If the industry is highly regulated, you may not have a ton of choice in the matter. You may have audit requirements that need to be met whether you like it or not for things like PCI or HIPAA.
I think defense in depth is a very important concept. A lot of people do rely on the same products and solutions, that's true. Hopefully your security design doesn't put you in a position where one standardized hole leaves you too vulnerable.

Rich

On Tue, Nov 20, 2012 at 11:58 AM, Keith Lofstrom <[email protected]> wrote:
> A friend taught me that con men exploit smart people more easily
> than dumb people, because there are fewer ways to be smart than
> dumb, making smart people (and their blind spots) more predictable.
>
> I am helping a friend set up security procedures for a business
> in a highly regulated industry, with acres of forms and checklists
> and standards that are supposed to result in secure systems.
> Many look like brainfarts from academics working from unproven
> hypotheses, who haven't collected the histories of real exploits,
> much less fought an exploit themselves.
>
> Standardized security systems probably have standardized holes,
> suitable for automated exploitation. Instead, should we
> construct vivid and instructive stories, and count on the
> creativity of end users to develop and elaborate a varied
> (and difficult to exploit) set of solutions?
>
> Or do semi-informed people tend to make the same predictable
> mistakes more often than standard security procedures result
> in widespread identical holes?
>
> Build a kludge, or buy a black box?
>
> Keith
>
> --
> Keith Lofstrom [email protected] Voice (503)-520-1993
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://lists.pdxlinux.org/mailman/listinfo/plug
