Yup.  It all depends on your level of paranoia,  how much you want to live
in fear, and how much you want to make daily operations a pain in the a$$
for the end user in the name of security. 

 

I worked at TriWest Healthcare.  They stole the disk drives.  At another
company in Scottsdale, they stole the servers.  At the Mayo, they bought some
PCs with that kind of clamshell design that was supposed to make it fast for
techs to work on.  We found several with their HD missing.  USB drives are
getting bigger, cheaper and smaller.  You can buy USB watches.  Unless
you're shutting down all USB devices, it's not hard to grab entire databases.
How long do you allow your PCs to sit idle before the password-protected
screen saver kicks in?

 

You want paranoia?  Try working in an environment where many of the
"employees" are wearing orange.

 

From: Don Ely [mailto:don....@gmail.com] 
Sent: Thursday, January 06, 2011 10:00 PM
To: NT System Admin Issues
Subject: Re: AD and firewall ports

 

Kurt, 

 

If someone wants your data, they WILL get it.  It's not a matter of IF, it's
a matter of WHEN.  People WANT the government's data; without an absolute
sneaker net, it is nearly IMPOSSIBLE to protect completely.  There will
always be a hole somewhere no matter how secure the environment is.

 

It's all a matter of risk and the cost to mitigate the risk. There are
fundamentally secure ways to accomplish what has been asked.  Is it a
perfect solution?  Maybe not, but it is doable.

 

You are a talented IT professional, but I think you may be living in the IT
fantasy land...

On Thu, Jan 6, 2011 at 8:41 PM, Kurt Buff <kurt.b...@gmail.com> wrote:

On Thu, Jan 6, 2011 at 18:11, Ken Schaefer <k...@adopenstatic.com> wrote:
> Hi,
>
> Then you should turn off all your computers, encase them in concrete, and
> launch them into outer space - and into the Sun. That is the best way of
> stopping anyone compromising one of your machines.

Got to love the straw man argument.


> Having a non-domain joined SQL Server in your DMZ is far less secure than
> that.

Than what? Launching it into the sun? You conveniently ignore that I
said "when you know there are better ways", and the


> Hint: go and read some books on security first. *All* security is risk
> mitigation.
> For example: that's why we still have passwords that are only "x"
> characters long,
> rather than "x + 1" (where x is any number less than infinity).

I have read security books, and keep up with Full Disclosure, FW
Wizards and several other lists, as well as monitoring isc.sans.org
<http://isc.sans.org/>.

And you exaggerate again. We have passwords that are 'x' characters
long (I tend to use 20+ character passphrases myself) because the
effort to crack them is, so far, infeasible, due to the lack of
rainbow tables of the size necessary to do so, and the lack of time to
brute force them before I change them. If firms (such as my own work,
I'll admit) are so foolish as to ignore this limit, then they will
likely suffer for it, and deserve to do so.


> Everything in security is about:
> a) analysing what risks you face,
> b) working out the likelihood of it eventuating
> c) working out the cost of the likelihood eventuating
> d) working out the cost of making the risk go away
> e) working out whether it's cost effective to implement (d) given
> (a)(b)(c)

It's at b) that the risk mitigation wizards fail. Spectacularly. IMHO,
"risk mitigation" is a mantra that has gone way too far, in the
relentless pursuit of cost and effort savings. The above
recommendation to turn a firewall into a safe passage for intruders is
a prime example.


> That is why a national government has a far more secure, cumbersome
> network
> than your average business. Because the risks are different.

Oh, yeah - that's worked out well, hasn't it? I believe you have that
problem by the wrong end of the stick. National government networks
are more cumbersome, and not more secure, in the main. That's because
they're, wait for it, run by bureaucrats. They danced the risk
mitigation dance, and we got WikiLeaks, infected thumb drives, virus
infestations on supposedly secure networks, and all manner of
silliness.


> That's why we don't all blithely implement the same way of doing things.
> Because doing
> things *costs* money (whether that be products, convenience, productivity
> etc)

And doing them intelligently costs less money than doing them stupidly.

Kurt


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
