, 2004-09-15
Academic institutions that have to add, manage, and secure thousands of new users within a period of just a few days face political and social issues on top of the immense technical ones.
Academia Headaches
2004-09-16
Anonymous (3 replies)
another vote for open-sourcing the perl code
2004-09-17
Anonymous (1 replies)
another vote for open-sourcing the perl code
2004-09-18
Anonymous (1 replies)

As you may or may not have realized--network admins and CISSPs don't have time to give these lectures. If I could get a 1 on 1 with the admin (and I did...once) I'd be interested. These lectures end up being given by tier three tech support, IT professors, and other incompetents in practice. Are there good ones...sure...but I stand by my assertion that the majority I've ever met...are misguided idiots. These are the same people that have shown me how to "verify the authenticity of internet resources" by looking to "see if the page looks professional" or "email the author and try for a response". I guess that's okay, but it seems that using ARIN and public records to verify it's a legitimate business is out of the question. These are the people that listened to me describe portsentry (and its risks) and demanded the installation of it on their Linux workstations--only to be shocked and angry when it quite promptly cut them off from the chatter-hungry Windows network, mistaking all noisy SMB stuff as attacks.
I'm sure they're fine at whatever their actual job is--but they have no business speaking on security--where they are at best...initially incompetent.
Regarding your assertion that one cannot "solve all security related problems with the help of technical solutions only", it's quite simply...not true. You cannot *rely* upon technology to solve your problems--but if you understand it you can use it as a tool to solve them. My system never had tools deployed that I didn't understand, and thus was under my control at all times--or at least as much as it could be without me taking the time to study the underlying structure of the kernel and window manager. I'd call the set of risks my system was exposed to...thoroughly mitigated.
Obviously a campus network cannot do the same...but...the point is not to solve the issues with technology, but to effectively leverage it. Most admins won't. And "solving security problems" through mandatory student education--will most assuredly not solve the problems. At least not where I came from--the people who would be doing the lecturing would do more harm than good.
But seriously--next time you honestly believe that you can't solve your problems through technology (and maybe there's a case)...ask yourself:
1) Is my system too complicated?
2) Am I practicing segregation of unrelated components?
3) Have I let my system grow to handle tasks beyond which it was originally intended?
In the 'real' or corporate world, sure, these problems exist. But that doesn't make them...something to be accepted. Loss of security begins with compromise of best practices for ease of use or efficiency. That's the only problem I can think of that technology is incapable of addressing.
Link to this comment: http://www.securityfocus.com/comments/columns/267/28558#28558