RE: Security vs. Simplicity

["Jason Hurst" <Jason.Hurst () PandaRG com>]

I am going to agree with Dan, the most secure systems are generally the most simple.

The basic problem here is one of perception, perhaps amongst the OP's staff, who seem to be at odds with each other.

Security engineers should WANT things simple, as that means there is, as Dan said, less attack surface.

The perception is that WORK = COMPLEXITY amongst many functional engineers.

However, this is not true, since Windows is a multi-purpose OS, it takes work to make Windows a more simple 
implementation.
 
Jason Hurst
Sr. Network Security Administrator
Panda Restaurant Group
jason.hurst () pandarg com
Please consider the environment before printing this email

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of dan.crowley () gmail com
Sent: Friday, May 22, 2009 6:49 AM
To: security-basics () securityfocus com
Subject: Re: Security vs. Simplicity

I'd like to challenge your original assumption that security and simplicity are inversely related (ie: more of one 
means less of the other)



I have a concrete block. It is my computer. It is very simply designed. I dare you to find a vulnerability in my 
computer. (A silly example, perhaps, but it makes my point)



In fact, with complexity ALWAYS comes more security problems. Take social networking sites as an example. You'd think 
that sites as large as MySpace with dedicated IT folks working on it might have some pretty good security, but its 
track record has really sucked. Why? Because there's SO MUCH ATTACK SURFACE.



In addition to complexity providing more places to launch attacks (attack surface) you also will likely have less of an 
ability to perceive possible flaws in a more complex system, leaving it up to a future attacker to do so. ;)



Given that complexity makes security harder, focus on the simplicity first, as it will make life easier for everyone, 
especially your security engineer.



I'd also like to add that adding security as "an extra layer" sounds like bad security to me if that's the only place 
security is going. Security is a property, not a box on an inventory checklist. Upon performing pen tests in the past, 
nearly all of what I see is "M&M security". One hard, difficult to break outside layer, and soft, sweet innards.



Good luck in building your infrastructure!



--

Dan Crowley

"One machine can do the work of fifty ordinary men. No machine can do the work of an extraordinary man."

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain 
a laser like insight into what is covered on the exam, with zero fluff! 

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain 
a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------