> With this being the state of the art in protection, why bother with
> intercepts, cryptoanalysis etc?
Why try to protect your information if someone is eventually going to
discover it? Like so many things in life, the game of security is based
on the probability of a certain event occurring and what you can do to
reduce the probability of occurrance.
A student came up to me after a security course the other day, and asked a
simple question: How do you determine information security?
I told him something that sounded good at the time (sounds wordy now) -
The level of information security you can achieve is based primarily
on three factors:
1) How large your funding is.
2) Who you ticked off.
3) How large their funding is, and how motivated they are.
That's a funny thing to come out of the mouth of a security analyst, isn't
it? But it's absolutely true in my opinion. The best way to not have
people pickpocketing information from you is to keep a low profile and not
do things to make Folks With Deep Pockets(tm) mad at you. Now, I'm not
suggesting you go live out in a cave somewhere - Theodore Kaczynski
learned that information security through obscurity just doesn't work
after you annoy the good folks at the ATF and FBI.
It's been said before - there is no such thing as complete security nor
privacy, whether electronic or physical. Everything in security is
relative; most people in the public would define their level of
information security as how many locks on the front door, or how
well-tested the intrusion detection system is, or perhaps which vendor
developed their firewall software.
I flip that on it's head and say it is the opponent (intruder) who
determines your level of security, not any barriers you quickly throw up
in their path. If one untrained man is trying to get into your castle,
a closed door with one lock may suffice. If a herd of elephants with
Hannibal and his troops atop are charging your door - well, you should
find a good pair of jogging shoes and a large pot of coffee.
The situation today is that we have a lot of products and methods that
work well for one line of defense but not another. In the case of
computer security, you really need an adaptive solution that combines
various techniques during an attempted breech and raises the bar as the
attack intensifies. A single technique or technology is just
not going to cut it with a sophisticated intruder. If you choose a
single-track solution, be prepared to fight off a pack of lions with
a toothpick.
Dan
