Forwarded from: John Ellingson <JohnE37179at_private>

In a message dated 10/26/01 5:06:08 AM, isnat_private writes:

<< Suppose somebody breaks in. Everyone's personal and financial information would suddenly be in the hands of the intruders. Or worse--they could be scattered about in a series of resulting malfunctions. The extent of the financial, social, and political disaster that could result is hard to imagine. >>

The real risk isn't someone breaking in. While the focus of this group is on security and most of us work in the digital world, the greatest risk is still some form of social engineering. Approximately 80% of all losses/unauthorized access occur from inside the firewall. It comes from people who have previously had access, but it was never turned off, or someone who is bribed, or has a grudge, or is otherwise motivated.

Those of us in the security business have a duty to look at system security as a whole. That does not mean just device-to-device; it means including all users, and it crucially means an assumption that not everyone will follow the rules.

If I could offer a classic example: We all know that identity fraud is growing by leaps and bounds. It is doing so because we enable it. We enable identity fraud through some of the very schemes and technology we use to provide security. Identity fraud is enabled through the use of PKI, encryption, digital certificates, over-reliance on credit reports, and the dangerously false assumption that one identity must be attached to one person and that the person matches the identity.

We continually design point solutions, each one a link in the security chain. We defer to some integrator or our customers to assemble the chain. But as we all know, no one provides a complete chain or even a design for the complete chain. Security that is either just a bunch of unconnected links (weak or strong), or a linked chain that is one link short of a connection, is no security at all.

We live in a world that has digitized the paradigm of business that existed in the 50s. In the fifties businesses knew their customers and would recognize them on the street. Today most businesses wouldn't recognize their customers face to face. Yet we have not changed our underlying basic assumptions. We cannot build a truly secure environment out of patches to an obsolete paradigm.

John Ellingson
CEO
Edentification, Inc.

- ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 07:48:30 PST