Re: [ISN] Security myths costing firms

From: InfoSec News (isnat_private)
Date: Sun May 12 2002 - 23:42:28 PDT

  • Next message: InfoSec News: "[ISN] Edinburgh Financial Cryptography Engineering 2002 - CFP"

    Forwarded from: Jay D. Dyson <jdysonat_private>
    Hash: SHA1
    On Tue, 7 May 2002, InfoSec News wrote:
    > SECURITY guru Peter Tippett loves to shock people.
    > He said no security system was ever going to be 100 per cent effective. 
    	That's a shock?  Hell, even the vault doors on Fort Knox have
    caveats on their failure conditions.  Anybody with a lick of sense knows
    that.  Anyone who thinks that any digitial security is 100% fool-proof
    only shows that they are a fool.
    > The costs involved in reacting to every alert or vulnerability would be
    > prohibitive, in any case, he said. 
    	Rubbish.  Following any recommendation of every market droid out
    there is cost-prohibitive; meaningful security is definitely _not_ cost-'s cost-effective.
    > A better approach was to quantify security risks, and take steps to
    > realistically address them - bearing in mind the costs of doing so. 
    	Or, even more radically, actually *implementing* security
    recommendations once you get them.  I can't tell you how many times I've
    seen businesses buy firewalls and never implement them.  Even worse are
    the ones who do implement them, but never bother looking at the firewall
    logs.  Still worse are those who make no critical assessment of the
    marketing claims made by the snake oil salesmen who foist this stuff onto
    > Dr Tippett said companies were spending more money on security every
    > year, but the problems of web defacements, intrusions, viruses and
    > denial of service attacks still became worse. It was a mindset problem,
    > he said. Companies were focusing on the wrong things and failing to get
    > the basics right. 
    	Or doing their usual thing by spending money and then never
    following through.  I can't tell you how many times my government employer
    has thrown good money after bad on "security audits" only to never do
    anything about the problems discovered until they get their asses 0wn3d
    six ways to Sunday.
    	Thus, the problem isn't any perceived shortcomings in security
    modalities; it's a shortcoming in actual *action* on the part of the
    current and future victims.
    > A better approach was to employ "synergistic security", which hinged
    > on the concept of redundancy in security controls, Dr Tippett said.
    	How about more security and less buzzwords?  I for one would
    definitely welcome that.
    > Now airline safety has improved 1000-fold, largely due to improved
    > safety practices.
    	Bull.  The FAA has been, still is, and always will be a tombstone
    agency.  Changes are not made until enough people die.  Ask anyone who's
    worked with or for the FAA and they'll tell you the same thing.  Asking
    the computer security industry to be modeled after the FAA isn't a step in
    the right's just codification of the idiocy we have today.
    > "There's no formal mechanism for distributing information about problems
    > and what must be done to fix them." 
    	By doing what?  NIPC, Part 2?  That's a laugh.
    > TruSecure is positioning itself in that space, as an information
    > repository and advisory service. Dr Tippett said the company monitored
    > the activities of some 800 hacker groups and collected 200 gigabytes of
    > net traffic a day, to keep ahead of the problems. 
    	I knew it...more marketing dreck.  Saw it coming a mile away.
    - -Jay
      (    (                                                          _______
      ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
    C|~~|C|~~| (>------ Jay D. Dyson -- jdysonat_private ------<) |    = |-'
     `--' `--'  `-- They know the rules.  We know the loopholes. --'  `------'
    Version: GnuPG v1.0.7 (TreacherOS)
    Comment: See for current keys.
    -----END PGP SIGNATURE-----
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon May 13 2002 - 03:59:46 PDT