-malware
suites installed on each.  It's simple to maintain, cheap enough to be
supported on their cash flow, and basically secure enough to protect them.
On the other hand a bank or large retailer with lots of customer, employee,
and vendor personal information, lots of credit card sales, and lots of
inventory and cash to lose track of is going to want a great deal more
security and complexity to avoid the negative impacts of breaches.  How much
security complexity is "enough" depends on their business needs based in
part on estimated costs associated with breaches.

There is no "right" answer. "It depends" on the specific situation. 
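The NPV comparison Craig alludes to, worked through as an added example (this is not code from either poster): each option carries an upfront cost, an ongoing annual cost and an expected annual loss (annual incident probability times loss per incident), all discounted over a planning horizon. The option names, costs, probabilities, discount rate and horizon are constructed assumptions for illustration only.

```python
from dataclasses import dataclass

@dataclass
class Option:
    name: str
    upfront: float            # one-off cost at year 0
    annual_cost: float        # ongoing cost per year (licences, admin time, support)
    p_incident: float         # estimated annual probability of a damaging breach
    loss_per_incident: float  # estimated cost of one breach

def expected_annual_loss(opt: Option) -> float:
    """Annualised loss expectancy: probability of a breach times its cost."""
    return opt.p_incident * opt.loss_per_incident

def annuity_factor(rate: float, years: int) -> float:
    """Present value of 1 unit paid at the end of each of `years` years."""
    return sum(1.0 / (1.0 + rate) ** t for t in range(1, years + 1))

def npv_cost(opt: Option, rate: float, years: int) -> float:
    """Total discounted cost of ownership, including expected breach losses."""
    yearly = opt.annual_cost + expected_annual_loss(opt)
    return opt.upfront + yearly * annuity_factor(rate, years)

def cheapest(options, rate: float, years: int) -> Option:
    return min(options, key=lambda o: npv_cost(o, rate, years))

def breakeven_probability(simple: Option, other: Option, rate: float, years: int) -> float:
    """Annual breach probability at which the 'simple' option stops being cheaper
    than `other`; below this value the simple setup wins on NPV."""
    af = annuity_factor(rate, years)
    yearly_budget = (npv_cost(other, rate, years) - simple.upfront) / af
    return (yearly_budget - simple.annual_cost) / simple.loss_per_incident

# Constructed sample figures: a small shop choosing between a consumer router
# plus desktop anti-malware, and a managed firewall with patching and backups.
SIMPLE = Option("consumer router + AV", upfront=500, annual_cost=300,
                p_incident=0.30, loss_per_incident=20_000)
HARDENED = Option("managed firewall + patching + backups", upfront=4_000,
                  annual_cost=1_500, p_incident=0.05, loss_per_incident=20_000)
RATE, YEARS = 0.08, 5   # assumed discount rate and planning horizon

if __name__ == "__main__":
    for o in (SIMPLE, HARDENED):
        print(f"{o.name}: NPV cost {npv_cost(o, RATE, YEARS):,.0f}")
    print("cheapest:", cheapest([SIMPLE, HARDENED], RATE, YEARS).name)
    print(f"simple option wins only if p < {breakeven_probability(SIMPLE, HARDENED, RATE, YEARS):.3f}")
```

The interesting output is the breakeven probability: it turns the "simple is cheaper" claim into a testable estimate of how rarely the simple setup must be breached for it to actually cost less.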

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both
Instructor-Led and Online formats is the most concentrated exam prep
available. Comprehensive course materials and an expert instructor means you
pass the exam. Gain a laser like insight into what is covered on the exam,
with zero fluff! 

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------