Dan Parsons wrote:
> I feel you've not. You're simply equating "increased service visibility"
> with "bad security". If this were the case, every bank would be robbed
> daily, and seedy liquor store owners wouldn't be infamous for keeping a
> shotgun behind the counter.

It really has to do with the definition of "security".

Security risk is the balance of the equation Threat x Vulnerability x Cost.
In this case, you always increase "Threat" when you advertise the
possibility of a "Vulnerability". This goes equally with Bonjour or UPnP.

So, in your example of a bank, the vulnerability is someone walking in
with a shotgun (and a handwritten note :) ). The threat is increased
in the fact that they have to advertise they exist to get customers.
The cost is the loss of funds. They can't reduce the threat, without
losing business. So, in this case they do nothing on that part.

They reduce the vulnerability by getting alarm systems, guards, and
monitoring.

They reduce the cost by getting insured.

For a computer, it is very difficult to reduce the vulnerability,
outside of removing the service. So, you can reduce the threat by not
advertising what you have. You can also reduce the cost, by not storing
important information on the machine.

--
END OF LINE
--MCP
_______________________________________________
Tech mailing list
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/