On Wed, Apr 17, 2013 at 7:52 PM, Ken Schaefer <[email protected]> wrote:
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Subject: Re: On the subject of security...
>
>>>> No running executables from untrusted sources, turn off scripting in
>>>> my browsers, view all email as plain text, no remembering/caching of
>>>> passwords in browsers, using a unique password per web site and per
>>>> other accounts, regular clearing of cookies, no linking of accounts
>>>> between web sites, running current AV, no browsing with elevated
>>>> accounts, laptops have full disk encryption, etc., etc., etc.
>>>
>>> Without an evaluation of risks, this would be a complete waste of time for
>>> most people IMHO.
>>
>> Sure - if you don't browse the Internet, share USB sticks, etc., you
>> probably don't need to do those things.
>
> But I do browse the internet, and I do share USB sticks. Yet I don't do most
> of what you list above.
>
> Everything is about /management/ of risk, not 99.99% avoidance of risk.
You manage risk by taking countermeasures, I believe, not by ignoring them. To
me, your approach sounds like ignoring, not managing. But, as you point out,
it's a matter of what makes you comfortable.

> Just as people don't live in impenetrable fortresses, and keep their money in
> Fort Knox, it's not actually necessary (or even desirable IMHO) to do some of
> the things you do to have an acceptable level of risk. The marginal benefit
> from each additional step you are taking vs. the cost to usability and time
> taken isn't worth it (again, IMHO)

Well, yes, of course. My firearms are in a safe, and so are my most valuable,
irreplaceable papers - which are just about none.

>>> I run as an admin on my personal machine. I don't bother reading all mail
>>> in "plain text", and I don't full disk encrypt all my machines, and I
>>> don't clear my cookies. I've got better things to do with my time, and if
>>> I focus on protecting my identity and data instead, I'm probably just as
>>> likely as you to be "safe".
>>>
>> So, care to share how you protect your identity and data without any
>> technologies or processes?
>
> Let's be clear - I'm not saying "I have no technology, and my strategy is to
> rely on magic".
>
> I start by worrying about what my family needs/wants to be able to do, and
> then what apps and data we need to do it, and then work out what the
> threats/risks are. You can draw a parallel to business -> info -> technology
> architecture from TOGAF or similar framework if you want. Malware and hackers
> getting into my home network is probably about half-way down the list at the
> moment. Additionally, instead of inconveniencing end users with restrictions
> on either user experience, I want technology to work in the background to
> protect us (if possible).
> So, we use 802.1x for our wireless since we're all on an AD domain, and SOHO
> APs all support it now (there's a guest wireless network for visitors), and I
> use centralised malware scanning on the Exchange server. I'm researching some
> options for outsourcing the malware/junk scanning for incoming (it's a pity
> that Postini doesn't seem to be available anymore)
>
> But things I worry about more are hardware failure, lightning strikes (had
> two of those in two different homes), being burgled, having a fire or
> something else similar that destroys things.
>
> The information I worry about protecting isn't just what's
> electronic/digital, but also paper records, passports, birth certificates and
> so on.
>
> So, it's starting from a different starting point. It's not starting from
> "you should encrypt your disk, delete your cookies, run as a non-admin". It's
> starting from "what types of critical/important/throw-away data do I have in
> order to live/work/interact with friends", and then what are the risks to
> that data, and what can I do about it. And weigh all that against usability.
>
> So, I'm not particularly worried about someone getting access to the password
> for the media centre PC's default user account. I'm more worried about that
> account somehow getting logged out, and whoever is using our media centre not
> being able to log back in again. I mitigate the risk of people knowing the
> password doing something bad by restricting what that account is allowed to
> do. Likewise I want to be able to share things with my family overseas, bank
> online and do various other things - at the same time without impacting my
> user experience significantly, so I take other measures to help reduce risk:
> I get notifications for purchases on my CCs over a certain amount. Most of my
> banks require (or at least offer) 2FA for authentication now. Etc.
While I agree that the account(s) on your media server aren't a big deal,
that's only to the extent that they don't have the same passwords as accounts
on other machines, or have access to valuable data elsewhere.

2FA is good for your financial accounts, and also good backups and physical
protection - all of which I strive for as well. I've had my house burgled (not
this one, my previous one, about 11 years ago, while I was selling it.)

OTOH, I think you seriously underestimate the risks of web browsing to your
finances, identity and reputation, and also the costs of repairing them. But
that's your call, and I'll pay the extra time and effort for more peace of
mind.

Kurt

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
