
StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit

3 recommendations

reply to daveinpoway

Re: Think layers of security is all that? Think again

Well I think the problem with that article is that they missed/ignored the most important factor--the humans.

The assumption is that hardware/software, by itself, is sufficient to stop all exploits. It's not and never will be.

If users click on unsolicited links in email, visit unsafe sites, and so on, the chances are malware will get through. That's why "social engineering" techniques are used so often--they work because people do stuff even when they know they shouldn't.
--
Don't feed trolls--it only makes them grow!


slajoh01

join:2005-04-23

Well, here's my rule of thumb...

I think one should set up two PCs: one with sensitive data on it, which would NOT connect to the outside world except within a corporate network. In addition, I would not allow ANY kind of USB sticks or DVDs on that PC, and I would disable USBStore. And use full HDD encryption.

One PC, for general use.
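The two host-level controls in this post (USB mass storage disabled, full-disk encryption on) can be checked from an elevated PowerShell prompt. This is an added audit script, not something from the thread; the -Enforce switch is the script's own, and it assumes a Windows host with the BitLocker module available.

```powershell
# Added example: audit a "sensitive data" PC for the two controls above.
# Run elevated. -Enforce (a switch of this script, not of Windows) also
# disables USBSTOR when it is found enabled.
param([switch]$Enforce)

# USB mass-storage driver: Start=4 is SERVICE_DISABLED, 3 is the default.
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$start = (Get-ItemProperty -Path $usbstorKey -Name Start).Start
if ($start -eq 4) {
    Write-Output 'USBSTOR: disabled (Start=4)'
} else {
    Write-Output "USBSTOR: ENABLED (Start=$start)"
    if ($Enforce) {
        Set-ItemProperty -Path $usbstorKey -Name Start -Value 4
        Write-Output 'USBSTOR: Start set to 4; applies to devices attached from now on'
    }
}

# Full-disk encryption: report BitLocker state for every fixed volume.
# A volume counts as covered only when fully encrypted AND protection is on
# (ProtectionStatus 'Off' means the key protectors are suspended).
Get-BitLockerVolume | ForEach-Object {
    $ok = ($_.VolumeStatus -eq 'FullyEncrypted') -and ($_.ProtectionStatus -eq 'On')
    $state = if ($ok) { 'OK' } else { 'NOT COVERED' }
    "$($_.MountPoint) [$($_.VolumeType)] $state - $($_.VolumeStatus), " +
    "$($_.EncryptionPercentage)% encrypted, protection $($_.ProtectionStatus)"
}
```

Note that disabling USBSTOR only blocks storage-class devices; keyboards, network adapters and other USB classes still enumerate, so it is one layer, not a substitute for physical control of the machine.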



jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
Reviews:
·Cox HSI
·Speakeasy

said by slajoh01:

Well, here's my rule of thumb...

I think one should set up two PCs: one with sensitive data on it, which would NOT connect to the outside world except within a corporate network. In addition, I would not allow ANY kind of USB sticks or DVDs on that PC, and I would disable USBStore. And use full HDD encryption.

One PC, for general use.

Good idea, provided everyone has 2 PCs.
--
JKK

Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!

»www.pbase.com/jaykaykay



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

said by jaykaykay:

Good idea, provided everyone has 2 PCs.

I have three plus a tablet and a Windows Mobile device. Now I'm confused as to what to use.
--
Don't feed trolls--it only makes them grow!

OZO
Premium
join:2003-01-17
kudos:2
reply to StuartMW

said by StuartMW:

Well I think the problem with that article is that they missed/ignored the most important factor--the humans.

The assumption is that hardware/software, by itself, is sufficient to stop all exploits. It's not and never will be.

If users click on unsolicited links in email, visit unsafe sites, and so on, the chances are malware will get through. That's why "social engineering" techniques are used so often--they work because people do stuff even when they know they shouldn't.

I agree. Humans are the most important part of security. Computers are made to obey them, in the end... Thus, education on how to run them safely is the key.
--
Keep it simple, it'll become complex by itself...

graniterock

join:2003-03-14
London, ON
Reviews:
·WIND Mobile
·TekSavvy Cable

1 recommendation

reply to slajoh01

said by slajoh01:

Well, here's my rule of thumb...

I think one should set up two PCs: one with sensitive data on it, which would NOT connect to the outside world except within a corporate network. In addition, I would not allow ANY kind of USB sticks or DVDs on that PC, and I would disable USBStore. And use full HDD encryption.

One PC, for general use.

It would reduce risk, but even that wouldn't be foolproof. You'd have to apply those rules to all the computers on the network. It all boils down to the level of motivation and resources of those that want to get in. (Think of Stuxnet.)

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to OZO

said by OZO:

Humans are the most important part of security. Computers are made to obey them, in the end... Thus, education on how to run them safely is the key.

^^ This ^^
It is all about education, understanding the risks, and understanding how to mitigate those risks. Basic secure computing steps are at least 80%.
said by Snowy:

The thread title reminded me of this recent thread 'how to ensure PDF file viewing does not "call home"' where firewall rules were often mentioned as a cure/fix.

Firewall rules will often prevent a call home function but it's not guaranteed.
It's just a layer.

Exactly. It all depends upon the level of concern or paranoia and the risks involved.

That thread is not a particularly good example, since it involved preventing a PDF reader from reporting usage statistics. The effort to ensure that detail gets sent, independent of reader and regardless of protective measures, is not worth the benefit of the data obtained. Basic firewall or sandbox methods are likely to be very effective in this case.

For those extremely paranoid or concerned, a dedicated PC that never has any network connectivity is a given. For those trusting in the technology, a simple VM may suffice, but for the truly untrusting a dedicated standalone physical PC would already be in order, and such a question would not even be asked.

The old adage that the most secure computer is one that can never be used continues to apply. If you treat every risk as the utmost highest priority you will (a) worry yourself to death and (b) spend a significant amount of time avoiding threats that don't realistically exist.

Using the referenced thread as an example: Even if I were still the most paranoid person such that I was overly concerned that a PDF I downloaded from the internet would "call home" to report every time I read it, that would not change the fact that my download of said PDF was already recorded and likely tracked. The time I would spend to copy that PDF to a portable device and then to a standalone PC would be potentially wasted effort.

Now, if this involved confidential documents/information, or any type of PII (Personally Identifiable Information), the risk would be higher and said measures may be appropriate. The OP in that thread did not make this distinction, so this is unknown.

Proper education on secure practices, understanding the risks involved, and taking appropriate action based on those risks is indeed the key. I know many people who refuse to do any commerce (even Amazon) or banking online, yet do not own a paper shredder and think nothing of throwing bills, statements, etc. in the garbage intact. I have not disposed of one sheet of paper that had a name, address, or any other PII without shredding in almost two decades, and have been regularly questioned about why. Education is truly the key.

MaynardKrebs
Heave Steve, for the good of the country
Premium
join:2009-06-17
kudos:4

said by Shady Bimmer:

For those extremely paranoid or concerned, a dedicated PC that never has any network connectivity is a given.

You forgot the 'Tempest' room that the computer is located in.

slajoh01

join:2005-04-23

One of the security layers to keep in mind is monitoring and keeping audits inside your networks.

My most major concern is the users inside a network, and not some hacker outside the network. The odds are much lower that someone outside of a network hacks into your data. The real danger is the insider threats, and yes, I mean the users themselves sitting behind the machine.

One of the things we can do is a "scare tactic": we gotta let them know we're monitoring and keeping an eye on them, whatever they do on a network. Hopefully that will send a clear message.