On Thu, Jan 6, 2011 at 18:11, Ken Schaefer <[email protected]> wrote:
> Hi,
>
> Then you should turn off all your computers, encase them in concrete, and
> launch them into outer space - and into the Sun. That is the best way of
> stopping anyone compromising one of your machines.

Got to love the straw man argument.

> Having a non-domain joined SQL Server in your DMZ is far less secure than
> that.

Than what? Launching it into the sun? You conveniently ignore that I said "when you know there are better ways", and the

> Hint: go and read some books on security first. *All* security is risk
> mitigation.
> For example: that's why we still have passwords that are only "x" characters
> long, rather than "x + 1" (where x is any number less than infinity).

I have read security books, and keep up with Full Disclosure, FW Wizards and several other lists, as well as monitoring isc.sans.org.

And you exaggerate again. We have passwords that are 'x' characters long (I tend to use 20+ character passphrases myself) because the effort to crack them is, so far, infeasible, due to the lack of rainbow tables of the size necessary to do so, and the lack of time to brute force them before I change them. If firms (such as my own work, I'll admit) are so foolish as to ignore this limit, then they will likely suffer for it, and deserve to do so.

> Everything in security is about:
> a) analysing what risks you face,
> b) working out the likelihood of it eventuating
> c) working out the cost of the likelihood eventuating
> d) working out the cost of making the risk go away
> e) working out whether it's cost effective to implement (d) given (a)(b)(c)

It's at b) that the risk mitigation wizards fail. Spectacularly. IMHO, "risk mitigation" is a mantra that has gone way too far, in the relentless pursuit of cost and effort savings. The above recommendation to turn a firewall into a safe passage for intruders is a prime example.

> That is why a national government has a far more secure, cumbersome network
> than your average business. Because the risks are different.

Oh, yeah - that's worked out well, hasn't it? I believe you have that problem by the wrong end of the stick. National government networks are more cumbersome, and not more secure, in the main. That's because they're, wait for it, run by bureaucrats. They danced the risk mitigation dance, and we got WikiLeaks, infected thumb drives, virus infestations on supposedly secure networks, and all manner of silliness.

> That's why we don't all blithely implement the same way of doing things.
> Because doing things *costs* money (whether that be products, convenience,
> productivity etc)

And doing them intelligently costs less money than doing them stupidly.

Kurt
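The exchange above turns on two claims about password length: that going from "x" to "x + 1" characters is a risk-mitigation trade-off, and that a long passphrase is safe because neither a rainbow table nor a brute-force run can finish before the password is rotated. The following is an added worked example, not code from either poster or from the list; it assumes a hypothetical offline guess rate, a 90-day rotation policy and the charset sizes shown, all of which are constructed for illustration. It computes how the brute-force window compares to the rotation window for several lengths, shows that each extra character multiplies the attacker's work by the same factor regardless of x, and demonstrates why a per-user salt plus a slow KDF removes the shared precomputation (rainbow-table) threat that the thread mentions.

```python
import hashlib
import os

# Constructed assumptions for illustration (not figures from the thread):
# charset sizes and an assumed offline guess rate against a fast unsalted hash.
CHARSET_SIZES = {"digits": 10, "lower": 26, "alnum": 62, "printable": 95}
ASSUMED_GUESSES_PER_SECOND = 1e9   # hypothetical cracking rig, offline attack
SECONDS_PER_DAY = 86_400


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters over the charset."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time for an attacker to try every candidate at the assumed rate."""
    return keyspace(charset_size, length) / guesses_per_second


def exhausted_before_rotation(charset_size: int, length: int, rotation_days: int,
                              guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> bool:
    """True when a full brute-force search fits inside the rotation window, i.e. the
    'lack of time to brute force them before I change them' argument no longer holds."""
    return seconds_to_exhaust(charset_size, length, guesses_per_second) <= rotation_days * SECONDS_PER_DAY


def extra_character_factor(charset_size: int) -> int:
    """Going from length x to x + 1 multiplies the attacker's work by the charset size,
    independently of x: the relative gain per added character is constant."""
    return charset_size


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256 from the standard library):
    a table precomputed for one user's salt is useless against any other user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def same_password_distinct_digests(password: str) -> bool:
    """Two users who pick the same password still end up with different stored digests."""
    return salted_hash(password, os.urandom(16)) != salted_hash(password, os.urandom(16))


if __name__ == "__main__":
    rotation = 90  # days, assumed policy
    for length in (8, 12, 16, 20):
        secs = seconds_to_exhaust(CHARSET_SIZES["alnum"], length)
        verdict = ("exhausted within rotation window"
                   if exhausted_before_rotation(CHARSET_SIZES["alnum"], length, rotation)
                   else "infeasible within rotation window")
        print(f"alnum, {length:2d} chars: {secs / SECONDS_PER_DAY:.3g} days -> {verdict}")
    print("each extra alnum character multiplies work by", extra_character_factor(CHARSET_SIZES["alnum"]))
    print("salting defeats shared precomputation:", same_password_distinct_digests("correct horse"))
```

Under these assumptions an 8-character alphanumeric password is exhausted in a few days, well inside a 90-day rotation, while a 20-character one is not exhausted in any useful timeframe. Mapped onto Ken's list, `seconds_to_exhaust` is an estimate for (b), and `extra_character_factor` shows why (d) is cheap for length: the cost of demanding one more character is roughly constant, but the attacker's work grows by the charset size every time.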
