April 6th, 2004, 02:50 AM
#30
Since you are AGAIN taking things off course, I'm just going to reply to the stuff that is actually on topic to the thread.
Originally posted here by catch
[...]
Again, I didn't tell the user what to do, I clarified the hype about firewalls not being the cure all security fix in every situation.
Yes, you did give your opinion.
It is important to only add counter measures in response to threats that justify them, in this instance, I don't see that being the case.
And how are they supposed to ever get educated if everyone constantly pitches thoughtless solutions at them.
Who is pitching the thoughtless solution? You are saying the OP's data isn't valuable enough to warrant protection. The OP asked a question, and IMHO you answered it in a rather high-and-mighty ignorant fashion.
If by that you mean, my home system, my family members' (including grandmother's) home systems, all of my friends' home systems, the system incorporated at a large number of corporations and non-profit agencies around the world... then yes... if you mean all that, then I confess, I have just been trying to derail this conversation with those exotic, useless, non-real world systems.
Detail how you secure the home systems for someone utterly unrelated to you to whom you have no guarantee of control over? System administration policies only go as far as the control of the body which sets them.
This is absolutely true. Adding to the complexity of ANY system without altering its security functionality (and even then if this functionality falls outside of the reference monitor) makes the system less secure. It is a mathematical fact.
Explain how an app. firewall DOESN'T alter the security of the system.
Well I'm glad to see this thread isn't getting overly personal.
but the truth of the matter is that computer security at any level is broken down into the following:
1. Risk (add up assets, calculate threats, predict exposure, calculate total expected loss, research counter-measures, compare their cost to their reduction in loss, take the cheaper choice)
2. Policy (implement counter-measures and determine how to utilize the counter-measures on what, classify and label your assets/objects and your users)
3. Accountability (ensure that subjects are identified to the system and audit the system to ensure the policy is being maintained)
4. Assurance (track relevant changes in risk and repeat the process as needed)
In a home system all of these steps apply just the same as they would for a missile launch control center. The only difference is how comprehensive and formalized they are. All of us do these things all the time on our systems and never even think twice about it.
All I did in this situation was inform the poster of a more efficient counter-measure, I didn't alter his policy.
If you reread the last sentence of your first post, it sure makes it sound like you are trying to alter his policy.
IS security is a spectrum, always about finding the most efficient solutions. If you could run KSOS and still use your computer the same, and the cost of operation was actually reduced, would you run it?
Of course. The example is however irrelevant since the situation is not such, and it is an extreme whose sole purpose appears to be to distract from the facts.
Or would you just assume that it was used for things of high security so it isn't appropriate for this situation?
The commercial security world takes advantage of users' ignorance, they use lots of fancy keywords and bells and whistles, they are confined by the fact that they need to sell products that the user has some basic conceptual understanding of.
While I agree in essence with that, the issue is not one of either the fault of the commercial industry, nor the lack of willing user educators. It is a lack of users who are willing to be educated. It would be best if high schools started impressing upon kids how to secure their boxes so that a coming generation understands the basic principles so many of us wish users understood. Such is not the case unfortunately.
Users don't need to understand how the technology works, they just need to know how to be productive within it, but they want to know... this means that the majority of commercial products have to be dumbed down to the level of someone that knows nothing about IS security. The Military and their standards which have filtered into many COTS systems are not saddled with the same problem. They are simply the best.
I'm not arguing that, as I said before, this is more about the USER. Going against conventional wisdom simply because conventional wisdom doesn't apply to your particular field of work doesn't mean you are right. There is a reason conventional wisdom exists, and why so many refer users to these sorts of applications. The vast majority of such users -- as you accurately point out -- don't have any interest in HOW something works, but rather the easiest way to work with that something, be it an Office suite, an email client, etc.
"See, that's the thing, he ISN'T right on any level, considering the data given, and the situation being asked about, Catch is dead wrong"
I am sure you can see why I misunderstood what that was stated as a reply to "Catch has his points and he is right on a "higher" theoretical level."
Yes, I still agree with that statement, with the situation and data given, I think you are wrong.
If you are interested, it would be fun... if for nothing else I'd be curious to see the feedback on it. It'll need to happen sometime this week/weekend though. I have a system in mind, Windows 2000 no less, let me know if you are interested and I'll tell you the setup I'm willing to offer.
Just this weekend? Damn, I do have a life, as much as I may not seem to. But sure, PM me the details, or just PM me and I will give you my email address. I would like to give it a shot. I just want to be clear, I'm all for hardening a system, and I know it can be an effective defense. As I see it, for your average home user, that is asking a lot of a crowd of individuals who are by and large relatively new to life with a computer, let alone on the internet.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?