Re: [ISN] Commentary: The Threat Of Microsoft's .Net

From: InfoSec News (isnat_private)
Date: Tue Oct 30 2001 - 01:32:25 PST


Forwarded from: John Ellingson <JohnE37179at_private>

In a message dated 10/26/01 5:06:08 AM, isnat_private writes:

<< Suppose somebody breaks in. Everyone's personal and financial
information would suddenly be in the hands of the intruders. Or
worse--they could be scattered about in a series of resulting
malfunctions. The extent of the financial, social, and political
disaster that could result is hard to imagine. >>

The real risk isn't someone breaking in. While the focus of this group
is on security and most of us work in the digital world, the greatest
risk is still some form of social engineering. Approximately 80% of all
losses/unauthorized access occurs from inside the firewall. It comes
from people who have previously had access, but it was never turned
off, or someone who is bribed, or has a grudge, or is otherwise
motivated. Those of us in the security business have a duty to look at
system security as a whole. That does not mean just device to device;
it means including all users, and it crucially means an assumption that
not everyone will follow the rules.

If I could offer a classic example: We all know that identity fraud is
growing by leaps and bounds. It is doing so because we enable it. We
enable identity fraud through some of the very schemes and technology
we use to provide security. Identity fraud is enabled through the use
of PKI, encryption, digital certificates, over-reliance on credit
reports, and the dangerously false assumption that one identity must be
attached to one person and that the person matches the identity.

We continually design point solutions, each one a link in the security
chain. We defer to some integrator or our customers to assemble the
chain. But as we all know, no one provides a complete chain or even a
design for the complete chain. Security that is either just a bunch of
unconnected links (weak or strong), or a linked chain that is one link
short of a connection, is no security at all.

We live in a world that has digitized the paradigm of business that
existed in the 50s. In the fifties, businesses knew their customers and
would recognize them on the street. Today most businesses wouldn't
recognize their customers face to face. Yet we have not changed our
underlying basic assumptions.

We cannot build a truly secure environment out of patches to an
obsolete paradigm.

John Ellingson
Edentification, Inc.

    This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 07:48:30 PST