Re: Think layers of security is all that? Think again
said by OZO: ^^ This ^^
Humans are the most important part of security. Computers are made to obey them, in the end... Thus, education on how to run them safely is the key.
It is all about education, understanding the risks, and understanding how to mitigate those risks. Basic secure computing steps are at least 80%.
said by Snowy: Exactly. It all depends upon the level of concern or paranoia and the risks involved.
The thread title reminded me of this recent thread 'how to ensure PDF file viewing does not "call home"' where firewall rules were often mentioned as a cure/fix.
Firewall rules will often prevent a call home function but it's not guaranteed.
It's just a layer.
That thread is not a particularly good example, since it involved preventing a PDF reader from reporting usage statistics. The effort to ensure that detail gets sent, independent of reader and regardless of protective measures, is not worth the benefit of the data obtained. Basic firewall or sandbox methods are likely to be very effective in this case.
For those extremely paranoid or concerned, a dedicated PC that never has any network connectivity is a given. For those trusting in the technology, a simple VM may suffice, but for the truly untrusting a dedicated standalone physical PC would already be in order, and such a question would not even be asked.
The old adage that the most secure computer is one that can never be used continues to apply. If you treat every risk as the utmost highest priority you will (a) worry yourself to death and (b) spend a significant amount of time avoiding threats that don't realistically exist.
Using the referenced thread as an example: Even if I were still the most paranoid person such that I was overly concerned that a PDF I downloaded from the internet would "call home" to report every time I read it, that would not change the fact that my download of said PDF was already recorded and likely tracked. The time I would spend to copy that PDF to a portable device and then to a standalone PC would be potentially wasted effort.
Now, if this involved a confidential document/information, or any type of PII (Personally Identifiable Information), the risk would be higher and said measures may be appropriate. The OP in that thread did not make this distinction, so this is unknown.
Proper education on secure practices, understanding the risks involved, and taking appropriate action based on those risks is indeed the key. I know many people that refuse to do any commerce (even Amazon) or banking online, yet do not own a paper shredder and think nothing of throwing bills, statements, etc. in the garbage intact. I have not disposed of one sheet of paper that had a name, address, or any other PII without shredding in almost two decades, and have been regularly questioned about why. Education is truly the key.
One of the security layers to keep in mind is monitoring and auditing inside your networks.
My biggest concern is the users inside a network, not some hacker outside the network. The odds are much lower that someone outside of a network hacks into your data. The real danger is the insider threat, and yes, I mean the users themselves sitting behind the machine.
One of the things we can do is a "scare tactic": we have to let them know we're monitoring and keeping an eye on whatever they do on the network. Hopefully that will send a clear message.