Posted by Jerry Stuckle on 10/21/07 18:05
Gary L. Burnore wrote:
> On Sat, 20 Oct 2007 22:05:13 -0400, Jerry Stuckle
> <jstucklex@attglobal.net> wrote:
>
>
>> Security is not about prevention,
>
> WHAT? What a complete and totally moronic thing to say, Jerry.
>
> Security is about many things of which prevention is one.
>
No responsible person in the security field will ever claim that.
There is no such thing as "prevention". That would indicate that
something can't happen, which is impossible to do.

For instance, banks have been trying to prevent robberies for hundreds
of years. Nowadays they have CCTV, armed guards, vaults, silent
alarms... the list goes on. But they still get robbed. Because there
is no "prevention".

As for computer security - the only way to "prevent" someone from
accessing a server is to disconnect it from all communications, seal it
in an RF proof room and run it off batteries or other local power. But
there's still the possibility of someone breaking into the room.
>
>> just like there is no way to prevent
>> someone from breaking into your home. There is no such thing. What it
>> is is about identifying undesired ways of accessing your files and
>> limiting the effect of exposure.
>
> Limiting exposure is one form of prevention, Jerry.
>
No, limiting exposure is not about prevention. It's about minimizing
loss when something does happen.
>
>> It's just like locking your valuables in a bank vault to limit your exposure if someone breaks into your house.
>
> Not exactly, but you're close. You might be good at programming but
> you're really bad at security or at least bad at explaining it.

Not at all. It's exactly what security is about.

Security professionals are paranoid. They assume that a break-in will
occur. What they do is minimize the holes someone might get through.
But more importantly, they minimize the effects if and when a break-in
does occur.

At no time will a responsible security professional claim anything about
preventing break-ins.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================