On Tue, Oct 29, 2002 at 08:17:44PM -0000, Wanja Eric Naef [IWS] wrote:

> FYI, it is a really good survey which looks at all aspects of
> Information Security.

Mostly good quotes... I'll just point out the ones I have issues with. :)

> '... It is true that utility companies and other operators of critical
> infrastructure are increasingly connected to the Internet. But just
> because an electricity company's customers can pay their bills online,
> it does not necessarily follow that the company's critical control
> systems are vulnerable to attack. Control systems are usually kept
> entirely separate from other systems, for good reason. They tend to be
> obscure, old-fashioned systems that are incompatible with Internet
> technology anyhow. Even authorised users require specialist knowledge to
> operate them. And telecoms firms, hospitals and businesses usually have
> contingency plans to deal with power failures or flooding. ...'

While I certainly hope that the part about "critical control systems are
usually kept entirely separate from other systems" is correct, relying on
"specialist knowledge" to defend the systems is foolhardy. At one time,
this was the major defense used by the phone networks.

> '... Like eco-warriors, he observes, those in the security industry-be
> they vendors trying to boost sales, academics chasing grants, or
> politicians looking for bigger budgets-have a built-in incentive to
> overstate the risks.

True. But someday, just for kicks, check your incoming packets and notice
how many are from Code Red or Nimda clones. I get over a megabyte of
traffic each day from some bootp-machine on my cable provider's network...

> '... Viruses are a nuisance, but the coverage they receive is
> disproportionate to the danger they pose. ...'

Heh, funny, I keep hearing claims about $billions wasted on fighting each
new virus outbreak. Either these $billions are calculated in the same
fashion Enron performed the rest of its accounting, or serious money is
being thrown away.

> '... Firewalls are no panacea, however, and may give users a false sense
> of security. To be effective, they must be properly configured, and must
> be regularly updated as new threats and vulnerabilities are discovered.

No complaints about this one. I think this one needs to be said more
often. :)

> '... The Windows operating system is the largest piece of software ever
> written, so implementing security retrospectively is a daunting task.

Much more daunting is modifying how users interact with their Windows
systems. Most users expect to be "administrator" when they work with their
Windows machines -- so most users _are_ administrator -- so is their word
processor, email client, etc etc.

Thanks Wanja :)

-- 
"A mouse can be just as dangerous as a bullet or a bomb."
-- US Representative Lamar Smith (R-Texas)
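The "check your incoming packets" remark above can be turned into a quick measurement. The following is an added example, not code from the poster or from the list: it scans Common Log Format web-server lines for the well-known Code Red probe (a request for /default.ida) and the Nimda probes (requests reaching for root.exe or cmd.exe), and reports how much of the traffic is worm noise and which source addresses sent it. The log lines, the addresses and the signature table are constructed for the example; a malformed line is included to show that unparseable input is counted rather than crashing the tally.

```python
import re
from collections import Counter

# Constructed sample access log (Common Log Format). Addresses are from the
# documentation ranges; the request strings mimic the 2001-era worm probes.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Oct/2002:20:01:12 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 210
192.0.2.11 - - [29/Oct/2002:20:01:15 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.11 - - [29/Oct/2002:20:01:16 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.11 - - [29/Oct/2002:20:01:17 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.5 - - [29/Oct/2002:20:02:01 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.5 - - [29/Oct/2002:20:02:03 +0000] "GET /images/logo.gif HTTP/1.1" 200 2314
this line is deliberately malformed and should be counted as unparsed
192.0.2.10 - - [29/Oct/2002:20:03:44 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 210
"""

# Common Log Format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path signatures (constructed table). Code Red hit the .ida ISAPI
# filter via /default.ida; Nimda walked known paths looking for root.exe /
# cmd.exe copies. Order matters only for the first-match classification.
SIGNATURES = {
    "code_red": re.compile(r"^/default\.ida\?", re.IGNORECASE),
    "nimda": re.compile(r"(root\.exe|cmd\.exe)", re.IGNORECASE),
}


def classify(path):
    """Return the worm family name a request path matches, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(path):
            return name
    return None


def summarize(log_text):
    """Tally worm-probe requests by family and by source address.

    Returns a dict with total line count, number of unparseable lines,
    the count of worm requests, their fraction of all lines, and
    per-signature / per-source breakdowns.
    """
    by_signature = Counter()
    by_source = Counter()
    total = 0
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        total += 1
        match = LOG_RE.match(line)
        if match is None:
            unparsed += 1  # keep going; one bad line must not hide the rest
            continue
        family = classify(match.group("path"))
        if family is not None:
            by_signature[family] += 1
            by_source[match.group("ip")] += 1
    worm = sum(by_signature.values())
    return {
        "total": total,
        "unparsed": unparsed,
        "worm_requests": worm,
        "noise_fraction": (worm / total) if total else 0.0,
        "by_signature": dict(by_signature),
        "by_source": dict(by_source),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['worm_requests']} of {report['total']} requests "
          f"({report['noise_fraction']:.0%}) were worm probes")
    for family, count in sorted(report["by_signature"].items()):
        print(f"  {family}: {count}")
    for ip, count in sorted(report["by_source"].items()):
        print(f"  from {ip}: {count}")
```

Pointing `summarize` at a real access log (read the file and pass its contents) gives the same per-source breakdown the poster describes for his cable segment; the sources that appear day after day are the still-infected neighbours, and the count is the "noise" the survey's reassurance about viruses leaves out.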
This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 13:44:03 PST