Information Security News mailing list archives

Re: Security myths costing firms


From: InfoSec News <isn () c4i org>
Date: Mon, 13 May 2002 01:42:28 -0500 (CDT)

Forwarded from: Jay D. Dyson <jdyson () treachery net>


On Tue, 7 May 2002, InfoSec News wrote:

SECURITY guru Peter Tippett loves to shock people.
<snip>
He said no security system was ever going to be 100 per cent effective. 

        That's a shock?  Hell, even the vault doors on Fort Knox have
caveats on their failure conditions.  Anybody with a lick of sense knows
that.  Anyone who thinks that any digital security is 100% fool-proof
only shows that they are a fool.

The costs involved in reacting to every alert or vulnerability would be
prohibitive, in any case, he said. 

        Rubbish.  Following any recommendation of every market droid out
there is cost-prohibitive; meaningful security is definitely _not_ cost-
prohibitive...it's cost-effective.

A better approach was to quantify security risks, and take steps to
realistically address them - bearing in mind the costs of doing so. 

        Or, even more radically, actually *implementing* security
recommendations once you get them.  I can't tell you how many times I've
seen businesses buy firewalls and never implement them.  Even worse are
the ones who do implement them, but never bother looking at the firewall
logs.  Still worse are those who make no critical assessment of the
marketing claims made by the snake oil salesmen who foist this stuff onto
them.

Dr Tippett said companies were spending more money on security every
year, but the problems of web defacements, intrusions, viruses and
denial of service attacks still became worse. It was a mindset problem,
he said. Companies were focusing on the wrong things and failing to get
the basics right. 

        Or doing their usual thing by spending money and then never
following through.  I can't tell you how many times my government employer
has thrown good money after bad on "security audits" only to never do
anything about the problems discovered until they get their asses 0wn3d
six ways to Sunday.

        Thus, the problem isn't any perceived shortcomings in security
modalities; it's a shortcoming in actual *action* on the part of the
current and future victims.

A better approach was to employ "synergistic security", which hinged
on the concept of redundancy in security controls, Dr Tippett said.

        How about more security and fewer buzzwords?  I for one would
definitely welcome that.

Now airline safety has improved 1000-fold, largely due to improved
safety practices.

        Bull.  The FAA has been, still is, and always will be a tombstone
agency.  Changes are not made until enough people die.  Ask anyone who's
worked with or for the FAA and they'll tell you the same thing.  Asking
the computer security industry to be modeled after the FAA isn't a step in
the right direction...it's just codification of the idiocy we have today.

"There's no formal mechanism for distributing information about problems
and what must be done to fix them." 

        By doing what?  NIPC, Part 2?  That's a laugh.

TruSecure is positioning itself in that space, as an information
repository and advisory service. Dr Tippett said the company monitored
the activities of some 800 hacker groups and collected 200 gigabytes of
net traffic a day, to keep ahead of the problems. 

        I knew it...more marketing dreck.  Saw it coming a mile away.

- -Jay

  (    (                                                          _______
  ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () treachery net ------<) |    = |-'
 `--' `--'  `-- They know the rules.  We know the loopholes. --'  `------'

