[PLUG] Are "standard security procedures" an oxymoron?
rich at richburroughs.com
Tue Nov 20 12:09:11 PST 2012
If the industry is highly regulated, you may not have a ton of choice
in the matter. You may have audit requirements that need to be met
whether you like it or not for things like PCI or HIPAA.
I think defense in depth is a very important concept. A lot of people
do rely on the same products and solutions, that's true. Hopefully
your security design doesn't put you in a position where one
standardized hole leaves you too vulnerable.
On Tue, Nov 20, 2012 at 11:58 AM, Keith Lofstrom <keithl at gate.kl-ic.com> wrote:
> A friend taught me that con men exploit smart people more easily
> than dumb people, because there are fewer ways to be smart than
> dumb, making smart people (and their blind spots) more predictable.
> I am helping a friend set up security procedures for a business
> in a highly regulated industry, with acres of forms and checklists
> and standards that are supposed to result in secure systems.
> Many look like brainfarts from academics working from unproven
> hypotheses, who haven't collected the histories of real exploits,
> much less fought an exploit themselves.
> Standarized security systems probably have standardized holes,
> suitable for automated exploitation. Instead, should we
> construct vivid and instructive stories, and count on the
> creativity of end users to develop and elaborate a varied
> (and difficult to exploit) set of solutions?
> Or do semi-informed people tend to make the same predictable
> mistakes more often than standard security procedures result
> in widespread identical holes?
> Build a kludge, or buy a black box?
> Keith Lofstrom keithl at keithl.com Voice (503)-520-1993
> PLUG mailing list
> PLUG at lists.pdxlinux.org
More information about the PLUG