Re: [ISN] Commentary: The Threat Of Microsofts .Net

From: InfoSec News (isnat_private)
Date: Tue Oct 30 2001 - 01:32:25 PST

Next message: InfoSec News: "Re: [ISN] Commentary: The Threat Of Microsofts .Net"

Previous message: InfoSec News: "[ISN] Little Stuph"
Maybe in reply to: InfoSec News: "[ISN] Commentary: The Threat Of Microsofts .Net"
Next in thread: InfoSec News: "Re: [ISN] Commentary: The Threat Of Microsofts .Net"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forwarded from: John Ellingson <JohnE37179at_private>

In a message dated 10/26/01 5:06:08 AM, isnat_private writes:

<< Suppose somebody breaks in. Everyone's personal and financial
information would suddenly be in the hands of the intruders. Or
worse--they could be scattered about in a series of resulting
malfunctions. The extent of the financial, social, and political
disaster that could result is hard to imagine. >>

The real risk isn't someone breaking in. While the focus of this group
is on security and most of us work in the digital world, the greatest
risk is still some form of social engineering. Approximately 80 of all
losses/unauthorized access occurs from inside the firewall. It comes
from people who have previously had access, but it was never turned
off, or someone who is bribed, or has a grudge, or is otherwise
motivated. Those of us in the security business have a duty to look at
system security as a whole. That does not mean just device to device,
it means including all users and it crucially means an assumption that
not everyone will follow the rules.

If I could offer a classic example: We all know that identity fraud is
growing by leaps and bounds. It is doing so because we enable it. We
enable identity fraud through some of the very schemes and technology
we use to provide security. Identity fraud is enabled through the use
of PKI, encryption, digital certificates, over reliance on credit
reports and the dangerously false assumption that one identity must be
attached to one person and that person matches the identity.

We continually design point solutions, each one a link in the security
chain.  We defer to some integrator or our customers to assemble the
chain. But as we all know, no one provides a complete chain or even a
design for the complete chain. Security that is either just a bunch of
unconnected links (weak or strong), or a linked chain that is one link
short of a connection, is no security at all.

We live in a world that has digitized the paradigm of business that
existed in the 50s. In the fifties businesses knew their customers and
would recognize them on the street. Today most business wouldn't
recognize their customers face to face. Yet, we have not changed our
underlying basic assumptions.

We cannot build a truly secure environment out of patches to an
obsolete paradigm.


John Ellingson
CEO
Edentification, Inc.
||||#
||||||
||||||

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.

Next message: InfoSec News: "Re: [ISN] Commentary: The Threat Of Microsofts .Net"
Previous message: InfoSec News: "[ISN] Little Stuph"
Maybe in reply to: InfoSec News: "[ISN] Commentary: The Threat Of Microsofts .Net"
Next in thread: InfoSec News: "Re: [ISN] Commentary: The Threat Of Microsofts .Net"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 07:48:30 PST