Ben Nagy wrote:
>
Hi Ben,
> I do, however, dispute your optimistic claim that there could be a
> successful action brought in more than maybe one case in thousands.
As someone pointed out to me in an earlier, similar thread, sometimes
you lose even if you win. An e-business with deep pockets that is brought
down for a period of days has a lot of legal resources. The resources
required to defend against such action and the resulting publicity can be
damaging, even fatal, regardless of the outcome. Remember the old saying
about being "dead right". :)
> I'm not
> even going to start my rant about how you chose a litigious argument instead
> of the simpler and more compelling ethical equivalent (you shouldn't leave
> yourself open because you could be used to damage someone else).
I didn't choose it. I just offered it as a consideration to someone saying a
business case may decide that security was unnecessary. While you and I
understand the desirability, even the necessity, of being good net neighbors,
shareholders may not hold such a concept in such high regard without added
incentive.
> I'm just saying that there is a big, wide gap between what most people
> achieve when they install a firewall and "get security" and a Secure
> Network. I'm not hardline enough to believe that the majority of networks
> should be "secure" - it's too hard with the tools that exist today and the
> position on the security / utility curve is too extreme for any but the most
> paranoid.
I agree that "secure" is a vague and idealistic term. However, I would think
the following actions might be considered due diligence:
a) regular application of patches
b) regular vulnerability scans
c) AV software
d) security awareness program including some expectations of personal
responsibility for keyboard actions
These are not complicated, expensive, or constrictive. And I'm not saying
they have to be perfectly implemented.
I think the following slide tells a lot of the story:
http://www.cert.org/present/cert-overview-trends/sld084.htm
--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]