Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."



Hello,

That is a great example! A secure system is rendered insecure because of
only one omission.

Even with the best policies, and security technology one mistake resulted in
a security system failure (an exposure).

Most exposures result from only one omission. Just one, and only one. This
may be a setting in a config file, a broken process, or a procedure that
isn't followed correctly (think aircraft part assembly). Security must do a
better job in lowering exposures as opposed to lowering risk (current
practices).

____________________________
TechDude
e. Jason@xxxxxxxxxxx
m. 416 .414 .9934

http://TechDude.Ca/


From: Saqib Ali <docbook.xml@xxxxxxxxx>
Date: Wed, 17 May 2006 06:25:10 -0700
To: Jason Muskat <Jason@xxxxxxxxxxx>
Cc: Bob Radvanovsky <rsradvan@xxxxxxxxxxxxx>, "Sadler, Connie"
<Connie_Sadler@xxxxxxxxx>, <email@xxxxxxxxxxxxxxxxxxxxx>,
<security-basics@xxxxxxxxxxxxxxxxx>
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And
Total Failure of Information Security."

Security has to be correct 100% of the time. One omission can lead to an

I don't disagree with you. However absolute security requires absolute
non-existence of the information. For e.g. You can have IPS, IDS, DRM,
TPM, AV, Firewall etc on your network, but as soon as somebody prints
out that confidential document and tosses it in a garbage can, your
security goes with it.

Another e.g.: Everyone knows that one-time pad provides the "perfect
secrecy". But then how did the British intercept the Soviet
communications???? Soviet re-used the OTP, which allowed for
statistical analysis and/or pattern matching. Re-using seemed pretty
harmless at that time, but in retrospect it was a big mistake. Isn't
everything in retrospect a mistake?

Security has 3 core principles: Confidentiality (non-disclosure),
Integrity, Availability (non-destruction). In a way Confidentiality is
inversely proportional to Availability (I think). By making something
available you are increasing the chances of its disclosure. So in
theory 100% security is not possible.


--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------
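Saqib's one-time-pad point, as an added illustration that is not part of the original thread: with a fresh pad every ciphertext is independent of its message, but once the same pad covers two messages the key cancels out of the XOR of the two ciphertexts, and a known fragment of either message exposes the matching bytes of the other. The messages and pad below are constructed for the example.

```python
"""Why one-time-pad reuse destroys perfect secrecy (added illustration;
the messages and the pad are constructed for this example)."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    assert len(a) == len(b), "OTP operands must have the same length"
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """OTP encryption (and decryption) is a plain XOR with a pad at least
    as long as the message; only the first len(plaintext) pad bytes are used."""
    return xor_bytes(key[: len(plaintext)], plaintext)


def ciphertext_xor_leaks_plaintext_xor(key: bytes, p1: bytes, p2: bytes) -> bool:
    """With one pad used for two messages, c1 XOR c2 == p1 XOR p2: the pad
    cancels out, so an observer learns how the two messages relate without
    ever seeing the pad. This is the statistical foothold Saqib refers to."""
    c1 = otp_encrypt(key, p1)
    c2 = otp_encrypt(key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def recover_other_message(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If one message (or a fragment of it) is known, the corresponding
    bytes of the other message fall straight out of c1 XOR c2."""
    n = len(known_p1)
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_p1)


# Constructed sample: two equal-length messages and one pad reused for both.
MSG_A = b"MEET AT NOON TUESDAY"
MSG_B = b"ATTACK DELAYED A DAY"
PAD = secrets.token_bytes(len(MSG_A))  # a genuinely random pad...
CT_A = otp_encrypt(PAD, MSG_A)
CT_B = otp_encrypt(PAD, MSG_B)         # ...wrongly reused for a second message


def demo() -> bytes:
    """What an observer who knows MSG_A learns about MSG_B from the two
    ciphertexts alone: the entire second message."""
    return recover_other_message(CT_A, CT_B, MSG_A)


if __name__ == "__main__":
    print(demo())  # b'ATTACK DELAYED A DAY'
```

The fix is the one Saqib implies: a pad is consumed by a single message and never used again.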


