[Cryptography] best practices considered bad term

Arnold Reinhold agr at me.com
Fri Feb 6 16:51:14 EST 2015


> On Feb 5, 2015, at 8:55 AM, Kent Borg <kentborg at borg.org> wrote:
> 
>>  On 02/02/2015 07:05 PM, Arnold Reinhold wrote:
>>> But what is the alternative to best practice recommendations for cybersecurity? Telling every business to hire a consultant?
> 
> One piece of advice I would offer to, say, Anthem Health Insurance: It is not possible to secure your current system. Period.
> 
> You need to assemble a new system with security in mind; the starting assumption has to be that everything by default is excluded unless it is necessary, and can be securely included. Possibly you can include some existing components that you can't fully trust, but you might have to wall them off into a very restricted pen, with a lot of intrusion detection.
> 
> I am not opposed to all use of firewalls: To use a firewall and intrusion detection-type monitoring to create a quarantine of some untrusted component is very powerful. It is when people pretend that a single firewall can create a safe zone for general purpose frolicking with Skype and Internet Explorer and Outlook and Acrobat and any piece of Javascript anyone wants to put on any webpage anywhere--that is when I shake my head and say they are doomed.
> 
> Big Organization keeps trying to secure millions of customer records with the latest firewall, virus protection, and up-to-date service packs, and they are always failing.
> 
> And the bring-your-own-devices trend that companies are using to save money? Doomed. End-point security is possibly the hardest part of securing a larger system, and putting it in the hands of your employees' teenage kids isn't always the best way. (Though some of those kids will be better than most IT departments.)
> 
> This is getting pretty far off the topic of cryptography, but maybe that is the point. AES, good as it is, doesn't solve anything unless it is part of a larger system that is coherent and well built. And we know a lot more about why that is hard than we do about how to do it right.
> 

Sounds like the start of a best practices guide. Yes, security is hard, and yes, we know more about why it’s hard than we do about how to do it right. But is that a reason not to collect what we do know in a form that implementers can avoid the grossest mistakes?

In the construction industry an early question when bidding a new project is how far down do we have to dig to find competent bedrock. Where is bedrock in computer security? How does one build the simplest system that we can be sure will not be compromised? There is no point to encryption if we don’t have a safe platform to encrypt on.

Arnold Reinhold


