Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
- From: Christian.Assfalg@xxxxxxxxxxxxxxxxxxxxxxxxxxx
- Date: Thu, 18 May 2006 09:11:58 +0200
Security can never be 100%. It is always a compromise between the security level you want to achieve and the effort you can or want to spend to improve security.
It is also a compromise between security level and accessibility / usability. The more secure something is, the more complicated it is to use. Sure, if you had to type 5 passwords, enter 3 one-time pads and perform a retina scan, that would be very secure. But would this be practical to access an application you have to use constantly and which you have to lock EVERY single time you leave your workstation for a minute?
(Which should actually apply to your workstation, if you take security seriously. Do you lock your workstation every time you go to the toilet, fetch something from the printer three rooms away, get some coffee...? Do your colleagues?)
And can you remember 5 passwords that change every three months? Well, I guess I could manage 2, IF I used them regularly, that is more than once a day. I guess I would have to have them written down for two or three days without enumeration. Most users would either end up writing those passwords down permanently, or at least add some kind of enumeration to it. There goes your password security.
Security, in my eyes, has two difficulties:
First, to cover ALL areas, to not lose the general picture in silly technical details. Also to have an understanding of which areas are covered by you or your department, and which ones are covered by other people.
Second, to create an awareness for security and what it means in every single person that walks around in your building.
Sure, technical security is an important thing. But technical security is rather easy to accomplish. If you have tight security requirements, you will most likely have the biggest problems with user awareness.
It is for example nice to have telnet replaced by ssh. But how long do you need to type "rm -rf /" on an open root shell from an unlocked workstation? Or how does this help you in case someone managed to install a hardware keylogger to a couple of workstations? Or if there is a web console without password or with a default password? Or if someone sniffs the file where your passwords are stored while it is being backed up?
The list is endless, and I think the article does a great job in pointing out issues one would not think about at first. I don't think we should panic due to this article or start improving security wherever we can. But for me, it created sort of an awareness of how BIG this topic actually is, and how important yet complicated it is to implement.
From: Saqib Ali [mailto:docbook.xml@xxxxxxxxx]
Sent: Wednesday, 17 May 2006 15:25
To: Jason Muskat
Cc: Bob Radvanovsky; Sadler, Connie; email@xxxxxxxxxxxxxxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
Security has to be correct 100% of the time. One omission can lead to an
I don't disagree with you. However, absolute security requires absolute non-existence of the information. For example: you can have IPS, IDS, DRM, TPM, AV, firewall etc. on your network, but as soon as somebody prints out that confidential document and tosses it in a garbage can, your security goes with it.
Another example: everyone knows that the one-time pad provides "perfect secrecy". But then how did the British intercept the Soviet communications???? The Soviets re-used the OTP, which allowed for statistical analysis and/or pattern matching. Re-using seemed pretty harmless at that time, but in retrospect it was a big mistake. Isn't everything in retrospect a mistake?
Security has 3 core principles: Confidentiality (non-disclosure), Integrity, Availability (non-destruction). In a way Confidentiality is inversely proportional to Availability (I think). By making something available you are increasing the chances of its disclosure. So in theory 100% security is not possible.
Saqib Ali, CISSP, ISSAP
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
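The one-time pad point made above deserves a concrete illustration. The following Python script is an added example, not part of the original mailing-list thread or anyone's posted code; the two messages, the crib word and the pad are constructed for the demonstration. It shows both halves of the argument: with a fresh pad a single ciphertext is consistent with every plaintext of the same length (perfect secrecy), and with a re-used pad the XOR of two ciphertexts equals the XOR of the two plaintexts, so a known fragment of one message (a "crib", such as a predictable header word) reveals the corresponding fragment of the other. That is the "statistical analysis and/or pattern matching" the message refers to.

```python
# Added example: the one-time pad's perfect secrecy, and how re-using the pad
# (the mistake the thread attributes to Soviet traffic) leaks P1 XOR P2.
# Everything here, including the two messages, is constructed for illustration.
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (this is the whole of OTP encryption)."""
    if len(a) != len(b):
        raise ValueError("pad and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(pad, plaintext)


def otp_decrypt(pad: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(pad, ciphertext)


def consistent_pad(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy in one line: for ANY candidate plaintext of the right
    length there is a pad that maps it to this ciphertext, so a single
    ciphertext tells an observer nothing about which plaintext was sent."""
    return xor_bytes(ciphertext, candidate_plaintext)


def leaked_xor(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the SAME pad: (P1^K)^(P2^K) = P1^P2.
    The pad cancels out and the relationship between the plaintexts is exposed."""
    return xor_bytes(c1, c2)


def fragment_from_crib(c1: bytes, c2: bytes, crib: bytes, offset: int) -> bytes:
    """Once P1^P2 is known, a known fragment of one message (a 'crib') at a
    given offset yields the other message's bytes at that offset."""
    leaked = leaked_xor(c1, c2)
    return xor_bytes(leaked[offset:offset + len(crib)], crib)


def demo() -> dict:
    # Constructed sample traffic; equal lengths so one pad covers both.
    p1 = b"MEET AGENT AT THE DOCK"
    p2 = b"FUNDS ARRIVE ON MONDAY"
    pad = secrets.token_bytes(len(p1))  # a fresh, truly random pad

    c1 = otp_encrypt(pad, p1)
    # Correct use: one pad, one message. Any plaintext is equally consistent with c1.
    alt_pad = consistent_pad(c1, b"NOTHING HAPPENS TODAY.")
    assert otp_decrypt(alt_pad, c1) == b"NOTHING HAPPENS TODAY."

    # Misuse: the same pad encrypts a second message.
    c2 = otp_encrypt(pad, p2)
    leaked = leaked_xor(c1, c2)
    # "AGENT" sits at offset 5 of p1; the same positions of p2 fall out.
    recovered = fragment_from_crib(c1, c2, b"AGENT", 5)

    return {
        "leak_equals_plaintext_xor": leaked == xor_bytes(p1, p2),
        "recovered_from_p2": recovered,
    }


if __name__ == "__main__":
    print(demo())
```

The defensive lesson is the one the thread draws: the pad itself is not the weak point, the operational rule "never reuse it" is, and a single violation of that rule undoes the mathematical guarantee for every message sent under the reused material.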