Security Basics mailing list archives

Re: Security vs. Simplicity


From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Sat, 23 May 2009 17:55:31 -0400

That argument doesn't really hold up in the context of this
conversation.  A "simple" network from both an ops and security
perspective might have a single router with integrated firewall and
that's it.  No DMZ, no IDS etc.  Adding a DMZ, redundant routers,
multiple firewalls from different vendors, and IDS sensors etc. all of
a sudden makes your network much more complex, and much more secure
from a defense in depth perspective.  The defense in depth strategy
does not lessen security but rather puts more roadblocks in the way
of an attacker.

On Fri, May 22, 2009 at 9:49 AM,  <dan.crowley () gmail com> wrote:
I'd like to challenge your original assumption that security and simplicity are inversely related (i.e. more of one 
means less of the other).

I have a concrete block. It is my computer. It is very simply designed. I dare you to find a vulnerability in my 
computer. (A silly example, perhaps, but it makes my point)

In fact, with complexity ALWAYS comes more security problems. Take social networking sites as an example. You'd think 
that sites as large as MySpace with dedicated IT folks working on it might have some pretty good security, but its 
track record has really sucked. Why? Because there's SO MUCH ATTACK SURFACE.

In addition to complexity providing more places to launch attacks (attack surface) you also will likely have less of 
an ability to perceive possible flaws in a more complex system, leaving it up to a future attacker to do so. ;)

Given that complexity makes security harder, focus on the simplicity first, as it will make life easier for everyone, 
especially your security engineer.

I'd also like to add that adding security as "an extra layer" sounds like bad security to me if that's the only place 
security is going. Security is a property, not a box on an inventory checklist. Upon performing pen tests in the 
past, nearly all of what I see is "M&M security". One hard, difficult to break outside layer, and soft, sweet innards.

Good luck in building your infrastructure!

--
Dan Crowley
"One machine can do the work of fifty ordinary men. No machine can do the work of an extraordinary man."

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. 
Gain a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------




