Forwarded from: Jay D. Dyson <firstname.lastname@example.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 7 May 2002, InfoSec News wrote:

> SECURITY guru Peter Tippett loves to shock people.

<snip>

> He said no security system was ever going to be 100 per cent effective.

That's a shock? Hell, even the vault doors on Fort Knox have caveats on their failure conditions. Anybody with a lick of sense knows that. Anyone who thinks that any digital security is 100% fool-proof only shows that they are a fool.

> The costs involved in reacting to every alert or vulnerability would be
> prohibitive, in any case, he said.

Rubbish. Following any recommendation of every market droid out there is cost-prohibitive; meaningful security is definitely _not_ cost-prohibitive...it's cost-effective.

> A better approach was to quantify security risks, and take steps to
> realistically address them - bearing in mind the costs of doing so.

Or, even more radically, actually *implementing* security recommendations once you get them. I can't tell you how many times I've seen businesses buy firewalls and never implement them. Even worse are the ones who do implement them, but never bother looking at the firewall logs. Still worse are those who make no critical assessment of the marketing claims made by the snake oil salesmen who foist this stuff onto them.

> Dr Tippett said companies were spending more money on security every
> year, but the problems of web defacements, intrusions, viruses and
> denial of service attacks still became worse. It was a mindset problem,
> he said. Companies were focusing on the wrong things and failing to get
> the basics right.

Or doing their usual thing by spending money and then never following through. I can't tell you how many times my government employer has thrown good money after bad on "security audits" only to never do anything about the problems discovered until they get their asses 0wn3d six ways to Sunday.

Thus, the problem isn't any perceived shortcomings in security modalities; it's a shortcoming in actual *action* on the part of the current and future victims.

> A better approach was to employ "synergistic security", which hinged
> on the concept of redundancy in security controls, Dr Tippett said.

How about more security and fewer buzzwords? I for one would definitely welcome that.

> Now airline safety has improved 1000-fold, largely due to improved
> safety practices.

Bull. The FAA has been, still is, and always will be a tombstone agency. Changes are not made until enough people die. Ask anyone who's worked with or for the FAA and they'll tell you the same thing. Asking the computer security industry to be modeled after the FAA isn't a step in the right direction...it's just codification of the idiocy we have today.

> "There's no formal mechanism for distributing information about problems
> and what must be done to fix them."

By doing what? NIPC, Part 2? That's a laugh.

> TruSecure is positioning itself in that space, as an information
> repository and advisory service. Dr Tippett said the company monitored
> the activities of some 800 hacker groups and collected 200 gigabytes of
> net traffic a day, to keep ahead of the problems.

I knew it...more marketing dreck. Saw it coming a mile away.

- -Jay

  (      (                                                    _______
  ))     ))  .--"There's always time for a good cup of coffee"--.   >====<--.
C|~~|  C|~~| (>------ Jay D. Dyson -- email@example.com ------<)  |    =  |-'
 `--'   `--'  `-- They know the rules.  We know the loopholes. --'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE83ZjqGI2IHblM+8ERAmYqAKCLrkMrJ2/a/jt6hfaOPSfMdgqoqwCgkQex
Yt1rgPUJc6WCzeunp0YDFzA=
=LHf7
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Mon May 13 2002 - 03:59:46 PDT