Full Disclosure mailing list archives

Re: Response to comments on Security and Obscurity


From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Wed, 01 Sep 2004 17:06:45 -0400

James Tucker wrote:

This is not dissimilar from the discussion that, for example:
Walk into the headquarters of a major business firm, you take the
elevator up to the top floor as you don't have a keycard to get you in
a lower level. It's lunchtime and the secretary at reception has left
her desk. You are free to walk around the corner to the CEO's office
(there are no physical barriers, as these would not "look nice" and
would "impose upon business impressions"). The CEO is a dear chap who
forgets to lock his workstation when he goes to lunch. Where did all
that hard effort of virtual security go? This is not an uncommon
scenario. The stronger audits in the world fail you for this kind of
possibility; again count yourself lucky in this regard.


You're right with this scenario, of course, but I don't think that they meant that there was no room for physical protection in information security.

I think they meant that you can't make a physical comparison to an information security structure. One can't actually, as an example, compare a firewall to a constantly burning facade. Take a military base, for example. One can, if so inclined, use the military base as an example of a well-secured area. You've got gates, gun emplacements, armed guards, many locked doors, cameras at the gates, razor wire, etc. Military gates are presumably well secured, right? Well, you can try to make an analogy between this and a well-secured network. The problem is that the analogies don't align. A firewall isn't really like a gate with an armed guard at it. Your soldiers can't be turned into unwitting zombies by IE exploits. An IDS isn't really like a camera. System passwords aren't actually like locked doors.

The analogy can loosely be used to illustrate a point, but anything beyond very loose interpretation is virtually worthless because of its inaccuracy.

            -Barry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
