Re: Security Paradox

To: <Valdis.Kletnieks at vt.edu>
Subject: Re: Security Paradox
From: Joe Baptista <baptista at dot-god.com>
Date: Tue, 15 Oct 2002 00:21:14 -0400 (EDT)
Cc: Benny Nasution <bnas3 at STUDENT.MONASH.EDU>, <ietf at ietf.org>
In-reply-to: <200210150330.g9F3Ucaa002170@turing-police.cc.vt.edu>
Sender: owner-ietf at ietf.org

On Mon, 14 Oct 2002 Valdis.Kletnieks at vt.edu wrote:

> On Tue, 15 Oct 2002 11:06:09 +1000, Benny Nasution <bnas3 at STUDENT.MONASH.EDU>  said:
> > Security always needs to be increased to reduce threats and risks, but
> > these threats and risks are the ultimate ısource of information about
> > the quality of its ability. Therefore the better the security is
> > developed the less information you will get about how to improve it.
>
> Proper auditing and instrumentation will tell you what's being *attempted*.
>
> Also, note that security is a *process*, and involves making trade-offs.
> For instance, my network has well over 30K hosts on it.  Even if I manage to
> make 99% of them totally hack-proof, I need to expect an average of 1 host
> to be hacked *every day*.  Yes, I could probably harden it so 99.9% were

You know something.  In an earlier message someone mentioned the title
"security expert".  I think considering what we know of security on the
internet that the term "security expert" is an oxymoron.  Security experts
are essentially crisis managers.  And every firm should have one.

regards
joe baptista

References:
- Re: Security Paradox
  - From: Valdis . Kletnieks

Prev by Date: Re: Security Paradox
Next by Date: Re: Security Paradox
Previous by thread: Re: Security Paradox
Next by thread: Re: Security Paradox
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: Security Paradox

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.