Great Circle Associates Firewalls
(December 1997)
 


Subject: RE: Firewalls-Digest V6 #574
From: Martin Hepworth <martin . hepworth @ blackwell . co . uk>
Date: Mon, 15 Dec 1997 14:36:15 -0000
To: "'firewalls @ greatcircle . com'" <firewalls @ greatcircle . com>

Hi
Well this whole thing of 'security awareness' rears its ugly head again.
I almost feel like it's beating my head against a brick wall in a lot of
SMEs (if not large corporates) with this. I've done lots of security
training in the past and the most common excuse I've come across for not
changing passwords is ----- the user can't cope with changing their
passwords at different times on 50 different systems. Oh, I wish for the day
when someone would develop a decent X.509/smartcard system to do strong
single sign on.

(commercial)Oh wait .. one exists..my former employer
Dynasoft/Security-Dynamics with the BoKS Suite of apps.....:-)
(/commercial) 

But then if the primary controls aren't implemented...security
policy/change management then you're still up the creek....


Martin Hepworth
Blackwells Information Services
tel +44 1865 792792 x 3233

WYDSIWGY - 1st rule of computer security
What You don't See Is What Gets you

> -----Original Message-----
> From:	Steve Kruse [SMTP:jsk347 @ sprynet . com]
> Sent:	Friday, December 12, 1997 1:50 PM
> To:	Martin Hepworth
> Subject:	Re: Firewalls-Digest V6 #574
> 
> At 10:34 AM 12/11/97 -0500, Stacy Millions wrote:
> >"Warren Moore"<warren . moore @ cbis . com> said:
> > 
> >> Paul McNabb reputedly said:
> >> 
> >> <snip>
> >> >
> >> >>  From: "Craig I. Hagan" <hagan @ cih . com>
> w...maybe by 2021 the desktops will have caught up.
> 
>    More SNIPPED to save bandwidth
> 
> >I think you are overly optimistic :-( The big problem with the stability of
> >most of these "new technologies" has more to do with cultural issues than
> >technical issues. I would imagine that the "poor old dinosaur mainframes"
> >would have a stability problem too, if the users of the systems were able
> >to download the latest "cool app" from the net and install it.
> >
> >Most organizations that I have seen are not willing to spend the amount of
> >money needed to support a computer on everyone's desk. And why should they?
> >After all these are commodity items, like a toaster, you just have to plug
> >it in and go. Right? Why do you need all the overhead of change management,
> >QA, etc. for a PC?
> >
> >I wish M$soft the best of luck with their zero administration initiative,
> >I'm just not holding my breath for it to happen.
> >
> >-stacy
> >
> 
> Stacy raises an important point here that I haven't seen discussed much.
> The value of "change control" and "authorized applications on the desktop"
> can not be stressed enough in a security sense.  Allowing users (or at
> least not stating a policy against) the unauthorized loading, downloading
> and/or execution of company unapproved software from within the secured
> environment is very important.  As a security officer, you spend bucks to
> install firewalls, maintain access control lists, force people to change
> their passwords, you audit the environment, and then let them bring in a
> virus, trojan horse or some other nasty.
> 
> Firewalls, ACLs, passwords and the like can only do their job if they
> aren't undermined by users and/or a lack of policy. Stacy is correct in
> that MVS is not something that the user can load stuff onto 'cuz it looks
> geewhiz kewl; and the Mainframe has been properly maintained by Systems
> Programmers who are trained (gasp!!! not....T-R-A-I-N-I-N-G???!!!).
> Allowing users to control their environment space (in a computer sense)
> without proper training on how they can affect the whole company is
> counterproductive to any security implementation.
> 
> Steve Kruse
> Milkyway Networks 
> 
> Flames Ignored...comments always welcome. 
> ***********************************************
> * jsk347 @ sprynet . com (Personal E-Mail)    *
> * skruse @ milkyway . com (Company E-Mail)    *
> * http://www.milkyway.com                     *
> ***********************************************
