[Cryptography] The Laws (was the principles) of secure information systems design

Ray Dillinger bear at sonic.net
Sat Jul 16 13:47:24 EDT 2016



On 07/12/2016 01:30 PM, Peter Fairbrother wrote:

> Law 11: Security is a Boolean
> 


About this:  I see the point of it, in that one kind of
security flaw can often be leveraged by attackers into
attacks on other systems.  So the point from a security
POV is to remind people to isolate systems that come
under attack both from each other and from the rest of
their intranet.  Internal firewalls are your friend.

But it does promote the kind of all-or-nothing thought
that leads to entirely unrealistic security measures
that will, in practice, fall by the wayside as soon as
you try to get real people to do them, and/or be too
expensive in time and money to implement; and, as
stated, it is besides false.

*Absolute* security is, if not completely impossible,
at least extremely difficult and expensive, and you
don't want to lead folk to believe that anything less
than absolute is useless.  Perfectly ordinary, relatively
inexpensive and simple security measures are _very_much_
worthwhile for most businesses - even large businesses.

A more appropriate way to get the point across, in my
opinion, would be stating the real issue more directly.

Something like:

Law 11: Whatever is successfully attacked becomes
        a means of making further attacks.



				Bear


