Slashdot Mirror
Bruce Schneier on What He Knows Best
Over at CSO Magazine there's a wonderful interview with Bruce Schneier, where he talks about cryptography and security. He has several good points, such as the physical security industry versus the IT security camp, and how true security really boils down to people problems. There's some good commentary on post-9/11 airport security regulations as well.
I can see all of the glazed eyeballs out there as you tell folks that they need to learn about firewalls and computer security, etc. Some folks just don't want to be bothered.
Randon thought - with the decline of things like boot disk viruses, etc, best security most folks can understand is that they are safe so long as they are not on the internet.
"It is a greater offense to steal men's labor, than their clothes"
Cringely put out an article (Changing the Game: How to Save the World by Taking Back Control of Our Data) a week or so back emphasizing security through recording all activity in any given IT infrastructure. Cryptographic techniques may be great, but social engineering, cracked buffer overflows, and short-sighted or stupid actions can always leave some crucial data exposed.
Rather than throwing your hands up when you've found you've left data exposed, or you've discovered some insider has been poking around documents they shouldn't be looking at, you should be able to track down all access to all information at all layers of your infrastructure. You hopefully can uncover traces of specific incidents, find any other similar unnoticed events that are now part of history, and find the culprits.
So logging and log analysis are key to securing any site. You need to log:
... and you need to do it in a way where you can correlate information from all these disparate sources to uncover patterns of abuse. Cringely mentions that Addamark (he calls them the next "Oracle") is the first company with a viable solution for storing and analyzing the massive logs involved. I've looked at their site, does anybody know anything about this product? Sounds very useful.
He also gave an interview on Minnesota Public Radio covering similar topics on September 29. Follow the link for a RealMedia archive.
I make a weekly trip to put our tape backups into a safety deposit box at a nearby bank. For $35/year, we get bank-level security and convenient off-site storage.
For the two years I've been doing this, I've had a small, running battle with the president of the branch, who wants to enforce a rule that all use of safety deposit boxes must be done in the booths provided for privacy; presumably, he wants to avoid any appearance of, or liability for, the bank employee knowing what's in my safety deposit box. However, switching the tapes in the box can be done in 5 seconds right there, whereas taking a booth makes it a 2 minute affair. The tellers all know me, so they let me do it right there, except for the couple weeks after a stern policy memo has been issued.
The reason I don't sacrifice another 1 minute, 55 seconds, is because I don't care that the tellers know--they'd figure something out with my weekly trips anyway. But the real crux is that, putting the tape backups into a safety deposit box makes it one of the strongest links in the security chain. The server room door is always locked, the servers logged off, etc. The weakest link now is that a competitor would offer one of my employees $20,000 to sneak the tape backups out one night. In comparison, the cost of breaking into a safety deposit box, removing the tapes, and returning them after copying, all undetectably, would be in the hundreds of thousands of dollars, if it could be done at all. They can't bribe a teller because the bank has only one of two keys for my box--when I've forgotten my key, I'm SOL.
This is what Schneier means by system security. Insisting on me using a booth is like upgrading your encryption when users are writing their passwords on stickies attached to their monitors.
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.