RE: [Full-disclosure] perfect security architecture (network)

From: Chuck Fullerton (cfullerton_at_fullertoninfosec.com)
Date: 08/09/05

    To: <charles.heselton@gmail.com>, <cobradead@gmail.com>, <full-disclosure@lists.grok.org.uk>
    Date: Mon, 8 Aug 2005 22:51:26 -0400
    
    

    > There IS NO *perfect* security.
    > If you have a customer that is asking for "perfect security", tell them it
    > can't be done.

    I beg to differ. If you have a customer that's asking for Perfect Security
    then read the OSSTMM. (Better yet, send them to my company.) ;-)

    If you don't believe me then check out my whitepaper, "How to Make the
    'Perfect' PB&J". It can be downloaded at
    http://www.infosecwriters.com/texts.php?op=display&id=236

    People that are asking for Perfect Security are those that want the level of
    security they need for their environment. You're not going to use a Bank
    Vault to secure only $50.00. It's overkill and their ROI won't match up.

    So the next time a customer asks you for "Perfect Security", they are
    telling you that they don't want to be oversold.

    Sincerely,

    Chuck Fullerton

    -----Original Message-----
    From: full-disclosure-bounces@lists.grok.org.uk
    [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Charles
    Heselton
    Sent: Monday, August 08, 2005 9:36 PM
    To: cobradead@gmail.com; full-disclosure@lists.grok.org.uk
    Subject: RE: [Full-disclosure] perfect security architecture (network)

     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Although Daniel's comments may be tongue-in-cheek, there is some truth.
    Here are a few ideas that have become more or less mantras for me,
    personally....

    There IS NO *perfect* security.

    Defense in depth.

    The larger your network is, the less effective your perimeter becomes.

    The end user is always the weakest link.

    There may be a few more that people feel I have left out. Basically, if
    you're asking what I think you're asking, you have to be able to cater the
    level of security you're providing to the needs of your customer.
    Anti-virus/spyware software, firewalls, IDS/IPSs, "Security Minded"
    routing... all of these things have a part in an ideally secure situation.
    The point is to identify the most critical assets and possible vectors of
    attack. Then you design a security architecture that 1) addresses those
    vectors, and 2) has multiple layers that should one preventative method
    fail, another will detect/prevent (defense in depth). There will always be
    someone out there who is able to figure out a hole, with enough knowledge,
    experience, persistence, and luck.

    If you have a customer that is asking for "perfect security", tell them it
    can't be done. If you're asking a philosophical question, well, secure
    application development can make a security professional's life a little
    easier, but it's not going to solve the fundamental problem. Just like
    the rest of the security tools (firewalls, etc.), more secure applications
    and programming techniques only play a part.

    HTH.

    - --
    - - Charlie
     
    5A27 58D2 C791 8769 D4A4 F316 7BF8 D1F6 4829 EDCF

    > -----Original Message-----
    > From: full-disclosure-bounces@lists.grok.org.uk
    > [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Daniel
    > H. Renner
    > Sent: Monday, August 08, 2005 9:08 AM
    > To: full-disclosure@lists.grok.org.uk
    > Subject: Re: [Full-disclosure] perfect security architecture
    > (network)
    >
    > Good Lord C0br4,
    >
    > Did your new client give you a shopping list or what?
    >
    > Use the force C0br4! The force (of the right forum) will protect you!
    >
    > --
    > Dan Renner
    > Los Angeles Computerhelp
    > http://losangelescomputerhelp.com
    >
    >
    > On Mon, 2005-08-08 at 12:00 +0100,
    > full-disclosure-request@lists.grok.org.uk wrote:
    > > Date: Mon, 8 Aug 2005 11:04:34 +0530
    > > From: C0BR4 <cobradead@gmail.com>
    > > Subject: [Full-disclosure] perfect security architecture (network)
    > > To: websecurity@webappsec.org
    > > Message-ID: <457462ba0508072234bc6216c@mail.gmail.com>
    > > Content-Type: text/plain; charset=ISO-8859-1
    > >
    > > Hey guys,
    > >
    > > Have couple of questions need answers plz...........
    > >
    > > There are three attacks that jeopardize Information security.
    > >
    > > ------------------------------
    > > - secure Network -
    > > ------------------------------
    > > - secure Host -
    > > ------------------------------
    > > - secure Application -
    > > -------------------------------
    > >
    > > How can we optimize security? Stopping attacks at the network or
    > > building secure applications?
    > >
    > > How should we deal with these attacks? People talk about Firewall,
    > > IDS/IPS etc..
    > >
    > > What's best?
    > >
    > > If asked to give a perfect security architecture (network), what would
    > > you suggest? Given a Firewall, Router, IDS, IPS and Anti-virus.
    > >
    > > thank you
    > > C0br4
    >
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1

    iQA/AwUBQvgImHv40fZIKe3PEQIKUACg3rcR67ioI8s3UK2Lm8U1Tr+ytvQAoIu6
    47spbOk+qXkqN09ep0nR9Dms
    =7fIa
    -----END PGP SIGNATURE-----


