[Cryptography] best practices considered bad term

Kent Borg kentborg at borg.org
Thu Feb 5 08:55:47 EST 2015


> On 02/02/2015 07:05 PM, Arnold Reinhold wrote:
>> But what is the alternative to best practice recommendations for
>> cybersecurity? Telling every business to hire a consultant?

One piece of advice I would offer to, say, Anthem Health Insurance: It 
is not possible to secure your current system. Period.

You need to assemble a new system with security in mind; the starting 
assumption has to be that everything by default is excluded unless it is 
necessary, and can be securely included. Possibly you can include some 
existing components that you can't fully trust, but you might have to 
wall them off into a very restricted pen, with a lot of intrusion detection.

I am not opposed to all use of firewalls: To use a firewall and 
intrusion detection-type monitoring to create a quarantine of some 
untrusted component is very powerful. It is when people pretend that a
single firewall can create a safe zone for general purpose frolicking
with Skype and Internet Explorer and Outlook and Acrobat and any piece
of JavaScript anyone wants to put on any webpage anywhere--that is when
I shake my head and say they are doomed.

Big Organization keeps trying to secure millions of customer records 
with the latest firewall, virus protection, and up-to-date service 
packs, and they are always failing.

And the bring-your-own-devices trend that companies are using to save 
money? Doomed. End-point security is possibly the hardest part of 
securing a larger system, and putting it in the hands of your employees' 
teenage kids isn't always the best way. (Though some of those kids will 
be better than most IT departments.)

This is getting pretty far off the topic of cryptography, but maybe that 
is the point. AES, good as it is, doesn't solve anything unless it is 
part of a larger system that is coherent and well built. And we know a 
lot more about why that is hard than we do about how to do it right.

-kb
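The "very restricted pen" Kent describes above is, in practice, a default-deny segment whose only permitted flows are enumerated and whose every refused flow is logged for the intrusion-detection side. The ruleset below is an added illustration, not part of the original post and not anything Kent or the list proposed; the interface names (pen0, lan0), the 10.42.0.0/24 quarantine subnet, the single approved peer 10.0.1.10:5432 and the admin host 10.0.1.5 are all hypothetical.

```nftables
#!/usr/sbin/nft -f
# Hypothetical quarantine for one untrusted legacy component.
# pen0 faces the quarantined subnet 10.42.0.0/24; lan0 faces the rest.
# Policy is drop on the forward path: nothing crosses unless a rule
# below names it, and every refusal is logged so the IDS/SIEM sees it.
flush ruleset

table inet quarantine {
    # The one internal service the legacy component is allowed to reach
    # (assumed address; adjust to the real dependency).
    set allowed_peers {
        type ipv4_addr
        elements = { 10.0.1.10 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows already accepted below are fine; junk is not.
        ct state established,related accept
        ct state invalid drop

        # Pen -> approved peer, one port only (assumed: a database on 5432).
        iifname "pen0" ip saddr 10.42.0.0/24 ip daddr @allowed_peers tcp dport 5432 accept

        # Approved admin host -> pen, SSH only.
        iifname "lan0" ip saddr 10.0.1.5 oifname "pen0" ip daddr 10.42.0.0/24 tcp dport 22 accept

        # Anything else touching the pen is logged (rate-limited so a noisy
        # host cannot flood the log) and then dropped by the chain policy.
        iifname "pen0" limit rate 10/second log prefix "QUARANTINE-EGRESS-DROP "
        oifname "pen0" limit rate 10/second log prefix "QUARANTINE-INGRESS-DROP "
    }
}
```

The point of the two log rules is that the pen is only useful if someone is watching it: the untrusted component trying to open a connection the ruleset never anticipated is exactly the event the "lot of intrusion detection" is meant to catch, so denials are routed to the monitoring pipeline rather than silently dropped.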
