2005-04-26
Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid?
Security for the Paranoid
2005-04-26
Anonymous (5 replies)
Anonymous (1 replies)
Jeroen Kemperman (2 replies)

Sharing passwords with my wife - I don't share them but she has a method to gain access to my most sensitive passwords in an emergency. Locking out everyone is not prudent. It's by no means an issue of trust, it's a matter of practice and policy.
Three Firewalls - 1. Hardware firewall on cable modem, 2. Better hardware firewall because cable modem firewall sucks, and 3. Personal firewall on each PC. Actually, it's four firewalls because the locked down VMware box has a firewall too.
Five passwords for email - 1. BIOS password on my laptop, 2. Syskey password to boot Windows (for EFS), 3. Windows login, 4. Encrypted drive password, and 5. e-mail client password. Part of the reason for all this is because my e-mail is on the laptop I also travel with.
Cost/Benefit Ratio - Although I spend a significant amount of time on security, I don't necessarily recommend my clients take the same extreme measures. The cost/benefit ratio of me going to medical school to take care of my family is not justifiable, but to a medical doctor the cost/benefit ratio obviously makes sense. I am a security professional so the cost/benefit model for me is much different than for others. U.S. Secret Service agents are extreme with security so the U.S. President doesn't have to be.
Maybe good for work but not for home - I work at home.
Very long passwords - I will address this in a future column (and in a book later this year) but for now let me say that I can type them just as fast as anyone else with few errors and I always remember them the first day I choose them. They are hardly the burden that most people imagine.
"isn't describing his security setup on a public forum a security lapse" - Is it a security lapse or is it an elaborate paranoid attempt at misinformation? Or maybe I'm just so confident that I can tell everyone this and still know I'm secure.
"you are at 42% where the line is at 50%" - So you're saying I still have 8% of my sanity I can still blow on security? Great!
Same day hotfixes - This one was a little unfair because I am on the Microsoft program to beta test hotfixes, so I already know they work in my environment. I also write several reports and an article about hotfixes the day they come out so I know them pretty well by then. I do recommend testing hotfixes before you install them.
Link to this comment: http://www.securityfocus.com/comments/columns/320/31617#31617