mental characteristics of security

Thread: mental characteristics of security

  1. #1
    Senior Member
    Join Date
    Jun 2002
    Posts
    165

    mental characteristics of security

    let's suppose you had to employ someone to protect your data, network, infrastructure, etc.

    you have narrowed it down to two candidates and both have roughly the same level of experience and background, and both are easy fits into the organizational community. the only distinguishing factor between the two is that candidate A tends to omit factors of threat logically, based on circumstantial evidence that applies to the current environment. while candidate B only discounts the possibility. who wins in your book -and- why?

    i guess i've heard too many {"no, this can't be done", "that is impossible"} type answers given to legitimate questions both here at AO and in the real world...and as always, i am confused about where they are coming from; and even more so why they are supported. i'm not bitching or pointing fingers (most of it isn't even related to AO responses in particular) - just curious about the justification behind the elimination methodology.

  2. #2
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    just curious about the justification behind the elimination methodology.
    There are 3 people in 1 house.
    Person A is in kitchen
    Person B is in kitchen
    Person C is locked in the basement and doesn't have the key to get out.
    Person A is killed

    Who did it?

    Obviously Person B. Why, because Person C was in the basement......elimination methodology. If something can NOT be done, then don't consider it....
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  3. #3
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    i understand the basic principle - we apply it every day...but in security when we rule out possibilities, doesn't it make sense that some things become more dangerous because they're not considered or overlooked? it's this type of thinking that perpetuates the exploit and catch-up game that the ummm. bad guys are consistently winning.

    for instance, i've heard from several sources here describing how spoofing full tcp communications isn't possible - or if it is then it's not considered spoofing. i won't draw a diagram, yet again...but it's the farthest thing from the truth. or that certain encryption schemes can't be cracked. or that man-in-the-middle attacks don't work against SSL or any other type of certificate based security protocol.

    another recent event that illustrates my point to a 'T', is apache and ISS's approach regarding the chunked encoding vulnerability. even though the evidence was clear (ala monkey.org's tamperings) - the information released was that it was only a threat to certain systems (64bit) - and that in all other cases the vulnerability would result in typical DOS characteristics.

    i get it day in and day out from the security administrative side - and yet i and others prove them wrong on a continuous basis only to walk into work the next day and have them make the same claims with some other piece of the puzzle. definitive statements at best hold temporary truths.

    without much detail with regard to your analogy...i'll do my best:
    was C always locked in the basement?
    were A and B always in the kitchen?
    which side did the lock face?
    who else had keys?
    what tools if any existed in the basement?
    were there any other means of escape outside of the locked door?
    is the room soundproof?
    is the locked door at the top or the bottom of the stairs?
    how much of a gap exists at the base of the door?
    is it large enough to fit a key through? what about a peashooter? or dart-gun?
    what is the relationship between A and B, A and C, and B and C

    these are the types of questions i would want asked rather than assuming the "obvious".

    as opposed as my views are, i'm not really against you, here souleman - i'm just trying to gain a better understanding of what i'm guessing is a consensus amongst sec admins. and at the same time offer my own view on security approach.
    -droby10

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    I simply believe that both methods come down to assumed perceptions. Neither is right nor wrong. One may start out through experience use elimination methodology, it is based upon training, edu, and real world living and even the personal baggage a person may carry. Then we come to discounts the possibility, again the same factor assume that through your knowledge that the other factors you stated. A person at 25 perceives a world different than I say at 50. I simply believe one must employ both in security, and after you look at things it comes down to the nature of the person that may be a threat. Assume you have a goose in a bottle and you must remove it without breaking the bottle or hurting the goose. How do you get the goose out? This can be solved it is a question of assumptions and logic.
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  5. #5
    Banned
    Join Date
    Jul 2002
    Posts
    877
    If I had to hire someone to make sure everything is running properly and the security is ok, I'd hire someone who doesn't act like a jerk, is well smart, someone who isn't lazy, and someone who doesn't brag about the cool things they have done or put inside the network. Now as you can see you can go a long ways with someone who has a good personality and takes orders well.

  6. #6
    Senior Member
    Join Date
    Aug 2001
    Posts
    259
    Everything comes down to the time=money equation. Sure you could hire a security expert to bolt down the computer make sure every nook and cranny is secure, but the users of the system would bitch about it (costing the company money cause they can't get their work done), it would cost more money because the "expert" would have to spend more time on it and it would piss a lot of people off. While making sure the system is routinely patched and the currently exploitable vulnerabilities are fixed is much more economical. I've said it time and again most hacks that occur are the admin's fault because almost all of them use known vulnerabilities.
    Alternate realities celebrate reality. If you can't handle the reality you're in, then you won't be able to handle the one you're attempting to escape to.

  7. #7
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    palemoon, the voice of reason. i agree 100%.

    i'm more pointed in my views right now, because i'm finding myself increasingly frustrated with having to fight about the reality of possibilities - and then being the ******* who had to prove everyone wrong...simply because i can't sit still when people state "facts" that are nothing more than effects of conditions, which might or might not be susceptible to change. the typical response (and i've seen it prevalent here too) is "no, that's not possible. case closed."

    specialist, i don't know any jerks thus far - but i'll be sure to be on the lookout in my hypothetical question.

    personally, i like the one about the sound of one-hand clapping. it seems more fitting to my example anyway.
    -droby10

  8. #8
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    Zepherin you nailed it it comes to time money producing a work product and up time on a network. Secure a network too much average workers have too many hoops to go through to get their job done. Network intrusion attempts you are on the internet it is a fact you will get hit, so it becomes a question of how much time and resources against the hits to a firewall and keeping an entire staff productive and the servers up. Most cases you block the IP and life goes on and one watches the log.

    Still no guess on the goose in the bottle problem it proves both sets of logic and that of assumption and human nature it is a Koan a Zen problem I did not invent it but know its answer
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  9. #9
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    zepherin, the scenario i gave wasn't sufficient with regards to financial feasibility. your statements are correct. it does bring up an interesting point. is it your contention, then, that security admins, who are the more well-rounded, ideal choice in the business world, have the motivation (internal/external) to stay that way because of the business-related expectation/limitation of their job roles?

    Still no guess...
    what and ruin it...? the purpose isn't the answer - it's the path to get to an answer.
    -droby10

  10. #10
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    No guessing it is a logic problem yes the path to the answer is in assumed knowledge asking the two basic things you asked of logic from two perspectives become one and time = $ and also knowing your role in a company and the users one supports.
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg
