[PLUG] Are "standard security procedures" an oxymoron?

Keith Lofstrom keithl at gate.kl-ic.com
Tue Nov 20 11:58:41 PST 2012


A friend taught me that con men exploit smart people more easily
than dumb people, because there are fewer ways to be smart than
dumb, making smart people (and their blind spots) more predictable.

I am helping a friend set up security procedures for a business
in a highly regulated industry, with acres of forms and checklists
and standards that are supposed to result in secure systems. 
Many look like brainfarts from academics working from unproven
hypotheses, who haven't collected the histories of real exploits,
much less fought an exploit themselves.  

Standarized security systems probably have standardized holes,
suitable for automated exploitation.  Instead, should we
construct vivid and instructive stories, and count on the
creativity of end users to develop and elaborate a varied
(and difficult to exploit) set of solutions? 

Or do semi-informed people tend to make the same predictable
mistakes more often than standard security procedures result
in widespread identical holes?

Build a kludge, or buy a black box?

Keith

-- 
Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993



More information about the PLUG mailing list