Forwarded from: Russell Coker <russellat_private>
Cc: Kurt Seifried <kurtat_private>

On Thu, 22 May 2003 15:51, InfoSec News wrote:
> > It's what you have to do if you want things to run properly.
> > Complaining about being hacked and then having to pay extra to get
> > security is like complaining about leaving your umbrella at home
> > and being forced to buy one from an expensive store when a
> > thunderstorm starts. There's no point complaining about such
> > things, you knew the risks, took a chance, and it didn't work out.
>
> That is so true. My house only has wimpy little deadbolts on the
> front and back, and the windows are only made out of glass, and not
> shatter resistant. Heck, I don't even have a security system.
> Obviously after I get broken into and spend the money on a security
> system we'll know whose fault it was, me the victim, right?

But your house is locked, and it is not a bank.

Anyone who leaves their house unlocked and unattended is asking for
trouble, they will get little sympathy from the police and no
sympathy from their insurance company if they are robbed.

Banks have bullet-proof glass, heavy steel doors, time-delay locks,
security cameras that send the picture off-site, etc. Any bank that
lacks these features would be considered inadequate.

The same applies to electronic commerce. You should have the same
level of security for electronic money transfers as you do for
physical transfers of cash. No company would have a lone employee
holding $100,000 in cash at a street corner at midnight, but most
companies do equivalent things with their e-commerce sites.

> > Usually when you take a chance on computer security it won't work
> > out.
>
> If you could give me a definition for "chance" for my servers I'd
> love to know what it is (is running up to date software, firewalling
> and some other additional means enough? Am I taking a chance by not
> running SELinux? =).

SE Linux is one potential part of a security solution.

I suggest some minimal capability of a firewall, I wouldn't suggest
investing too much in firewalls because if the application is cracked
then the firewall is useless. An IDS is handy if there are staff to
properly configure it and monitor its output. A system of Mandatory
Access Control for hosts such as SE Linux is necessary, I think that
SE Linux is the best option but there are many to choose from.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-=-

Forwarded from: Tony | AVIEN / EWS <tonyat_private>

<<Obviously after I get broken into and spend the money on a security
system we'll know whose fault it was, me the victim, right?>>

I would tend to agree with Kurt on this. The umbrella analogy is good
for businesses that implement *no* security and then pay big bucks to
roll out security urgently after the fact. It is more like you left
the house with an umbrella thinking that you were proactively
preparing for the weather only to find out that your umbrella has a
hole or a tornado strikes and totally negates your protective
measures.

However, in most cases businesses have implemented *some* security.
It is a matter of debate whether that security should be considered a
reasonable defense.

Using Kurt's analogy, even if I leave the doors and windows to my
house wide open it does not mean I should "deserve" to be robbed.
Whether I choose to just close the door or deadbolt the door or buy
an alarm, install video surveillance and hire a security guard are
all degrees of security that I could implement. In the end, if I do
everything I can, someone with enough time, knowledge and desire can
still get in and if I do nothing it does not give someone the right
to come in.

Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+
About.com Guide for Internet / Network Security
http://netsecurity.about.com

Click here to sign up for the weekly Internet / Network Security
Newsletter: NetSecurity Newsletter

-=-

Forwarded from: Kurt Seifried <kurtat_private>
Cc: Russell Coker <russellat_private>

> But your house is locked, and it is not a bank.
>
> Anyone who leaves their house unlocked and unattended is asking for
> trouble, they will get little sympathy from the police and no
> sympathy from their insurance company if they are robbed.

All my friends that live in the country leave their houses unlocked,
for two good reasons:

a) in an emergency someone might need to use their phone/etc

b) if someone is going to break in it doesn't matter, even if they
   had an alarm it takes 30-60 minutes to get out there from town, by
   which time the bad guys would be long gone. If the door was locked
   they'd simply smash windows.

-Kurt

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Sat May 24 2003 - 02:07:03 PDT