Thread: how much is enough?

  1. #1
    Junior Member
    Join Date
    Oct 2003
    Posts
    18

    how much is enough?

    How much security is enough? Is it worth the electronic equivalent of the presidential security squad to protect the local phone directory on your hard drive; obviously not, but when does the buck stop?

  2. #2
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    That is like asking how much money is enough? I guess when you feel secure it is enough, although that is a very bad thing to say. If you go out and download every exploit known to man and run them against your computer, and nothing happens, then I would say you are almost secure. New vulnerabilities are always going to be discovered so you can never have enough security because your security will always become outdated at some point.

  3. #3
    Developer Extraordinar
    Join Date
    Jul 2002
    Location
    On the IRC
    Posts
    572
    I'd say there is no such thing as "enough security". As h3r3tic said, there are new exploits and viruses every single day for many different programs, and a lot of the time, firewalls aren't enough. I'd say it's best to always be looking for ways to secure yourself both physically and otherwise.

    PS. I do believe LoggOff is working on a tutorial on physical security for Unerror.net I'll post the URL to it, once it is finished.

    MB

  4. #4
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    Enough would have to depend on the system. As has been constantly mentioned throughout posts on this site, there is no way to completely secure a system except for completely shutting off power.

    In my opinion, a personal system with a good firewall, current AV, and all necessary updates is secure "enough." There is no way to stop a dedicated (as long as they are skilled) intruder. Eventually they will find a way.
    Real security doesn't come with an installer.

  5. #5
    Senior Member
    Join Date
    Jun 2003
    Posts
    142
    Well, I agree with h3r3tic and D0pp139an93r... Nothing is safe in this world. Every new day the sun rises with someone's eyes thirsty for sleep, working all night, resulting in some new discovery, and that could be a security threat like MS Blast or Sobig.F. Sometimes, I just think that people have such a great passion for this subject, and it excites me. I believe that this subject will keep on progressing every passing day. Hats off to all nerds out there, they are the ones who put their blood and sweat in the field to make it a moving on.
    In a nutshell, nothing is secure coz there is no limit to human intelligence, I believe.

  6. #6
    Senior Member
    Join Date
    Oct 2003
    Posts
    111
    Capitalizing the point on what everybody has said in this thread....
    THERE IS NOT A PINNACLE POINT OF SECURITY
    This also goes without saying that ignorance, in this case, is not bliss. Ignorance can definitely hurt you.
    Creating further mindless stupidity....through mindless automation.

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Actually, it's often said that once the security costs more than the risk (usually determined in a risk analysis). There are some values that can be used to determine the cost of the risk (SLE and ALE) and if the cost of the protection is beyond that (say the risk is only $500 but it costs $1,000,000 to protect) then the cost isn't worth it.

    Single Loss Expectancy (SLE) = Asset Value (AV) X Exposure Factor (EF)
    Asset Value = the value put on the asset. Can include but not limited to hardware, software, admin time to bring back into operation, data value (hard to estimate in value)

    Exposure Factor = the % of risk to the asset (aka, how great will this impact on the asset). e.g., a virus will only do 50% damage

    SLE = basically, what I can expect to lose in a single event or attack. (remember that events include things like fires, theft, terrorism, viruses, user stupidity, etc. It is whatever will stop a server or other asset from doing its intended role)

    Annual Loss Expectancy (ALE) = SLE X Annual Rate of Occurrence (ARO)
    SLE is explained above.

    Annual Rate of Occurrence = how often in a year will this happen. The values go from 0 (never) to 1 (every year). e.g., Windows users have an ARO of 1 for viruses; Unix users might have an ARO of 0.01 (it may happen but extremely rare).

    ALE = if this occurs every year, what will it cost us? This can be more or less than the ALE value. The cost of protecting the asset yearly shouldn't be too much greater than the cost of experiencing a loss.

    Hope that helps.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
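
The SLE/ALE calculation from post #7, worked through as an added example that is not part of any post in this thread. It goes one step beyond the post by computing a safeguard's net value as ALE before minus ALE after minus its annual cost; the names `Risk` and `evaluate` and all dollar figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # AV in dollars
    exposure_factor: float   # EF: fraction of the asset lost per event, 0..1
    aro: float               # ARO: expected events per year

    def __post_init__(self):
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")
        if not 0 <= self.exposure_factor <= 1:
            raise ValueError("exposure factor must be between 0 and 1")

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor   # SLE = AV x EF

    @property
    def ale(self) -> float:
        return self.sle * self.aro                        # ALE = SLE x ARO


def evaluate(risk, annual_cost, ef_after=None, aro_after=None):
    """Compare a safeguard's yearly cost with the ALE it removes."""
    after = Risk(risk.name, risk.asset_value,
                 risk.exposure_factor if ef_after is None else ef_after,
                 risk.aro if aro_after is None else aro_after)
    net = (risk.ale - after.ale) - annual_cost
    return {"ale_before": risk.ale, "ale_after": after.ale,
            "net_value": net, "worth_it": net > 0}


# Constructed sample figures, not taken from any real assessment.
DIRECTORY = Risk("local phone directory", 1_000, 0.5, 1.0)
FILE_SERVER = Risk("office file server", 40_000, 0.5, 1.0)

if __name__ == "__main__":
    cases = [
        (DIRECTORY, 1_000_000, None, 0.01),   # "presidential" protection
        (FILE_SERVER, 1_200, None, 0.1),      # AV, patching, backups
    ]
    for risk, cost, ef, aro in cases:
        r = evaluate(risk, cost, ef, aro)
        print(f"{risk.name}: SLE=${risk.sle:,.0f} ALE=${r['ale_before']:,.0f} "
              f"-> ${r['ale_after']:,.0f}, net=${r['net_value']:,.0f}, "
              f"worth it: {r['worth_it']}")
```

A negative net value means the safeguard costs more per year than the loss it prevents, which is the $500 risk versus $1,000,000 protection case from the post.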

  8. #8
    Junior Member
    Join Date
    Jun 2003
    Posts
    14
    MsMittens is 100% correct. That is the way to determine "How much is enough"
