Re: free tool to encrypt php?

Posted by Jerry Stuckle on 10/21/07 23:36

Gary L. Burnore wrote:
> On Sun, 21 Oct 2007 14:05:33 -0400, Jerry Stuckle
> <jstucklex@attglobal.net> wrote:
>
>> Gary L. Burnore wrote:
>>> On Sat, 20 Oct 2007 22:05:13 -0400, Jerry Stuckle
>>> <jstucklex@attglobal.net> wrote:
>>>
>>>
>>>> Security is not about prevention,
>>> WHAT? What a complete and totally moronic thing to say, Jerry.
>>>
>>> Security is about many things of which prevention is one.
>>>
>> No responsible person in the security field will ever claim that.
>
> I'm a responsible person in the security field and I claim that. I've
> been taught that and I teach that. That being that many things make
> up good security. Prevention is one part of security.
>

If you claim obscurity is security, then that's debatable. I hope your
E&O insurance is paid up and it covers negligence on your part.

I've got some friends who are in the security business. These are guys
with clearances higher than Top Secret. They are responsible for
security of some very sensitive government systems. They can't tell me
a lot of details because I don't have a sufficient security clearance.
But one thing they agree upon - is that obscurity only gives a false
sense of security.

>
>> There is no such thing as "prevention". That would indicate that
>> something can't happen, which is impossible to do.
>>
>> For instance, banks have been trying to prevent robberies for hundreds
>> of years.
>
>
> Banks prevent you, as an employee, from seeing all the things
> necessary to get your hand on the data of a user. Does it work all
> the time, no. That's where forensics come in. But if you don't
> prevent it at all, you open yourself (yourself being the bank) to
> lawsuits from customers, fines from FICA and harassment from auditors
> for SOX.
>

They make it harder by encrypting data, for instance. But they can't
prevent it. If it's possible for ANYONE to get into something, it's
possible for the WRONG person to get in there, also.

And forensics is after the fact. It has nothing to do with either
security - other than a good system will audit access for later analysis.


>> At no time will a responsible security professional claim anything about
>> preventing break-ins.
>
> Right. That's why banks don't use firewalls, don't use encryption,
> don't use secure keys, etc.
>
> Stick with coding, J. You obviously know little about security.
>

And none of this prevents a break-in. It just makes it harder.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

 
