"Jason Bethune" <[EMAIL PROTECTED]> wrote: > As a newbie....to the list....I am just curious...do viruses not propose a > security risk? I am not taking sides just asking a question so I can get > proper information.
Viruses, Trojans, and most other forms of what is nowadays more loosely known as "malware" primarily pose an integrity risk, and availability, access and integrity are generally the three foundation stones of "computer security". Arguably, in a modestly well-designed computer system, integrity concerns reduce to "the HR problem" (i.e. how do you select, as employees, sufficiently honest and reliable folk). Unfortunately, most computer systems in operation today (and virtually all such "on the Internet") assume (quite incorrectly) that, at most, suitably defining discretionary access controls also resolves the integrity problem. In fact, these issues are orthogonal, or at least nowhere near as close to parallel as that practice suggests. As most systems are implemented with very little (in fact, usually _no_) system-administrative control over the code that runs on them, the integrity "problem" is, in fact, entirely ignored. (Further, the general ignorance of this and push toward the "convenience" of allowing the _user_ to decide what "new" code can or should be run drives a lot of ongoing code integrity management problems, including the problems posed by viruses and related malware...) So, the short answer to your question is "Yes, viruses are a security issue". The longer, and much more accurate, answer is that "as modern computer security practice and training tends to ignore the actual basis of and type of threat posed by viruses, viruses are not really addressed as a 'security problem' although they will usually be labelled as such". (Or, "avoid the marketing hype".) This may not seem like it helps much -- if not, try to make sense of Fred Cohen's early work as I am only repeating part of what he first said close to twenty years ago. If you do get a handle on Cohen's work you will understand what I am saying and be conceptually ahead of 95%+ of the "experts" out there (who will continue to not understand this). -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
