Fw: [ISN] Commentary: The Threat Of Microsofts .Net

Jason Jason.Gruber at btinternet.com
Wed Oct 31 03:56:59 EST 2001


----- Original Message -----
From: "InfoSec News" <isn at c4i.org>
To: <isn at attrition.org>
Sent: Tuesday, October 30, 2001 9:32 AM
Subject: Re: [ISN] Commentary: The Threat Of Microsofts .Net


> Forwarded from: John Ellingson <JohnE37179 at aol.com>
>
> In a message dated 10/26/01 5:06:08 AM, isn at c4i.org writes:
>
> << Suppose somebody breaks in. Everyone's personal and financial
> information would suddenly be in the hands of the intruders. Or
> worse--they could be scattered about in a series of resulting
> malfunctions. The extent of the financial, social, and political
> disaster that could result is hard to imagine. >>
>
> The real risk isn't someone breaking in. While the focus of this group
> is on security and most of us work in the digital world, the greatest
> risk is still some form of social engineering. Approximately 80% of all
> losses/unauthorized access occurs from inside the firewall. It comes
> from people who have previously had access, but it was never turned
> off, or someone who is bribed, or has a grudge, or is otherwise
> motivated. Those of us in the security business have a duty to look at
> system security as a whole. That does not mean just device to device,
> it means including all users and it crucially means an assumption that
> not everyone will follow the rules.
>
> If I could offer a classic example: We all know that identity fraud is
> growing by leaps and bounds. It is doing so because we enable it. We
> enable identity fraud through some of the very schemes and technology
> we use to provide security. Identity fraud is enabled through the use
> of PKI, encryption, digital certificates, over-reliance on credit
> reports and the dangerously false assumption that one identity must be
> attached to one person and that person matches the identity.
>
> We continually design point solutions, each one a link in the security
> chain. We defer to some integrator or our customers to assemble the
> chain. But as we all know, no one provides a complete chain or even a
> design for the complete chain. Security that is either just a bunch of
> unconnected links (weak or strong), or a linked chain that is one link
> short of a connection, is no security at all.
>
> We live in a world that has digitized the paradigm of business that
> existed in the 50s. In the fifties businesses knew their customers and
> would recognize them on the street. Today most businesses wouldn't
> recognize their customers face to face. Yet, we have not changed our
> underlying basic assumptions.
>
> We cannot build a truly secure environment out of patches to an
> obsolete paradigm.
>
>
> John Ellingson
> CEO
> Edentification, Inc.
>
> -
> ISN is currently hosted by Attrition.org
>
> To unsubscribe email majordomo at attrition.org with 'unsubscribe isn' in the BODY
> of the mail.




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com