
Re: NYT Article and Physical Security



Mez replied to my posting:

> > The nugget of truth in all this is that typical sites place the trust
> > boundary at the walls of their building and implicitly trust all
> > employees. Look at the statistics on fraud caused by "inside jobs" to
> > judge the long-term wisdom of this.
> 
> There's just no easy answer when people are involved. Auditing has a
> long tradition of being part of the solution (as in computer logging
> of actions taken or refused). And that's not something we've talked
> much about in WWW circles yet.

Actually, the point is that you can only limit risk by limiting
exposure.  If everyone in a 5000-person corporate office is on the
same network, the exposure is worse than if you limit the degree of
sharing and access between more critical and less critical segments.

A question I see for Web security is that of how we can provide
Internet Web service safely even to workstations on the most critical
LANs in an organization. Not easy.

> Government and financial institutions
> adopt two-person control authorization policies to double the number
> of people that need to be subverted (or make it more difficult for one
> person to figure out how to circumvent the control). 

In a sense, firewalls serve as a "two man control" facility in some
organizations. Important defensive measures are applied at the
workstation and maintained by its operator, and the firewall double
checks traffic to reinforce and log these access controls.

> The government also puts a lot of money into vetting employees above
> unclassified. It's not the kind of investment most companies want to
> make. ...

One of our VPs said: "I had an easier time passing my EBI (a very
high clearance procedure) than I had with the background check for my
appointment as corporate VP." They make the investment, but not so
often.

But keep in mind the differences between data protection in the
commercial world and the classified government world.  The legal and
economic dynamics are completely different. If you "catch them
red-handed" disclosing classified information, it's usually too late to
prevent the damage. In the commercial world, objectives are generally
tied to financial conditions, and losses can often be traded off
against the costs of security countermeasures, or even of finding and
suing the attacker. This is much harder to do in military or
intelligence situations, where you're sometimes balancing lives
against security costs.

> And, the truth of the matter is, trusting people less tends to
> make them less trustworthy. 

Trustworthiness means a lot more than personal integrity.  It also
means you have the training to do something right.  It's unfair to
"trust" someone to use a device correctly when they have neither tools
nor training to do so. "Safe computing" in today's Internet
environment is not something that happens automatically when you pull
the software out of the box.

This is where it gets back to WWW security. Are we trying to make WWW
safe for everyone right out of the box?

Rick.
smith@sctc.com        secure computing corporation

