[Cryptography] best practices considered bad term
Kent Borg
kentborg at borg.org
Thu Feb 5 08:55:47 EST 2015
> On 02/02/2015 07:05 PM, Arnold Reinhold wrote:
>> But what is the alternative to best practice recommendations for
>> cybersecurity? Telling every business to hire a consultant?
One piece of advice I would offer to, say, Anthem Health Insurance: It
is not possible to secure your current system. Period.
You need to assemble a new system with security in mind; the starting
assumption has to be that everything by default is excluded unless it is
necessary, and can be securely included. Possibly you can include some
existing components that you can't fully trust, but you might have to
wall them off into a very restricted pen, with a lot of intrusion detection.
I am not opposed to all use of firewalls: To use a firewall and
intrusion detection-type monitoring to create a quarantine of some
untrusted component is very powerful. It is when people pretend that a
single firewall can create a safe zone for general purpose frolicking
with Skype and Internet Explorer and Outlook and Acrobat and any piece
of JavaScript anyone wants to put on any webpage anywhere--that is when
I shake my head and say they are doomed.
Big Organization keeps trying to secure millions of customer records
with the latest firewall, virus protection, and up-to-date service
packs, and they are always failing.
And the bring-your-own-devices trend that companies are using to save
money? Doomed. End-point security is possibly the hardest part of
securing a larger system, and putting it in the hands of your employees'
teenage kids isn't always the best way. (Though some of those kids will
be better than most IT departments.)
This is getting pretty far off the topic of cryptography, but maybe that
is the point. AES, good as it is, doesn't solve anything unless it is
part of a larger system that is coherent and well built. And we know a
lot more about why that is hard than we do about how to do it right.
-kb