Based on my recent blog entry on insecure endpoints "https is all I need, right?" (http://sec-soapbox.blogspot.com/2007/03/https-is-all-i-need-right.html)Joe of 2 Guys Named Joe (http://www.2gnj.com) wants to know how to determine if he is secure and if his information is already out there.
First my warning the Cocoa is very hot be careful that you do not burn your tongue. In other words there is no silver bullet in security. My second warning is that since I have covered some of this previously I will reference any previously written blogs entries rather than reproduce them.
Balancing Act
One of the points to understand is that security is a process not a goal. If it was a goal then when your village/town/city was established the police would show up and secure it. Then the police would leave and there would never be any crime. I don't think anyone would subscribe to that option.
On the other hand we can't have a police officer assigned to every person and building to provide 100% security and protection. But some institutions hire guards to protect valuable assets.
In computer security it is much the same. Too much security prevents people from getting anything done and will cause people to circumvent it (the sticky note on the monitor for the assigned password). There must be a balance between security and ease of use. Additionally there must be a balance between value of an asset and cost to protect the asset.
See Risk Options (http://sec-soapbox.blogspot.com/2007/03/risk-options.html) for additional details.
The Basic Goal
The best you can do is make sure you are not the easiest target. In short unless there is a reason to target you the dark side will tend to go after the "low hanging fruit." If a burglar is walking down the street looking for a house to burglarize they will tend to avoid the ones with a alarm in favor of one that doesn't.
See Predators and their Prey (http://sec-soapbox.blogspot.com/2007/01/predators-and-their-prey.html) for an old security joke and more details.
Passwords
Everyone hates passwords, but at the moment they are the a fact of life. Everyone has to have passwords, and too many people use simple easy to break passwords.
I subscribe to the use a very long complex password to protect your password data base. See Anatomy of a Password (http://sec-soapbox.blogspot.com/2007/01/anatomy-of-password.html) for more information on complex usable passwords.
I personally use Password Safe (http://passwordsafe.sourceforge.net/), but it is not the only option. See Password Tools (http://sec-soapbox.blogspot.com/2007/01/password-tools.html) for more information.
More to come
This is a complex topic and I will flesh it out with additional blog entries.
No comments:
Post a Comment