Educause Security Discussion mailing list archives
Re: Administration of PCD DSS Program
From: Harry Hoffman <hhoffman () IP-SOLUTIONS NET>
Date: Wed, 13 Mar 2013 09:46:03 -0400
I don't understand what you are trying to say with these URLs. Is it that somehow these hacks happened as a result of open discussions? Or are you just saying that hacking is possible? Or something else entirely?

Cheers,
Harry

On 03/13/2013 09:17 AM, Mitcham, Zachery S. wrote:

http://tech.mit.edu/V132/N62/hack.html

Zachery S. Mitcham, MSA | Information Technology Security Officer | Information Technology Systems (ITS) | 910 962 3047 | mitchamz () uncw edu | http://www.uncw.edu/itsd/about/ITS.html | UNC Wilmington | 601 South College Road | Wilmington, NC 28403-5616
"Security is Everyone's Business"
AskTAC for self-service solutions and immediate assistance! (https://asktac.uncw.edu/)
NOTICE: Emails sent and received in the course of university business are subject to the North Carolina Public Records Act (N.C.G.S. §132-1 et seq.) and may be released to the public unless an exception applies.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeffrey Schiller
Sent: Wednesday, March 13, 2013 9:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Administration of PCD DSS Program

Actually there are two different schools of thought here. They address different issues.

1. Your security should not depend on obscurity.
2. Defense in depth, you shouldn't give the adversary any advantage.

They are not necessarily in conflict.

[1] is primarily targeted at developers. As developers your code's security shouldn't depend on the source remaining secret. Because quite frankly, the bad guys will get a copy and if you hide "secrets" in your code, your code probably isn't that secure in the first place. So when developing systems, [1] should be your guide.

[2] is more often associated with operational practices. Here the attack surface isn't always technical, it is human oriented. I.e., the attacks here are social engineering related. Letting the attacker know the chain of command only makes it that much easier to launch a social engineering attack.

Ideally the principles of [1] *should* apply here, but thousands of years of human experience demonstrates that it doesn't always work.

So in summary you should do [1] when developing code (and procedures) but do [2] when it comes to operational concerns.

-Jeff

On Wed, Mar 13, 2013 at 8:51 AM, Mitcham, Zachery S. <mitchamz () uncw edu> wrote:

I can tell by your coy comment that you are a novice. Intel can be gathered from the things that you discuss that you feel are crumbs and insignificant records of public knowledge. If you are telling someone that you are using the Symantec enterprise suite for A/V eradication they could develop their APT around this intel in such a way as to prevent your infected systems from getting to the host site that could save them.

My 2 cents.

Zachery S. Mitcham, MSA

On Mar 13, 2013, at 8:13, "Daniel Wozniak" <dan () orvant com> wrote:

If your systems can be circumvented from information discussed on a public list you have bigger problems to worry about. If your systems are really secure, you should have no problems discussing the measures you took to secure them openly and in the public. Public discussion of good security practices is the best way to promote good security (assuming there is such a thing).

Just my 2 cents.

~Daniel

--
Daniel Wozniak
Orvant, Inc.
Email/XMPP : dan () orvant com
Phone : +01 480 553 8939 ext 103

On 3/13/13 4:25 AM, Mitcham, Zachery S. wrote:

I didn't know that everything posted on this listserv is made public on the Internet. It's like we're giving our enemy all of the information that they need to circumvent the systems that are discussed here. Not a good idea.

Zachery S. Mitcham, MSA

--
_______________________________________________________________________
Jeffrey I. Schiller
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue Room E17-110A
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis () mit edu
http://jis.qyv.name
_______________________________________________________________________