----- Original Message -----
From: "InfoSec News" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 30, 2001 9:32 AM
Subject: Re: [ISN] Commentary: The Threat Of Microsoft's .Net
> Forwarded from: John Ellingson <[EMAIL PROTECTED]>
>
> In a message dated 10/26/01 5:06:08 AM, [EMAIL PROTECTED] writes:
>
> << Suppose somebody breaks in. Everyone's personal and financial
> information would suddenly be in the hands of the intruders. Or
> worse--they could be scattered about in a series of resulting
> malfunctions. The extent of the financial, social, and political
> disaster that could result is hard to imagine. >>
>
> The real risk isn't someone breaking in. While the focus of this group
> is on security and most of us work in the digital world, the greatest
> risk is still some form of social engineering. Approximately 80% of all
> losses/unauthorized access occurs from inside the firewall. It comes
> from people who have previously had access, but it was never turned
> off, or someone who is bribed, or has a grudge, or is otherwise
> motivated. Those of us in the security business have a duty to look at
> system security as a whole. That does not mean just device to device,
> it means including all users and it crucially means an assumption that
> not everyone will follow the rules.
>
> If I could offer a classic example: We all know that identity fraud is
> growing by leaps and bounds. It is doing so because we enable it. We
> enable identity fraud through some of the very schemes and technology
> we use to provide security. Identity fraud is enabled through the use
> of PKI, encryption, digital certificates, over-reliance on credit
> reports and the dangerously false assumption that one identity must be
> attached to one person and that person matches the identity.
>
> We continually design point solutions, each one a link in the security
> chain. We defer to some integrator or our customers to assemble the
> chain. But as we all know, no one provides a complete chain or even a
> design for the complete chain. Security that is either just a bunch of
> unconnected links (weak or strong), or a linked chain that is one link
> short of a connection, is no security at all.
>
> We live in a world that has digitized the paradigm of business that
> existed in the 50s. In the fifties businesses knew their customers and
> would recognize them on the street. Today most businesses wouldn't
> recognize their customers face to face. Yet, we have not changed our
> underlying basic assumptions.
>
> We cannot build a truly secure environment out of patches to an
> obsolete paradigm.
>
>
> John Ellingson
> CEO
> Edentification, Inc.
>
> -
> ISN is currently hosted by Attrition.org
>
> To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn' in the BODY
> of the mail.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
