Re: Article: "Security Absurdity: The Complete, Un
- From: Bob Radvanovsky <rsradvan@xxxxxxxxxxxxx>
- Date: Wed, 17 May 2006 21:07:50 -0500
Why do you "parrot" the exact same thing that has been told --repeatedly -- over the past 15 years? They have you brainwashed! How many principles do you think there really are (and not just the ones that ISC(2) *tells* you that there should be)? What do you think makes up the components of a good security model? What defines the best practices, and how should it be enabled? Are 3 overly simplified principles the only key? I disagree.
Security is not about "absolutes", but about "resolutes". It is (most of the time) "hit or miss", sometimes hitting dead nuts on target, other times, completely missing the target entirely. There will *never* be "absolute security", because of the random, human factors that are involved, no matter how much business and government attempt to accurately predict human behavior.
To me, "confidentiality" is based on how well you can keep a secret. This (again, to me), is dependent upon the "integrity" of the data, as well as it's "availability". If it's not available, you have nothing to control the secret. If the data has been tampered, you (again) have nothing to keep secret. The levels of confidentiality are dependent upon those 2 principles (using your ISC(2) security model). Expanding on the security model, to me, "intelligence" carries a fair share amount of weight, as does "information" itself. The reason for mentioning "information" is that if it's useless "information", why bother protecting it? Henceforth, why the U.S. government has both intelligence and information assurance offices. The IA offices determine if the information is useful. The intelligence offices determine how it should be determined (I know that sounds circular, but hey, welcome to the redundant world of redundant systems of a redundant world...confused yet?) If businesses and government (alike) didn't agree with that statement, then we wouldn't have those 2 kinds of organizations throughout the world; therefore, the security model is inclusive to these 2 additional elements.
My quote for 2006: "The best security is no security that's needed." Think about it... ;))
----- Original Message -----
From: Saqib Ali [mailto:docbook.xml@xxxxxxxxx]
To: Jason Muskat [mailto:Jason@xxxxxxxxxxx]
Cc: Bob Radvanovsky [mailto:rsradvan@xxxxxxxxxxxxx], "Sadler, Connie" [mailto:Connie_Sadler@xxxxxxxxx], email@xxxxxxxxxxxxxxxxxxxxx, security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
Security has to be correct 100% of the time. One omission can lead to an
I don't disagree with you. However aboslute security requires absolute
non-existence of the information. For e.g. You can have IPS, IDS, DRM,
TPM, AV, Firewall etc on your netowork, but as soon as somebody prints
out that confidential document and tosses it in a garbage can, you
security goes with it.
Another e.g.: Everyone knows that one-time pad provides the "perfect
secrecy". But then how did the British intercept the Soviet
communications???? Soviet re-used the OTP, which allowed for
statistical analysis and/or pattern matching. Re-using seemed pretty
harmless at that time, but in retrospect it was a big mistake. Isn't
everything in retrospect a mistake?
Security has 3 core priciples Confidentiality(non-disclosure),
Integrity, Availability(non-destruction). In in way Confidentiality is
inversely propotional to Availability (i think). By making something
available you are increasing the chances of its disclosure. So in
theory 100% security is not possible.
Saqib Ali, CISSP, ISSAP
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
- Prev by Date: Re: Mac address authntication/ mac address spoffing
- Next by Date: Fiber port with a strange problem in Linux 2.4.18
- Previous by thread: Encrypted traffic dropped?
- Next by thread: Fiber port with a strange problem in Linux 2.4.18