On Thu, Mar 06, 2003 at 09:38:25AM -0800, Ed Gerck wrote:
>
> Tal Garfinkel wrote:
>
> > The value of these types of controls is that they help users you basically
> > trust who might be careless, stupid, lazy or confused to do the right
> > thing (however the right thing is defined, according to your company
> > security policy).
>
> It beats me that "users you basically trust" might also be "careless, stupid,
> lazy or confused" ;-)

That's security in the real world. You screen employees based on their character and competence at the task you hired them to do, you typically don't rigorously drill them on security procedures, and even if you do, most folks get lazy, careless or confused at some point.

Example: If an executive is told by the security bozo down the hall that they should not print out sensitive documents, they might take it seriously, but then again they can make excuses for their laziness, "he's just being paranoid", "I want to read this report in bed, it won't hurt this one time", etc. On the other hand, if they have to do something like break out the digital camera, it should be pretty obvious to them that what they are doing is in pretty severe violation of company policy, will likely get them severely reprimanded if caught, and will likely obviate any convenience benefits they might have hoped to gain by having a hard copy of that document.

I think experience with password security is a perfect example of the principle at work here: if you make it convenient to do the wrong thing, people almost certainly will.

> Your point might be better expressed as "the company security policy would
> be followed even if you do NOT trust the users to do the right thing."
> But, as we know, this only works if the users are not malicious, if social
> engineering cannot be used, if there are no disgruntled employees, and
> other equally improbable factors.

Ok, so there are only two issues here. One is problems with intention (are they malicious or not, this includes disgruntled employees etc.) and the other is problems with competence (can they be relied upon to always follow procedure). In the former case, document control will probably only serve as a mild deterrent, but raising the bar doesn't hurt. At least you might have the chance to catch some employee trying to photo many pages of your sensitive data off their screen.

In the latter case, document control can help quite a bit, and can serve as a deterrent against things like social engineering.

Also, it seems you are assuming that all internal attackers have equal access to information; this is not the case. If employees can make printouts and accidentally leave them lying around, throw them away, etc., it lowers the bar for an unprivileged internal attacker. At least if everything stays in electronic form a malicious employee may have to attempt to tackle your computer systems' access controls head on instead of simply rooting around in your desk.

Clearly, document controls are not a silver bullet, but if used properly I believe they do provide a practical means of helping to restrict the propagation of sensitive information.

--Tal

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]