Information Security News mailing list archives

Re: A Tempting Offer for Russian Pair (Three messages)


From: InfoSec News <isn () c4i org>
Date: Sat, 24 May 2003 02:25:16 -0500 (CDT)

Forwarded from: Russell Coker <russell () coker com au>
Cc: Kurt Seifried <kurt () seifried org>

On Thu, 22 May 2003 15:51, InfoSec News wrote:

It's what you have to do if you want things to run properly.
Complaining about being hacked and then having to pay extra to get
security is like complaining about leaving your umbrella at home
and being forced to buy one from an expensive store when a
thunderstorm starts.  There's no point complaining about such
things, you knew the risks, took a chance, and it didn't work out.

That is so true. My house only has wimpy little deadbolts on the
front and back, and the windows are only made out of glass, and not
shatter resistant. Heck, I don't even have a security system.
Obviously after I get broken into and spend the money on a security
system we'll know whose fault it was, me the victim, right?


But your house is locked, and it is not a bank.

Anyone who leaves their house unlocked and unattended is asking for
trouble, they will get little sympathy from the police and no sympathy
from their insurance company if they are robbed.

Banks have bullet-proof glass, heavy steel doors, time-delay locks,
security cameras that send the picture off-site, etc.  Any bank that
lacks these features would be considered inadequate.

The same applies to electronic commerce.  You should have the same
level of security for electronic money transfers as you do for
physical transfers of cash.  No company would have a lone employee
holding $100,000 in cash at a street corner at midnight, but most
companies do equivalent things with their e-commerce sites.


Usually when you take a chance on computer security it won't work
out.

If you could give me a definition for "chance" for my servers I'd
love to know what it is (is running up to date software, firewalling
and some other additional means enough? Am I taking a chance by not
running SELinux? =).

SE Linux is one potential part of a security solution.

I suggest some minimal capability of a firewall, I wouldn't suggest
investing too much in firewalls because if the application is cracked
then the firewall is useless.  An IDS is handy if there are staff to
properly configure it and monitor its output.  A system of Mandatory
Access Control for hosts such as SE Linux is necessary, I think that
SE Linux is the best option but there are many to choose from.


-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

 

-=- 



Forwarded from: Tony | AVIEN / EWS <tony () avien org>
 

<<Obviously after I get broken into and spend the money on a security
system we'll know whose fault it was, me the victim, right?>>

I would tend to agree with Kurt on this.

The umbrella analogy is good for businesses that implement *no*
security and then pay big bucks to roll out security urgently after
the fact.  It is more like you left the house with an umbrella
thinking that you were proactively preparing for the weather only to
find out that your umbrella has a hole or a tornado strikes and
totally negates your protective measures.

However, in most cases businesses have implemented *some* security. It
is a matter of debate whether that security should be considered a
reasonable defense. Using Kurt's analogy, even if I leave the doors
and windows to my house wide open it does not mean I should "deserve"
to be robbed.

Whether I choose to just close the door or deadbolt the door or buy an
alarm, install video surveillance and hire a security guard are all
degrees of security that I could implement. In the end, if I do
everything I can, someone with enough time, knowledge and desire can
still get in and if I do nothing it does not give someone the right to
come in.


Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+
About.com Guide for Internet / Network Security
http://netsecurity.about.com 




-=-


Forwarded from: Kurt Seifried <kurt () seifried org>
Cc: Russell Coker <russell () coker com au>

But your house is locked, and it is not a bank.

Anyone who leaves their house unlocked and unattended is asking for
trouble, they will get little sympathy from the police and no
sympathy from their insurance company if they are robbed.

All my friends that live in the country leave their houses unlocked,
for two good reasons:

a) in an emergency someone might need to use their phone/etc
b) if someone is going to break in it doesn't matter, even if they had
an alarm it takes 30-60 minutes to get out there from town, by which
time the bad guys would be long gone. If the door was locked they'd
simply smash windows.


-Kurt




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

