I said high security; none of those are high security systems. The loss from those attacks is insignificant, and consequently so were the countermeasures protecting them.
1. Bush is an idiot.
2. This deals primarily with securing commercial systems.
3. This features no introduction of new policy against high security installations, and is consequently off topic.
Quote:
So you are saying that as long as nothing critical (which is certainly not what was indicated by SOME of the links I linked above) is done, there is no security problem? No home user has anything classified on their system, so why bother securing it? Is that your stance?
If you read the document I posted, it clearly states that so long as the ALE is less than the cost of the countermeasure, the risk will go unmitigated. In none of the attacks you mention was classified data disclosed.
Quote:
The titanic was unsinkable too. Saying that government security is obviously perfectly good because it's 'not wasted on public webservers with nothing to protect' is merely saying that they have achieved security through obscurity, and haven't been put to a constant, real live test.
Security is simple math; it has nothing to do with user testing. High end systems use finite state reference monitors; these are of course... theoretically impossible to crack.
Why don't you actually read my document on risk management that I posted in the last thread, and questions like these will be answered.
Quote:
So what? Wow, you can tell you have either been contracted to or directly employed by government. You are talking serious breaches in security, and saying they don't matter because they aren't "super duper top secret".
Aren't even classified. Corporations and banks work the same way... why not go familiarize yourself with ISO17799/BS7799? All these questions would be answered.
Quote:
Tell any of the engineers at NASA who worked on the design, that someone came in and stole the plans for their shuttles (which could potentially be in the hands of various private commercial spacefaring endeavours), and then tell them it is all irrelevant.
The classification of that data was up to the data owners; if they felt it was more important, it would have been protected. They felt no point in wasting unneeded resources.
Quote:
They'll have a VERY different view of the situation, as would your average home user.
That is why data classification isn't their job, that kind of emotional attachment is unproductive, and home users are allowed to classify their own data as they see fit, provided their systems have labeling capabilities.
Quote:
What you classify as important is not what others classify as important.
It is up to the data owner; they are the ones who establish the initial classification. (This is very, very basic IS security stuff here... not like I'm breaking new ground.)
Quote:
Someone is asking if it is worthwhile, and you tell them no based on your definition of the importance of THEIR information.
I didn't give advice, I explained what firewalls are intended for and when they are not needed.
Quote:
Fortunately not everyone approaches the issue with the pompousness you do,
Nor the level of a community college education in IS security as you do.
Quote:
and in the spirit of actually trying to HELP the person out, rather than deem them unimportant, have dispensed the kind of information they might find useful. This applies equally to a home user. The important thing is they have deemed their data as important.
Again, I didn't tell the user what to do, I clarified the hype about firewalls not being the cure all security fix in every situation.
Quote:
That is a matter of opinion now isn't it? If NASA didn't think they were valuable, why not give them away as mail-order pamphlets on their site, why make ANY effort to protect the data at all?
This is where fine granularity of control comes in, something totally foreign to those from the Linux world.
Quote:
You are correct, I miswrote that. The point is no less valid: The security guidelines developed by the U.S. government have been noted time and again to be subpar (even by the government's own security panels).
When a hacker launches nukes, then you can tell me how subpar it is... the only thing you are arguing as subpar is the classifications given to the data, not the protections available.
Quote:
You said it yourself, the networks are all closed, private, inaccessible through any means to the Internet. That makes them an isolated place, hence "out in the wilds" does not apply.
When did I say that? If military systems (like silos, and submarines, and bases) communicate with each other... then there must be a way to access them remotely. My response about out in the wild is that ALL technical commercial security standards are merely detuned versions of DOD/MIL standards. That is the real world.
Quote:
I find it kind of ironic that "those people will set [me] straight", yet they require me to register to even browse the whitepapers they have there, which are by and large managerial in nature, and detail specifications on how to prepare individuals to learn about security vulnerabilities. All the technical-sounding documents I was able to find provided me with this lovely message when I tried to view them with my "limited" access account: "Your present login: chsh does not have access to this feature." They have no interest in setting me straight, or if they do, they want to see my money first. Amusingly, SANS is nothing like Television -- you don't have to pay anything to get access to some of their information, only to become certified.
They don't want just anyone to come along and be stupid. The fee is nominal and goes to a good cause... but requiring payment information allows for more binding user agreements and fewer "trolls" I believe they are called. If there are any documents you are interested in, kindly let me know and I will gladly forward them to you.
TV is also free, free and full of commercials. (unless you want good TV which at first has more channels and then the premium stuff is no commercials either.)
Quote:
This has absolutely nothing to do with Linux, and everything to do with the knowledge level of your average user.
If he is a newbie, he should have posted in that forum, things like honeypots are advanced topics. I am not a mind reader, nor will I attempt to try.
Quote:
Unfortunately, the majority of users out there do not have the understanding and capabilities of someone as versed in the technology as yourself. You seem to be unable to comprehend this simple fact.
And how are they supposed to ever get educated if everyone constantly pitches thoughtless solutions at them?
Quote:
You continually derail this thread to discuss your government ultra-secure system,
If by that you mean my home system, my family members' (including grandmother's) home systems, all of my friends' home systems, the system incorporated at a large number of corporations and non-profit agencies around the world... then yes... if you mean all that, then I confess, I have just been trying to derail this conversation with those exotic, useless, non-real world systems.
Quote:
and are totally dodging the whole point of this: The user who asked how to make their system MORE secure. From your argument, it seems to me that you believe a computer with an app. firewall is LESS secure "out in the wilds" (unfamiliar territory to coddled government systems) than one without one.
This is absolutely true. Adding to the complexity of ANY system without altering its security functionality (and even then if this functionality falls outside of the reference monitor) makes the system less secure. It is a mathematical fact.
Quote:
I have not yet spoken of how your government is run, and how policies are set, nor do I know all the various and sundry technologies that go into securing "Top Secret" government systems, I imagine they are quite extensive. I do not pretend I know the systems, and as such do not speak of them. It is rather evident to me that you are in a similar position when discussing the home user, or small business, etc..
I respect your candor, but the truth of the matter is that computer security at any level is broken down into the following:
1. Risk (add up assets, calculate threats, predict exposure, calculate total expected loss, research counter-measures, compare their cost to their reduction in loss, take the cheaper choice)
2. Policy (implement counter-measures and determine how to utilize the counter-measures on what, classify and label your assets/objects and your users)
3. Accountability (ensure that subjects are identified to the system and audit the system to ensure the policy is being maintained)
4. Assurance (track relevant changes in risk and repeat the process as needed)
In a home system all of these steps apply just the same as they would for a missile launch control center. The only difference is how comprehensive and formalized they are. All of us do these things all the time on our systems and never even think twice about it.
All I did in this situation was inform the poster of a more efficient counter-measure, I didn't alter his policy.
Quote:
You cluing into the fact that just because you know how to use a hammer REALLY well, it does NOT mean that every problem is a nail.
IS security is a spectrum, always about finding the most efficient solutions. If you could run KSOS and still use your computer the same, and the cost of operation was actually reduced, would you run it? Or would you just assume that it was used for things of high security so it isn't appropriate for this situation?
The commercial security world takes advantage of users' ignorance; they use lots of fancy keywords and bells and whistles, and they are confined by the fact that they need to sell products that the user has some basic conceptual understanding of.
"Firewall, it's like a digital moat." "Oh ok!" another sale
"Mandatory Access Controls, it's like an apartment building... where wait that doesn't work... well you see data can only be written to the same or higher levels of security within the confidentiality model and read at the same or lower levels, but then the integrity model is the opposite, but sometimes you have a situation that calls for the tranquility property and then you can only read and write at the same level within both security models. Sometimes you need to violate this model so the system is provided with a few trusted agents for various tasks as well." "Um..." "Now I know what you are thinking! What about covert channels? Our system monitors both data and timing covert channels to an accuracy of...." Clearly... no sale is gonna happen.
Users don't need to understand how the technology works, they just need to know how to be productive within it, but they want to know... this means that the majority of commercial products have to be dumbed down to the level of someone that knows nothing about IS security. The Military and their standards which have filtered into many COTS systems are not saddled with the same problem. They are simply the best.
Quote:
I already did, and was unable to access any of this information. What you seem to fail to understand is I'm not saying you are outright wrong, but rather you are wrong as applies to this situation.
"See, that's the thing, he ISN'T right on any level, considering the data given, and the situation being asked about, Catch is dead wrong"
I am sure you can see why I misunderstood what that was stated as a reply to "Catch has his points and he is right on a "higher" theoretical level."
Quote:
I will? I'd be intrigued to say the least. Is that an open offer, or an out-of-hand insult since you wouldn't ever set such a situation up?
If you are interested, it would be fun... if for nothing else I'd be curious to see the feedback on it. It'll need to happen sometime this week/weekend though. I have a system in mind, Windows 2000 no less; let me know if you are interested and I'll tell you the setup I'm willing to offer.
catch
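The risk step the post lays out (add up assets, predict exposure, calculate expected loss, compare each counter-measure's cost against its reduction in loss, take the cheaper choice) and the ALE rule quoted earlier ("so long as the ALE is less than the cost of the countermeasure, the risk will go unmitigated") can be carried through as a small calculation. The following is an added example, not code from the thread or from any document it cites; the asset values, exposure factors, incident rates and counter-measure costs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, in annualised loss terms (constructed figures)."""
    asset: str
    asset_value: float      # cost to replace or recover the asset
    exposure_factor: float  # fraction of the asset lost in one incident, 0.0 .. 1.0
    aro: float              # annualised rate of occurrence, incidents per year

    def sle(self) -> float:
        """Single loss expectancy: what one incident costs."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: expected loss per year with no counter-measure."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    """A control and the residual exposure/incident rate expected once it is in place."""
    name: str
    annual_cost: float
    ef_after: float
    aro_after: float


def ale_after(risk: Risk, cm: Countermeasure) -> float:
    """Residual ALE once the counter-measure is applied."""
    return risk.asset_value * cm.ef_after * cm.aro_after


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Reduction in expected loss minus what the control costs to run each year."""
    return risk.ale() - ale_after(risk, cm) - cm.annual_cost


def choose(risk: Risk, options: list[Countermeasure]) -> Optional[Countermeasure]:
    """Pick the control with the largest net benefit; None means accept the risk
    (every option costs more than the loss it prevents, so the risk goes unmitigated)."""
    if not options:
        return None
    best = max(options, key=lambda cm: net_benefit(risk, cm))
    return best if net_benefit(risk, best) > 0 else None


# Constructed scenario: a home PC whose owner values its contents at 2000 units.
HOME_PC = Risk(asset="home PC", asset_value=2000.0, exposure_factor=0.5, aro=0.2)

# Constructed options; names and numbers are hypothetical, not product claims.
OPTIONS = [
    Countermeasure("desktop firewall product", annual_cost=60.0, ef_after=0.5, aro_after=0.10),
    Countermeasure("host hardening (patching, fewer services)", annual_cost=20.0, ef_after=0.5, aro_after=0.05),
    Countermeasure("managed monitoring service", annual_cost=300.0, ef_after=0.5, aro_after=0.02),
]

# Constructed low-value asset: a throwaway box with nothing the owner cares about.
SCRATCH_BOX = Risk(asset="scratch box", asset_value=50.0, exposure_factor=1.0, aro=0.1)


if __name__ == "__main__":
    for risk in (HOME_PC, SCRATCH_BOX):
        print(f"{risk.asset}: ALE = {risk.ale():.2f}")
        for cm in OPTIONS:
            print(f"  {cm.name:45s} net benefit = {net_benefit(risk, cm):8.2f}")
        pick = choose(risk, OPTIONS)
        print("  decision:", pick.name if pick else "accept the risk (no control pays for itself)")
```

The cheapest control is not the one with the lowest price tag but the one with the best net benefit; for the constructed home PC that is hardening, while for the scratch box every option costs more than the loss it prevents, which is exactly the case the post describes as the risk going unmitigated.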
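The mandatory access control rules in the "apartment building" sales pitch (confidentiality: write only at the same or higher level, read only at the same or lower; integrity: the opposite; trusted agents allowed to step outside the model) are the Bell-LaPadula and Biba rules, and they can be written out as a tiny reference monitor that mediates every access. This is an added example, not code from the thread or from any product or standard it mentions; the level names, the subject/object labels and the audit record format are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Constructed lattice of labels; higher value means more sensitive / more trustworthy."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(op: str, subject: Level, obj: Level) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(op: str, subject: Level, obj: Level) -> bool:
    """Biba (integrity): no read down, no write up, the mirror image of BLP."""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


@dataclass(frozen=True)
class Label:
    confidentiality: Level
    integrity: Level


@dataclass
class ReferenceMonitor:
    """Mediates every access; both models must agree unless the subject is a trusted agent.
    Every decision is appended to an audit trail (constructed format) so policy can be checked."""
    audit: list[str] = field(default_factory=list)

    def decide(self, op: str, who: str, subject: Label, what: str, obj: Label,
               trusted: bool = False) -> bool:
        if trusted:
            ok = True   # trusted agent: permitted to violate the model for a specific task
        else:
            ok = (blp_allows(op, subject.confidentiality, obj.confidentiality)
                  and biba_allows(op, subject.integrity, obj.integrity))
        self.audit.append(f"{'ALLOW' if ok else 'DENY '} {who} {op} {what}"
                          f"{' (trusted)' if trusted else ''}")
        return ok


def single_label_rw(subject: Level, obj: Level) -> bool:
    """When one label is used for both models, a subject may read AND write an object
    only at its own level: BLP and Biba together squeeze the lattice to equality."""
    return all(blp_allows(op, subject, obj) and biba_allows(op, subject, obj)
               for op in ("read", "write"))


if __name__ == "__main__":
    rm = ReferenceMonitor()
    analyst = Label(Level.SECRET, Level.CONFIDENTIAL)
    report = Label(Level.CONFIDENTIAL, Level.SECRET)   # lower conf, higher integrity
    rm.decide("read", "analyst", analyst, "report", report)       # allowed by both models
    rm.decide("write", "analyst", analyst, "report", report)      # BLP: write down, denied
    rm.decide("write", "backup agent", analyst, "report", report, trusted=True)
    print("\n".join(rm.audit))
    print("same-level only:", [single_label_rw(Level.SECRET, lv) for lv in Level])
```

Separate confidentiality and integrity labels are what let a subject read something that is less secret but more trustworthy than itself; collapse both models onto one label and the only access that survives is read/write at exactly the subject's own level, which is the "same level within both security models" case in the post.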