James Tucker wrote:
You're right with this scenario, of course, but I don't think that they meant that there was no room for physical protection in information security. This is not dissimilar from the discussion that, for example: Walk into the headquarters of a major business firm; you take the elevator up to the top floor, as you don't have a keycard to get you in on a lower level. It's lunchtime and the secretary at reception has left her desk. You are free to walk around the corner to the CEO's office (there are no physical barriers, as these would not "look nice" and would "impose upon business impressions"). The CEO is a dear chap who forgets to lock his workstation when he goes to lunch. Where did all that hard effort of virtual security go? This is not an uncommon scenario. The stronger audits in the world fail you for this kind of possibility; again, count yourself lucky in this regard.
I think they meant that you can't make a physical comparison to an information security structure. One can't actually, as an example, compare a firewall to a constantly burning facade.
Take a military base, for example. One can, if so inclined, use the military base as an example of a well-secured area. You've got gates, gun emplacements, armed guards, many locked doors, cameras at the gates, razor wire, etc. Military gates are presumably well secured, right?
Well, you can try to make an analogy between this and a well-secured network. The problem is that the analogies don't align. A firewall isn't really like a gate with an armed guard at it. Your soldiers can't be turned into unwitting zombies by IE exploits. An IDS isn't really like a camera. System passwords aren't actually like locked doors.
The analogy can loosely be used to illustrate a point, but anything beyond very loose interpretation is virtually worthless because of its inaccuracy.
-Barry
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
