[PLUG] Are "standard security procedures" an oxymoron?

John Meissen john at meissen.org
Tue Nov 20 14:34:29 PST 2012


There are many different kinds of security, but I'll assume you're referring 
to computers and related systems.

A lot of people are spending a lot of time and effort on that. Some interesting 
reading:

http://dsd.gov.au/infosec/top35mitigationstrategies.htm
http://www.cpni.gov.uk/advice/cyber/Critical-controls/

> A friend taught me that con men exploit smart people more easily
> than dumb people, because there are fewer ways to be smart than
> dumb, making smart people (and their blind spots) more predictable.
> 
> I am helping a friend set up security procedures for a business
> in a highly regulated industry, with acres of forms and checklists
> and standards that are supposed to result in secure systems. 
> Many look like brainfarts from academics working from unproven
> hypotheses, who haven't collected the histories of real exploits,
> much less fought an exploit themselves.  
> 
> Standarized security systems probably have standardized holes,
> suitable for automated exploitation.  Instead, should we
> construct vivid and instructive stories, and count on the
> creativity of end users to develop and elaborate a varied
> (and difficult to exploit) set of solutions? 
> 
> Or do semi-informed people tend to make the same predictable
> mistakes more often than standard security procedures result
> in widespread identical holes?
> 
> Build a kludge, or buy a black box?
> 
> Keith
> 
> -- 
> Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug





More information about the PLUG mailing list