-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Subject: Re: On the subject of security...
>>> No running executables from untrusted sources, turn off scripting in
>>> my browsers, view all email as plain text, no remembering/caching of
>>> passwords in browsers, using a unique password per web site and per
>>> other accounts, regular clearing of cookies, no linking of accounts
>>> between web sites, running current AV, no browsing with elevated
>>> accounts, laptops have full disk encryption, etc., etc., etc.
>>
>> Without an evaluation of risks, this would be a complete waste of time for
>> most people IMHO.
>
> Sure - if you don't browse the Internet, share USB sticks, etc., you probably
> don't need to do those things.

But I do browse the internet, and I do share USB sticks. Yet I don't do most of what you list above.

Everything is about /management/ of risk, not 99.99% avoidance of risk. Just as people don't live in impenetrable fortresses, and keep their money in Fort Knox, it's not actually necessary (or even desirable IMHO) to do some of the things you do to have an acceptable level of risk. The marginal benefit from each additional step you are taking vs. the cost to usability and time taken isn't worth it (again, IMHO).

>> I run as an admin on my personal machine. I don't bother reading all mail in
>> "plain text", and I don't full disk encrypt all my machines, and I don't clear
>> my cookies. I've got better things to do with my time, and if I focus on
>> protecting my identity and data instead, I'm probably just as likely as you
>> to be "safe".
>>
> So, care to share how you protect your identity and data without any
> technologies or processes?

Let's be clear - I'm not saying "I have no technology, and my strategy is to rely on magic".

I start by worrying about what my family needs/wants to be able to do, and then what apps and data we need to do it, and then work out what the threats/risks are. You can draw a parallel to business -> info -> technology architecture from TOGAF or a similar framework if you want.
Malware and hackers getting into my home network is probably about half-way down the list at the moment.

Additionally, instead of inconveniencing end users with restrictions on user experience, I want technology to work in the background to protect us (if possible). So, we use 802.1x for our wireless since we're all on an AD domain, and SOHO APs all support it now (there's a guest wireless network for visitors), and I use centralised malware scanning on the Exchange server. I'm researching some options for outsourcing the malware/junk scanning for incoming mail (it's a pity that Postini doesn't seem to be available anymore).

But things I worry about more are hardware failure, lightning strikes (had two of those in two different homes), being burgled, having a fire or something else similar that destroys things. The information I worry about protecting isn't just what's electronic/digital, but also paper records, passports, birth certificates and so on.

So, it's starting from a different starting point. It's not starting from "you should encrypt your disk, delete your cookies, run as a non-admin". It's starting from "what types of critical/important/throw-away data do I have in order to live/work/interact with friends", and then what are the risks to that data, and what can I do about it. And weigh all that against usability.

So, I'm not particularly worried about someone getting access to the password for the media centre PC's default user account. I'm more worried about that account somehow getting logged out, and whoever is using our media centre not being able to log back in again. I mitigate the risk of people knowing the password doing something bad by restricting what that account is allowed to do.
Likewise I want to be able to share things with my family overseas, bank online and do various other things - at the same time without impacting my user experience significantly, so I take other measures to help reduce risk: I get notifications for purchases on my CCs over a certain amount. Most of my banks require (or at least offer) 2FA for authentication now. Etc.

Cheers

Ken
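[Editor's note, added to this archived post and not part of Ken's message.] The media centre example above is a compact case of the trade-off the post argues for: the realistic risk to that account is availability (someone logs it out and nobody can get back in), while the password leaking matters little as long as the account is a plain user with nothing interesting to do. The PowerShell below is an added illustration of that configuration, not Ken's actual setup. It assumes an elevated prompt on Windows 10/11 or Server 2016+ (for the built-in LocalAccounts cmdlets), a hypothetical local account name `MediaCenter`, and that the person running it types the password in.

```powershell
# Added example (not from the original message). Creates a low-privilege local
# account for a shared media centre PC, keeps it out of Administrators, and
# turns on auto-logon so an accidental log-out heals itself at next boot.
# Run from an elevated PowerShell prompt. 'MediaCenter' is a hypothetical name.

$AccountName = 'MediaCenter'
$Password    = Read-Host -Prompt "Password for $AccountName" -AsSecureString

# 1. Create the account as a standard user. Deliberately not an admin: if the
#    password is known to family or guests, the blast radius is this account.
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $Password `
        -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires `
        -Description 'Shared media centre account (least privilege)'
}
Add-LocalGroupMember -Group 'Users' -Member $AccountName -ErrorAction SilentlyContinue

# 2. Make sure it is not in the Administrators group (e.g. if it was created
#    earlier by hand as an admin account). Member names come back as HOST\user.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -like "*\$AccountName" } |
    ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_ }

# 3. Auto-logon. This addresses the risk the account actually carries (nobody in
#    the lounge can get back in) at the cost of the password sitting in the
#    registry as a plain string. That is only acceptable because step 1 and 2
#    make the account worth very little to whoever reads it.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$plain    = [System.Net.NetworkCredential]::new('', $Password).Password
Set-ItemProperty -Path $winlogon -Name 'AutoAdminLogon'    -Value '1'                -Type String
Set-ItemProperty -Path $winlogon -Name 'DefaultDomainName' -Value $env:COMPUTERNAME  -Type String
Set-ItemProperty -Path $winlogon -Name 'DefaultUserName'   -Value $AccountName       -Type String
Set-ItemProperty -Path $winlogon -Name 'DefaultPassword'   -Value $plain             -Type String

# 4. Verify the property that matters: the account must not be an administrator.
$stillAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -like "*\$AccountName" })
if ($stillAdmin) { throw "$AccountName is still a member of Administrators" }
"$AccountName configured as a standard user with auto-logon enabled."
```

If the plaintext `DefaultPassword` value bothers you, the Sysinternals Autologon tool sets the same Winlogon keys but stores the password as an LSA secret instead; the privilege posture of the account is the same either way. On a domain-joined box with a domain account, `DefaultDomainName` should be the domain rather than the computer name.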