Posted by Jerry Stuckle on 10/22/07 11:11
Puckdropper wrote:
> Jerry Stuckle <jstucklex@attglobal.net> wrote in
> news:8bednQcnusXVmIHanZ2dnUVZ_uninZ2d@comcast.com:
>
>> Puckdropper wrote:
>>> Jerry Stuckle <jstucklex@attglobal.net> wrote in news:46GdnfUzY-
>>> HIeYbanZ2dnUVZ_rWtnZ2d@comcast.com:
>>>
>>> *snip*
>>>
>>>> To be able to prevent something, you must have 100% security. And
>>>> that means, in computer systems anyway, 100% perfect code,
>>>> absolutely no access to the sensitive code, either via
>>>> communications link, physical access to the server or any other way.
>>>> There must also be no copies (i.e. backups) of the sensitive files
>>>> at all. And even then you're likely to have potential gaps in the
>>>> system.
>>>>
>>>> But how many systems do you know fit this?
>>>>
>>> Prevention is NOT about stopping EVERYTHING. It's about stopping
>>> SOME THINGs. You are correct that absolute prevention requires 100%
>>> effective security, but we're merely talking about stopping some
>>> attacks.
>>>
>>> Security, at its simplest, is about allowing access to those who need
>>> access and preventing access to those who do not need access.
>>>
>>> Puckdropper
>> Ah, but it is. If you prevent something, you have stopped it.
>> Period.
>> Stopping "some" break-ins is not prevention.
>>
>> What you are talking is deterrence.
>>
>> And security is about deterring what you can - and minimizing the
>> damage for those you can't.
>>
>
> I'm afraid we're using different definitions.
> Prevent: To keep something from happening; to keep from doing something.
> Deter: To prevent or discourage someone from acting by arousing fear,
> uncertainty, intimidation, or other strong emotion.
>
> Source: Webster's Dictionary (c) 1991
>
When used by security professionals, it is known as deterrence. They
never talk about keeping intrusions or other breaches from happening
(prevention), because they know it's impossible.

> It appears you're using the first part of "prevent", stopping at the
> semicolon. I'm using the second part of the definition, so by stopping
> one, you have successfully kept someone from doing something, and thus
> prevented it.
>
I'm using the same terminology security professionals use. And claiming
prevention is not one of them. Rather, they claim deterrence not
necessarily by fear, but by making it harder to break in so that hackers
will go further.

Maybe not an exact Webster's 1991 definition. But every profession has
its own argot, also.

I just got a note from one of my friends who's in government security.
In part, he said:

"You are correct, Jerry. We are told to never use the words prevent or
prevention when talking about security."

> I'm not quite sure where "deter" comes in. It appears you're using it to
> imply the second part of "prevent", but in computing security there need
> be no emotion.
>
> Puckdropper

Security is always an emotional issue with customers.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================