Message-ID: <3F0B5422.4952.129863EB@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Right-wing computer virus

"Jason Bethune" <jbethune@...n.kentville.ns.ca> wrote:
> As a newbie....to the list....I am just curious...do viruses not propose a
> security risk? I am not taking sides just asking a question so I can get
> proper information.

Viruses, Trojans, and most other forms of what is nowadays more loosely
known as "malware" primarily pose an integrity risk, and availability,
access and integrity are generally the three foundation stones of
"computer security".

Arguably, in a modestly well-designed computer system, integrity
concerns reduce to "the HR problem" (i.e. how do you select, as
employees, sufficiently honest and reliable folk). Unfortunately, most
computer systems in operation today (and virtually all such "on the
Internet") assume (quite incorrectly) that, at most, suitably defining
discretionary access controls also resolves the integrity problem. In
fact, these issues are orthogonal, or at least nowhere near as close to
parallel as that practice suggests. As most systems are implemented
with very little (in fact, usually _no_) system-administrative control
over the code that runs on them, the integrity "problem" is, in fact,
entirely ignored. (Further, the general ignorance of this and push
toward the "convenience" of allowing the _user_ to decide what "new"
code can or should be run drives a lot of ongoing code integrity
management problems, including the problems posed by viruses and
related malware...)

So, the short answer to your question is "Yes, viruses are a security
issue". The longer, and much more accurate, answer is that "as modern
computer security practice and training tends to ignore the actual
basis of and type of threat posed by viruses, viruses are not really
addressed as a 'security problem' although they will usually be
labelled as such". (Or, "avoid the marketing hype".)

This may not seem like it helps much -- if not, try to make sense of
Fred Cohen's early work as I am only repeating part of what he first
said close to twenty years ago. If you do get a handle on Cohen's work
you will understand what I am saying and be conceptually ahead of 95%+
of the "experts" out there (who will continue to not understand this).

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
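
The point above that discretionary access controls and integrity are orthogonal, as an added example that is not part of the original message: a small Python model in which every ACL entry is respected, yet code one user chooses to run ends up altering files across the system. The users, files, ACL and the `approved` set (standing in for system-administrative control over what may run) are constructed assumptions.

```python
# Constructed model, not from the original message: every user, file and ACL
# entry below is made up for illustration.

# Discretionary ACL: file -> users allowed to write it.
WRITERS = {
    "alice/report": {"alice"},
    "shared/tool": {"alice", "bob"},
    "bob/build": {"bob"},
    "shared/viewer": {"bob", "carol"},
    "carol/ledger": {"carol"},
}
# Programs each user runs in the course of normal work.
RUNS = {
    "alice": {"alice/download", "alice/report", "shared/tool"},
    "bob": {"shared/tool", "bob/build"},
    "carol": {"shared/viewer", "carol/ledger"},
}

def altered_files(untrusted, approved=None):
    """Return the files whose integrity is lost once `untrusted` is present.

    approved=None : each user decides what runs (DAC is the only control).
    approved=set  : an administrator fixes what may run and each program is
                    checked against a known-good copy before execution.
    """
    altered = {untrusted}
    changed = True
    while changed:
        changed = False
        for user, programs in RUNS.items():
            if approved is None:
                bad = programs & altered  # users run whatever is there
            else:
                # Assumption: altered copies fail the known-good check, so
                # only the untrusted program itself can run, if approved.
                bad = programs & approved & {untrusted}
            if not bad:
                continue
            # The code runs with the user's own rights, so the ACL permits
            # every write that follows.
            for path, writers in WRITERS.items():
                if user in writers and path not in altered:
                    altered.add(path)
                    changed = True
    return altered

if __name__ == "__main__":
    print(sorted(altered_files("alice/download")))
    print(sorted(altered_files("alice/download", approved=set(WRITERS))))
```

With DAC alone, carol's ledger is altered although alice never had write access to it; with the administrator deciding what runs, the outcome depends only on what was approved.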