Slashdot Mirror


Bruce Schneier on What He Knows Best

Over at CSO Magazine there's a wonderful interview with Bruce Schneier, where he talks about cryptography and security. He has several good points, such as the physical security industry versus the IT security camp, and how true security really boils down to people problems. There's some good commentary on post-9/11 airport security regulations as well.

9 of 110 comments

  1. CSO Magazine by cnb · · Score: 2, Funny

    That sounded too much like SCO Magazine :)

  2. Paranoia rules by Alien54 · · Score: 4, Interesting
    and then there is this article in the Straits Times about the latest thing in spyware on steroids.

    I can see all of the glazed eyeballs out there as you tell folks that they need to learn about firewalls and computer security, etc. Some folks just don't want to be bothered.

    Random thought - with the decline of things like boot disk viruses, etc., the best security most folks can understand is that they are safe so long as they are not on the internet.

    --
    "It is a greater offense to steal men's labor, than their clothes"
  3. Cringely's view on security -- log analysis is key by GringoGoiano · · Score: 5, Interesting

    Cringely put out an article (Changing the Game: How to Save the World by Taking Back Control of Our Data) a week or so back emphasizing security through recording all activity in any given IT infrastructure. Cryptographic techniques may be great, but social engineering, cracked buffer overflows, and short-sighted or stupid actions can always leave some crucial data exposed.

    Rather than throwing your hands up when you've found you've left data exposed, or you've discovered some insider has been poking around documents they shouldn't be looking at, you should be able to track down all access to all information at all layers of your infrastructure. You hopefully can uncover traces of specific incidents, find any other similar unnoticed events that are now part of history, and find the culprits.

    So logging and log analysis are key to securing any site. You need to log:

    • web servers
    • DB access
    • app server use
    • custom applications
    • machine login sessions
    • network events
    • key card access to buildings
    • maybe even disk I/O info
    • ... and many others ...

    ... and you need to do it in a way where you can correlate information from all these disparate sources to uncover patterns of abuse. Cringely mentions that Addamark (he calls them the next "Oracle") is the first company with a viable solution for storing and analyzing the massive logs involved. I've looked at their site, does anybody know anything about this product? Sounds very useful.
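The hard part of the list above is the last sentence: getting records from systems that share neither a log format nor a clock onto one timeline, then asking a question none of them can answer alone. Here is an added example of mine, not code from the post, from Cringely's column or from Addamark. Everything in it is constructed: the three log formats, the actors alice and bob, the "salaries" table, the badge reader, the 2-minute window, and the assumption that all three clocks are already in UTC. The rule it demonstrates is one a real deployment would want among many: a read of a sensitive table by an account whose owner the badge system says is not in the building, with that account's web requests from the same window attached so the analyst sees the whole chain.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Event is the common shape every source is normalised to so records share one timeline.
type Event struct {
	At                            time.Time
	Source, Actor, Action, Object string // Source is "web", "db" or "badge"
}

// Constructed sample logs, not from any real system. All three clocks are assumed UTC.
const webLog = `2003-10-06T22:41:07Z 10.1.4.22 alice GET /reports/payroll.csv 200
2003-10-06T22:41:19Z 10.1.4.22 alice GET /reports/payroll.csv 200`
const dbLog = `2003-10-06 22:40:58 user=alice stmt=SELECT table=salaries rows=412
2003-10-06 09:15:40 user=bob stmt=SELECT table=orders rows=3
2003-10-06 22:42:10 user=alice stmt=SELECT table=salaries rows=412`
const badgeLog = `06/10/2003 08:55 IN bob door=lobby
06/10/2003 17:30 OUT bob door=lobby
06/10/2003 08:50 IN alice door=lobby
06/10/2003 18:02 OUT alice door=lobby`

// One parser per source: regexp, timestamp layout, and the capture groups holding actor, action, object.
var sources = []struct {
	name, raw, layout     string
	re                    *regexp.Regexp
	actor, action, object int
}{
	{"web", webLog, time.RFC3339, regexp.MustCompile(`^(\S+) \S+ (\S+) (\S+) (\S+) \d+$`), 2, 3, 4},
	{"db", dbLog, "2006-01-02 15:04:05", regexp.MustCompile(`^(\S+ \S+) user=(\S+) stmt=(\S+) table=(\S+) rows=\d+$`), 2, 3, 4},
	{"badge", badgeLog, "02/01/2006 15:04", regexp.MustCompile(`^(\S+ \S+) (IN|OUT) (\S+) door=(\S+)$`), 3, 2, 4},
}

// parseAll turns the raw logs into one time-ordered slice of Events; an unparsed line is an error, not a skip.
func parseAll() ([]Event, error) {
	var evs []Event
	for _, s := range sources {
		for _, line := range strings.Split(s.raw, "\n") {
			m := s.re.FindStringSubmatch(line)
			if m == nil {
				return nil, fmt.Errorf("%s: unparsed line %q", s.name, line)
			}
			t, err := time.Parse(s.layout, m[1])
			if err != nil {
				return nil, err
			}
			evs = append(evs, Event{At: t, Source: s.name, Actor: m[s.actor], Action: m[s.action], Object: m[s.object]})
		}
	}
	sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
	return evs, nil
}

// badgeState is the actor's latest badge action at or before t: "IN", "OUT", or "UNKNOWN" if never seen.
func badgeState(evs []Event, actor string, t time.Time) string {
	state, last := "UNKNOWN", time.Time{}
	for _, e := range evs {
		if e.Source == "badge" && e.Actor == actor && !e.At.After(t) && !e.At.Before(last) {
			state, last = e.Action, e.At
		}
	}
	return state
}

type Finding struct {
	Actor, Reason string
	At            time.Time
	Related       []Event // web requests by the same actor within the window
}

// correlate flags sensitive-table reads by someone the badge system says is not in the building.
func correlate(evs []Event, sensitive map[string]bool, window time.Duration) []Finding {
	var out []Finding
	for _, e := range evs {
		if e.Source != "db" || !sensitive[e.Object] {
			continue
		}
		state := badgeState(evs, e.Actor, e.At)
		if state == "IN" {
			continue
		}
		f := Finding{Actor: e.Actor, At: e.At, Reason: fmt.Sprintf("read of %s while badge state is %s", e.Object, state)}
		for _, w := range evs {
			if d := w.At.Sub(e.At); w.Source == "web" && w.Actor == e.Actor && -window <= d && d <= window {
				f.Related = append(f.Related, w)
			}
		}
		out = append(out, f)
	}
	return out
}

func main() {
	evs, err := parseAll()
	if err != nil {
		panic(err)
	}
	for _, f := range correlate(evs, map[string]bool{"salaries": true}, 2*time.Minute) {
		fmt.Printf("%s %s: %s, %d web requests in window\n", f.At.Format(time.RFC3339), f.Actor, f.Reason, len(f.Related))
	}
}
```

Run as written it reports alice's two salaries reads at 22:40 and 22:42, each with her two payroll.csv downloads attached, and stays silent about bob's daytime orders query. The two things that make or break this in practice are the ones hidden in the assumptions: every source must be normalised to a common clock before comparison, and the rule has to treat "never badged in" and "badged out" the same way, since a stolen password is used from wherever the thief sits.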

  4. Audio Interview by Rabid+Penguin · · Score: 4, Informative

    He also gave an interview on Minnesota Public Radio covering similar topics on September 29. Follow the link for a RealMedia archive.

  5. An example by jjohnson · · Score: 5, Interesting

    I make a weekly trip to put our tape backups into a safety deposit box at a nearby bank. For $35/year, we get bank-level security and convenient off-site storage.

    For the two years I've been doing this, I've had a small, running battle with the president of the branch, who wants to enforce a rule that all use of safety deposit boxes must be done in the booths provided for privacy; presumably, he wants to avoid any appearance of, or liability for, the bank employee knowing what's in my safety deposit box. However, switching the tapes in the box can be done in 5 seconds right there, whereas taking a booth makes it a 2 minute affair. The tellers all know me, so they let me do it right there, except for the couple weeks after a stern policy memo has been issued.

    The reason I don't sacrifice another 1 minute, 55 seconds, is because I don't care that the tellers know--they'd figure something out with my weekly trips anyway. But the real crux is that, putting the tape backups into a safety deposit box makes it one of the strongest links in the security chain. The server room door is always locked, the servers logged off, etc. The weakest link now is that a competitor would offer one of my employees $20,000 to sneak the tape backups out one night. In comparison, the cost of breaking into a safety deposit box, removing the tapes, and returning them after copying, all undetectably, would be in the hundreds of thousands of dollars, if it could be done at all. They can't bribe a teller because the bank has only one of two keys for my box--when I've forgotten my key, I'm SOL.

    This is what Schneier means by system security. Insisting on me using a booth is like upgrading your encryption when users are writing their passwords on stickies attached to their monitors.

    --
    Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
    1. Re:An example by fm6 · · Score: 2, Insightful
      Insisting on me using a booth is like upgrading your encryption when users are writing their passwords on stickies attached to their monitors.
      Or like most banks' online transactions, which are encrypted with the maximum key length supported by non-export browsers, but make no attempt to make their users use high-entropy passwords to access that encrypted data. My own bank just uses my ATM PIN, which only has 10,000 possible values!

      Most security measures serve to make people feel more secure, not make them safer. As witness the Maginot Line and the NRA.

      Though it does occur to me that a bank might have non-security reasons for insisting that safe-deposit boxes be accessed privately. Many boxes contain contraband, "dirty" money, and other stuff the bank works very hard at not knowing about. If they get in legal hot water, they can point at their see-no-evil policies as evidence of their non-complicity.

  6. Re:Cringely's view on security -- log analysis is by blibbleblobble · · Score: 2, Funny

    "You need to log:... disk I/O"

    Isn't that recursive?

    I just want to put on file that I put on file that I put on file that I put on file that I put on file that I put on file that I saw somebody read a file on disk. Damn, now I need to report myself.

  7. Re:Cringely's view on security -- log analysis is by Agent+Green · · Score: 3, Interesting

    And the best quote on the article regarding those kinds of databases:

    "Definitely. Terrorism is rare, while crime is common. Security systems that require massive databases in order to function--TIA, CAPPS 2--will make crime easier. They'll make identity theft easier. They'll make illegal government surveillance easier. They'll make it more likely that rogue employees of the governments and corporations that maintain the systems will use the data for their own purposes. In the United States, there isn't a government database that hasn't been misused by the very people entrusted with keeping its information safe. IRS employees have perused the tax records of celebrities and friends. State employees have sold driving records to private investigators. This kind of thing happens all the time."

    --
    // Agent Green (Ian / IU7 / KB1JQO)
    // IEEE 802.3: All 10base Are Belong To Us
  8. Ummm by Neon_Mango · · Score: 2, Insightful

    Ok so lots of valuable company data is moved from your facility to a bank by an employee on a weekly basis? I think the weakest link in the chain is you. I'm just saying what's to stop someone from taking the tapes from you in transit? Sure the bank has good security (cameras, security guards, a vault), and your company most likely has good security too but when you're in transit couldn't someone stop you and take the tapes from you (by force if needed)? Just out of curiosity are there any backup software packages (like something made by Veritas or Computer Associates) that will not only compress data before backup but also encrypt it?
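Whatever any particular product of the day offered, the property the question is really after is that a tape grabbed in transit, or copied by a bribed insider, is worthless without a key that never travels with it. The following is an added example of mine, not code from Veritas, Computer Associates or any backup product, showing that property with AES-256-GCM from Go's standard library. The backup set and the tape label are constructed; the key handling (key kept at the office, with an escrow copy somewhere the tapes are not) is the assumption that makes the scheme work. Compression happens before encryption because ciphertext does not compress, and the tape label goes in as associated data so it is checked, not just printed on the sticker.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a random 256-bit key. This is the one thing that must never
// travel with the tape: keep it, and an escrow copy, apart from the media.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBackup compresses, then encrypts. The order matters: AES-GCM output is
// indistinguishable from random bytes and will not compress afterwards.
// label (tape id, date) is authenticated but left readable, so a swapped or
// relabelled tape fails to open. Output layout: nonce || ciphertext || tag.
func sealBackup(key, label, plain []byte) ([]byte, error) {
	var zbuf bytes.Buffer
	zw := gzip.NewWriter(&zbuf)
	if _, err := zw.Write(plain); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per tape
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, zbuf.Bytes(), label), nil
}

// openBackup checks the tag before returning a single byte, so a tape altered
// in transit is rejected outright instead of being restored with corruption.
func openBackup(key, label, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed backup too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	z, err := gcm.Open(nil, nonce, ct, label)
	if err != nil {
		return nil, fmt.Errorf("backup rejected: %w", err)
	}
	zr, err := gzip.NewReader(bytes.NewReader(z))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	plain := bytes.Repeat([]byte("customer,balance\n"), 200) // constructed stand-in for a night's backup
	label := []byte("tape-07 2003-10-06")
	sealed, err := sealBackup(key, label, plain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d bytes in, %d bytes on tape, plaintext visible: %v\n",
		len(plain), len(sealed), bytes.Contains(sealed, []byte("customer")))
	sealed[len(sealed)/2] ^= 1 // simulate a tape altered in transit
	_, err = openBackup(key, label, sealed)
	fmt.Println("after tampering:", err)
}
```

Two caveats belong next to this. Encrypting the tape moves the risk onto the key: lose it and every tape in the vault is scrap, so the escrow copy is not optional. And it only hardens the link the poster is worried about, the tapes in someone's pocket; the $20,000 bribe in the parent comment could just as well buy a copy of the live data from the server room, which no backup product fixes.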