On Tue, 20 Nov 2012, Keith Lofstrom wrote:
> A friend taught me that con men exploit smart people more easily
> than dumb people, because there are fewer ways to be smart than
> dumb, making smart people (and their blind spots) more predictable.
> I am helping a friend set up security procedures for a business in a
> highly regulated industry, with acres of forms and checklists and
> standards that are supposed to result in secure systems. Many look
> like brainfarts from academics working from unproven hypotheses, who
> haven't collected the histories of real exploits, much less fought
> an exploit themselves.
There are essentially three security tasks, each one more difficult
than the next:
1. Secure your network exposure.
Most IT work tends to begin and end here, but it's actually about the
easiest layer of security to get right. The mantras are well known:
defense in depth, timely patching, penetration testing, configuration
management, firewalls, intrusion detection, etc.
2. Secure your physical exposure.
Physical protection of assets is typically more difficult, if for no
other reason than it's expensive and the ROI will never be realized if
things go well. It involves storage crypto, really good locks and
alarms (or an isolated island headquarters), fire suppression, solid
electrical and network connections, insurance, tested
business-continuity and/or disaster-recovery plans, redundant
hardware, etc.
3. Secure your people.
This is easily the hardest security task, and the most likely avenue
for crooks, vandals, and other ne'er-do-wells. All the network
and physical security in the world won't keep employees from re-using
passwords, divulging sensitive information via phishing attacks (or
even on public mailing lists), using USB sticks of unknown origin, or
visiting web sites with malicious files.
Standardized security systems probably have standardized holes,
suitable for automated exploitation.
Good user training is the best response to attacks, automated or
targeted. Users who can identify and report suspicious e-mail
messages, service behavior, and even social interactions are the
difference between a well-administered network and a secure network.
--
Paul Heinlein
[email protected]
45°38' N, 122°6' W
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug