Forwarded from: rferrellat_private

> A better approach was to employ "synergistic security", which hinged
> on the concept of redundancy in security controls, Dr Tippett said.

An even better and more effective approach is to stop relying solely on patches, IDS, firewalls, and other software to protect your networks. Human beings with training and experience must be sitting there watching these tools work, and reading the logs they produce. Relying on software (and hardware, for that matter) to keep your enterprise safe is like slapping a motion detector on your front gate and calling it secure. If there's no living person watching your portal, someone circumventing its security is not only possible, it's more or less inevitable.

> Better technologies only accounted for a tenfold improvement in
> safety; better education and better practices had multiplied this a
> hundredfold.

Better education and practices of systems administrators and users, to be precise.

> At a bare minimum, companies should have either two primary controls
> (with greater than 90 per cent effectiveness), or a primary and at
> least three synergistic controls for each category of risks.
> "Failure of any one control in a scenario like this would still
> leave better than 99 per cent effectiveness," Dr Tippett said.

Yeah, great, but don't forget the human element. The infosec industry needs to emphasize that people, not computers, are the best defense. Without trained professionals analyzing the data collected by an IDS, for example, it's just not very useful. Until infosec heuristics begin to approach human levels of sophistication, the best hardware on the planet is just a fancy screwdriver.

> 'Encryption over the internet is important.'
>
> But Dr Tippett said the increasing speed and complexity of networks
> meant it was almost impossible to inspect traffic for a single
> message.

Way too general. Encryption of what? If you're in a high-risk business or just paranoid about your personal privacy, encryption is quite important. This statement only seems to cover email encryption. The major uses of encryption on the public Internet are SSL, SSH, and VPNs, however, which encrypt all traffic. If you want to send your SSN, credit card numbers, and proprietary data in plaintext, be my guest. This sort of cavalier attitude is what makes online identity theft so easy.

> 'More obscure end-user passwords are advisable.'
>
> There was no measurable benefit, he said.

Sorry, my BS detection meter just went off. I hope this statement is simply taken out of context. A quick look at the number of intrusions, especially of Microsoft-based systems, which began with a cracker brute-forcing a user password will quickly dispel any notion that password construction has no 'measurable benefit' on security. There are a lot of password-cracking programs out there, and the reason people have devoted so much effort to their creation is that cracking passwords is one of the easiest and surest ways into a system. Once you're in, privilege elevation attacks are usually fairly straightforward.

> Dr Tippett said daily updates were only 1 or 2 per cent better than
> weekly updates.

I agree with this. If antivirus companies would stop relying on pattern-matching and start incorporating more heuristics-based detection, however, the need for regular updates would disappear.

> Vulnerabilities have to be quantified in terms of the probability of
> a threat succeeding. In many cases, a threat would not be worth
> worrying about.

True. But who's going to look at every vulnerability that is announced and evaluate it in terms of its probability of exploitation on a given system? That requires a trained and dedicated analyst. A human being. See above.

> Just get firewalls up to 90 per cent effectiveness and ensure
> default router rules are not overridden, Dr Tippett advises.

Well, at least change default passwords and community strings.

> "It's about concentrating on essential practices, rather than best
> practice," Dr Tippett said.

And the essence of information security is the human element driving it.

RGF

Robert G. Ferrell
rferrellat_private

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed May 08 2002 - 03:49:48 PDT