June 15, 2009

Doctor Johnston's Security Maxims

Let's start the week with some fun. I have read some of Doctor Johnston's (CPP, Argonne National Laboratory, U.S. Department of Energy) security maxims, and I'm pretty sure you will share some of these "feelings":

- Thanks for Nothin' Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong.

- Ignorance is Bliss Maxim: The confidence that people have in security is inversely proportional to how much they know about it. Comment: Security looks easy if you've never taken the time to think carefully about it.

- Show Me Maxim: No serious security vulnerability, including blatantly obvious ones, will be dealt with until there is overwhelming evidence and widespread recognition that adversaries have already catastrophically exploited it. In other words, "significant psychological (or literal) damage is required before any significant security changes will be made".

- Insider Risk Maxim: Most organizations will ignore or seriously underestimate the threat from insiders. Comment: Maybe from a combination of denial that we've hired bad people, and a (justifiable) fear of how hard it is to deal with the insider threat?

- We Have Met the Enemy and He is Us Maxim: The insider threat from careless or complacent employees and contractors exceeds the threat from malicious insiders (though the latter is not negligible). Comment: This is partially, though not totally, due to the fact that careless or complacent insiders often unintentionally help nefarious outsiders.

- Feynman's Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries. Comment: An entertaining example of this common phenomenon can be found in "Surely You are Joking, Mr. Feynman!", published by W.W. Norton, 1997. During the Manhattan Project, when physicist Richard Feynman pointed out physical security vulnerabilities, he was banned from the facility, rather than having the vulnerability dealt with (which would have been easy).

Read on NetworkWorld.com; more of this stuff here :)

We will be back soon, happy Monday ~~

2 comments:

eduardo abril said...

I love this one xD

"Thanks for Nothin' Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong."

It reminds me of an audit of a server that was done for us (by a very well-known and prestigious company, by the way) in which the findings were:

- you can get the uptime with a PING
- the server banner is shown and you can see that it is an IIS

The first one is laughable, apart from the fact that the uptime it returned was wrong, and the second, given that they were ASP pages and it "looked like Windows", well... No comment.

It is also true that it is hard for anyone to find anything on a site like this one. But there are places (small and medium-sized businesses) where it is almost certain something will turn up, and even more so in an internal audit, where the usual outcome is a real bloodbath.


GigA ~~ said...

hehe, that one is without a doubt the most realistic. I also really like the "Show Me Maxim", typical of the reactive rather than proactive attitude that tends to prevail...