
Came across the following

Discussion in 'Computer Security' started by Josiahb, Mar 16, 2010.

  1. Josiahb

    Josiahb Gigabyte Poster

    Via email, an interesting take on the subject of user education into security issues:

    http://blogs.techrepublic.com.com/security/?p=3275&tag=nl.e036

    What are people's thoughts/experiences on this topic?
     
    Certifications: A+, Network+, MCDST, ACA – Mac Integration 10.10
  2. BosonMichael

    BosonMichael Yottabyte Poster

    I can agree with his core idea that you can go overboard with security, and some of his points are valid. But I just shake my head and laugh at some of his arguments. For example, he says that users don't see any benefit to security, but they see the costs. True, but all he has to do is ask someone who has been negatively affected by malware or identity theft if they feel that some level of security is necessary. And it's not like those people aren't out there... just about everyone I know has been affected one way or another.

    He often makes the argument that users shouldn't take the time or bear the cost to implement or learn certain security procedures because it cannot be guaranteed that they will be protected. By his same logic...

    ...a car owner shouldn't change his oil because it's a constant, ongoing expense, with no visible, tangible benefit. If you don't change your oil, you're more likely to blow your engine. You won't DEFINITELY blow it... especially if you rarely drive and stay on low-speed back roads. But you're MORE likely to if you drive 30,000 miles between oil changes driving 80mph down the highway.

    ...a person shouldn't buy insurance because it's a constant, ongoing expense, with no visible, tangible benefit... at least, not until you're affected. If (or usually, when) you become affected, you'll wish you had it.

    Security is the same. Reasonable steps should be taken to secure a computer, and I *think* the author and I agree on that part. Sure, we could change our oil every 50 miles or take out a $10M insurance policy, but at what cost?? There's no reason to go that extreme. However, we shouldn't just say, "You know what? This is too complicated or expensive; I'm not gonna do it at ALL." That's just asking for trouble.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  3. Fergal1982

    Fergal1982 Petabyte Poster

    Some interesting points.

    On the subject of passwords, because of an MOD contract, we are required to change our passwords every 5 weeks. It's an absolute pain in the arse to be honest. I'm one of the good ones, and try to think up different passwords every time, but it's becoming unfeasible to do so. Ergo, every 12 cycles, when the policy resets, I start from the start again. I happen to know people who have it written down, and other people who are just working their way through the alphabet (aaaaaaaa, bbbbbbbbbb). Couple the change policy with a 9 character limit and it's just really useless to be honest.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  4. DC Pr0Mo

    DC Pr0Mo Kilobyte Poster

    Changing a password every 5 weeks would annoy me; I would most likely end up using a passphrase if it was that often.

    Edit - Just seen the 9 character limit, ouch
     
    Last edited: Mar 16, 2010
    Certifications: MCDST | BSc Network Computing
    WIP: 70-291 | 70-293 | 70-294 | 70-297
  5. BosonMichael

    BosonMichael Yottabyte Poster

    Yep - this is one of the author's points that I agree with. Having mandatory password changes doesn't add much value. Starting out with a complex password is a reasonable step.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
