Dailydave mailing list archives

Re: Going against the Gradient


From: Jared DeMott <demottja () msu edu>
Date: Mon, 28 Jan 2008 09:32:48 -0500


Every time I hear the argument that some level of security, even lame
security, is better than NO security, I think about my Zappa
paraphrasing. In my opinion, lame security is WORSE than no security,
simply because most of the people involved (think CxO/pointy-haired boss
types) live with a sense that they are being protected, when in fact
they are not. The ones with no protection are not living a lie -- they
are at least AWARE they really have no security.

I understand your frustration with current sales consultants
continuously pushing the latest garbage down companies' throats.  Yet,
every time I hear a statement like this ... it just sounds silly to me. 
The 0day to the desktop that circumvents all known security measures is
a real threat.  I think all decent security folks know this.  However,
what you're really talking about is the "gold nugget scenario".  My big
corp/Agency has one secret block of info, and if it ever gets
compromised we're totally hosed.  That's a real scenario, for certain
high profile targets, and that is why the air-gap is still in use. 
However, consider the medium-sized school network, in which all they
really want to do is keep stuff working.  Yah, they don't want to lose
student records, or have students change grades, etc, etc.  But with
proper filtering, AV, ghosting often in labs, VPNs, VLANS, etc, they're
able to keep the networks clean and functioning well enough for students
and faculty to do their daily jobs.  So, in my opinion, while current
security processes are far from perfect, a good and continuous effort is
always better than no effort.

Jared




_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

