lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue Aug  9 18:27:53 2005
From: charles.heselton at gmail.com (Charles Heselton)
Subject: perfect security architecture (network)

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Seeing as how this thread is RAPIDLY going OT (and is probably
already OT for the list), in the interest of brevity....

You're playing on semantics.  One can play the semantics game
forever. 

What you're suggesting doesn't really hold water.  You or I
might not use a bank vault to store $50 bucks, but a homeless person
might kill for it.  Or I might use a bank vault if I'm going to put
in $50
Bucks continually.  Money is money, data is data, and
more often than not, data is money.  

I'm not familiar with the OSSTMM, but I tend to follow the
philosophies 
and guidance in the Network Security Credo: 
http://staff.washington.edu/gray/papers/credo.html .

I like one of the quotes in the prologue:

"It's naive to assume that just installing a firewall is going to
protect you from all potential security threats. That assumption
creates a false sense of security, and having a false sense of
security is worse than having no security at all."  
Kevin Mitnick
eWeek 28 Sep 00  

Case in point, I don't have an enterprise network at my home that
stores top secret proprietary or government data, but I still have an
anti-virus solution, firewall(s), IDSs, and a few other tricks in my
bag that help me to ensure my network is secure.  Overkill?  Not in
my house.  ;-)

- --
- - Charlie, CBSFR
 
5A27 58D2 C791 8769 D4A4  F316 7BF8 D1F6 4829 EDCF
 
 
 

> -----Original Message-----
> From: Chuck Fullerton [mailto:cfullerton@...lertoninfosec.com] 
> Sent: Monday, August 08, 2005 7:51 PM
> To: charles.heselton@...il.com; cobradead@...il.com; 
> full-disclosure@...ts.grok.org.uk
> Subject: RE: [Full-disclosure] perfect security architecture
> (network)  
> 
>  >There IS NO *perfect* security.
> >If you have a customer that is asking for "perfect 
> security", tell them it
> can't be done.
> 
> I beg to differ.  If you have a customer that's asking for 
> Perfect Security
> then read the OSSTMM. (Better yet, send them to my company.)  ;-)
> 
> If you don't believe me then check out my whitepaper, "How to Make
> the 'Perfect' PB&J".  It can be downloaded at
> http://www.infosecwriters.com/texts.php?op=display&id=236
> 
> People that are asking for Perfect Security are those that 
> want the level of
> security they need for their environment.  Your not going to 
> use a Bank
> Vault to secure only $50.00.  It's overkill and their ROI 
> won't match up.
> 
> So the next time a customer asks you for "Perfect Security"  They
> are telling you that they don't want to be oversold.
> 
> Sincerely,
> 
> Chuck Fullerton
> 
> 
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf 
> Of Charles
> Heselton
> Sent: Monday, August 08, 2005 9:36 PM
> To: cobradead@...il.com; full-disclosure@...ts.grok.org.uk
> Subject: RE: [Full-disclosure] perfect security architecture
> (network)  
> 
>  
> *** PGP SIGNATURE VERIFICATION ***
> *** Status:   Bad Signature
> *** Alert:    Signature did not verify. Message has been altered.
> *** Signer:   Charles Heselton <charles.heselton@...il.com> 
> (0x4829EDCF)
> *** Signed:   8/8/2005 6:36:24 PM
> *** Verified: 8/8/2005 10:00:46 PM
> *** BEGIN PGP VERIFIED MESSAGE ***
> 
> Although Daniel's comments may be tongue-in-cheek, there is 
> some truth.
> Here are a few ideas that have become more or less mantras for me,
> personally....
> 
> There IS NO *perfect* security.
> 
> Defense in depth.
> 
> The larger your network is, the less effective your perimeter
> becomes.  
> 
> The end user is always the weakest link.
> 
> There may be a few more that people feel I have left out.  
> Basically, if
> you're asking what I think you're asking, you have to be able 
> to cater the
> level of security you're providing to the needs of your customer.
> Anti-virus/spyware software, firewalls, IDS/IPSs, "Security Minded"
> routing......all of these thing have a part in an ideally 
> secure situation.
> The point is to identify the most critical assets and 
> possible vectors of
> attack.  Then you design a security architecture that 1) 
> addresses those
> vectors, and 2) has multiple layers that should one 
> preventative method
> fail, another will detect/prevent (defense in depth).  There 
> will always be
> someone out there who is able to figure out a hole, with 
> enough knowledge,
> experience, persistence, and luck.
> 
> If you have a customer that is asking for "perfect security", 
> tell them it
> can't be done.  If you're asking a philosophical question, well
> secure application development can make a security professional's 
> life a little
> easier, but it's not going to solve the fundamental problem.  
> But, just like
> the rest of the security tools (firewalls, etc.), more secure 
> applications
> and programming techniques only play a part.
> 
> HTH.
> 
> --
> - Charlie
>  
> 5A27 58D2 C791 8769 D4A4  F316 7BF8 D1F6 4829 EDCF
>  
>  
>  
> 
> > -----Original Message-----
> > From: full-disclosure-bounces@...ts.grok.org.uk
> > [mailto:full-disclosure-bounces@...ts.grok.org.uk] On 
> Behalf Of Daniel 
> > H. Renner
> > Sent: Monday, August 08, 2005 9:08 AM
> > To: full-disclosure@...ts.grok.org.uk
> > Subject: Re: [Full-disclosure] perfect security architecture
> > (network)
> > 
> > Good Lord C0br4,
> > 
> > Did your new client give you a shopping list or what?
> > 
> > Use the force C0br4!  The force (of the right forum) will 
> protect you!
> > 
> > --
> > Dan Renner
> > Los Angeles Computerhelp
> > http://losangelescomputerhelp.com
> > 
> > 
> > On Mon, 2005-08-08 at 12:00 +0100,
> > full-disclosure-request@...ts.grok.org.uk wrote:
> > > Date: Mon, 8 Aug 2005 11:04:34 +0530
> > > From: C0BR4 <cobradead@...il.com>
> > > Subject: [Full-disclosure] perfect security architecture
> > > (network) To: websecurity@...appsec.org
> > > Message-ID: <457462ba0508072234bc6216c@...l.gmail.com>
> > > Content-Type: text/plain; charset=ISO-8859-1
> > > 
> > > Hey guys,
> > > 
> > > Have couple of questions need answers plz...........
> > > 
> > > There are three attacks that jeopardize Information security. 
> > > 
> > >                                 ------------------------------
> > > - secure Network      -
> > > ------------------------------
> > > - secure Host           -
> > > ------------------------------
> > > - secure Application  -
> > > -------------------------------
> > > 
> > > How can we optimize security? Stopping attacks at network
> > or building
> > > secure applications..
> > > 
> > > How should we deal with these attacks? People talk about 
> Firewall, 
> > > IDS/IPS etc..
> > > 
> > > What's best?
> > > 
> > > If asked to give a perfect security architecture (network)
> > what would
> > > you suggest?  Given
> > > a Firewall, Router, IDS, IPS and Anti-virus .
> > > 
> > > thank you
> > > C0br4
> > 
> > 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> 
> 
> *** END PGP VERIFIED MESSAGE ***
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQvjn+3v40fZIKe3PEQKUCQCcCtQG0JyJqQx74EPu148IKqbIWPgAoNFs
XPD83k+j5MjOOvHCmvZX6Lrz
=apmM
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists