Educause Security Discussion mailing list archives

Re: Risks of File Transfer on a Fully Switched Network


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 1 Dec 2005 10:41:24 +1300

Gary Dobbins wrote:
> For all the reasons the other respondents have pointed out, you may want
> to choose to simply expect the campus net is just as potentially hostile
> as any cyber cafe, harden the endpoint machines, and use only encrypted
> transmission for sensitive data as a matter of policy.
>
> Then, permit variance from that default policy only by deliberate
> choice, and in the presence of sufficient local compensatory controls,
> such as within a managed datacenter.

Gary makes a good point about policies. My view is that one of the main
reasons for policies is to make people stop and think before doing
things.  Whenever we put up new policies we get a chorus of 'but what
about X'.  In some (most?) cases it turns out that there are alternative
ways of doing X without breaching policy, in many cases the new way is
better from a security perspective and no worse from a convenience view.
Sometimes we decide that the risk posed by X is less than the cost of
adhering to the policy and we grant an exemption.  The key thing is that
someone has stopped and thought about it.

This is exactly what is happening in Connie's case.  Some people in her
organisation are (in effect) arguing that the risk of interception is
less than the cost of the encryption.  What is missing from this equation
is the cost of compromise.  Most organisations have a document
classification scheme: Public, internal distribution, sensitive, highly
sensitive.....

My gut feeling is that things that are internal distribution and below
don't need encryption on the local network, but anything above does,
even if the risk is low simply because encryption is now so cheap.  One
ends up asking the question "why would one *not* encrypt exam papers
that are being sent to the printer (I mean both/either the part of the
organisation responsible for printing such things and/or the physical
printer on the network which should be in a highly secured area where
there is no (well as low as one can make it) possibility of anyone
getting at your switches)?"  The same goes for administration papers on
pending fee increases, financial papers... Given how cheap encryption is
you have to be mad not to use it.

This is related to the story that is all over the papers and TV here in
NZ at the moment.  It has been revealed that both main domestic airlines
have policies that unaccompanied children are not seated next to men.
Somehow, recently, presumably because of some stuff up in the seat
allocation, cabin staff have asked men to swap seats with a woman to
comply with the policy -- much to the embarrassment of the poor chap who
is asked to shift.

There has been much venting of spleen about PC gone mad etc.  But the NZ
Herald (biggest paper in the country) leader today points out (quite
rightly) that the policy is a perfectly sensible low cost response to a
low risk threat, but one that can have devastating consequences.
Unfortunately they did not take the next logical step and tear the
airlines apart for failing to properly enforce the rules at seat
allocation time and leaving cabin crew to deal with embarrassed customers.

I think that encrypting sensitive information on the network by default
is in the same category.  If there are particular cases where encryption
causes additional costs that are deemed unacceptable then you make an
exception for this application.  But at least someone gets to think about
it and make an explicit decision.

Russell
