Subject: Security issues From: "Curt A. Monash" <0006058685@mcimail.com> Date: Sun, 9 Jul 95 08:40 EST
How the Web Was Won
Subject: Security issues From: "Curt A. Monash" <0006058685@mcimail.com> Date: Sun, 9 Jul 95 08:40 EST
Message-Id: <34950709134043/0006058685NA1EM@MCIMAIL.COM>
Sender: owner-online-news@marketplace.com
Precedence: bulk
Status: O
X-Status: 

MIS departments get very confused about "security", because it actually
refers to a number of different problems:

1.  Accidental data corruption by thoughtless end users.
2.  Theft of confidential information (by insiders or outsiders).
3.  Deliberate sabotage (by insiders or outsiders).

#1 is one of the biggest issues in transaction processing, but doesn't
really belong under the heading "security".  

#2 is overblown.  As one of my consulting clients at a security-obsessed
Swiss Bank put it, "If the solution costs more than $X (X was a five-figure
number), who cares?  For that price somebody could corrupt one of my
clerks."

Thus, the only real Internet-related security issue that matters is
deliberate sabotage by outsiders.  I know Wall Street trading operations
that are just as paranoid as the newspapers Dominique and others describe. 
I'm just guessing, but I think the reason is the same:  They have very
real-time operational needs.  If the system is shut down for a couple of
hours by sabotage, that might be the difference as to whether we get all of
today's work done or none of it (I'm oversimplifying, but the point is that
ANY successful act of sabotage could be a disaster).

That's a valid concern. But the high-powered firewalls are in the wrong
place. They should be around the "production" system, internally, not at the
corporation boundaries.  Let people still get information across the
Internet.  It boost their efficiency enough so that, if you lose the network
a day a year to security problems, you've still had a big net efficiency
gain for the year.  However, if you lose the layout/typesetting system a day
a year, Internet access may NOT be worth that price.

That doesn't mean you shouldn't have good security everywhere in your
company.  Just don't panic over the fact that it isn't perfect.   Direct
hacking attacks could still be a pain; at least make them difficult.  And
put in sensible defenses against viruses, too.  (One of my favorites for
programming types is:  If somebody sends you source code over the Net,
compile it on a machine outside the firewall.  That will flush out most
viruses -- and code is of course where viruses are most likely to live.)

Curt Monash
Chief Risk Assessment Officer
Monash Information Services  
cmonash@mcimail.com


From owner-online-newspapers@marketplace.com Sun Jul  9 13:05:08 1995
Received: from marketplace.com (majordom@marketplace.com [199.45.128.10]) by cnj.digex.net (8.6.12/8.6.12) with ESMTP id NAA09291 ; for ; Sun, 9 Jul 1995 13:05:06 -0400
Received: (from majordom@localhost) by marketplace.com (8.6.12/8.6.12) id KAA28975 for online-newspapers-outgoing; Sun, 9 Jul 1995 10:26:31 -0600
Received: from ns.onramp.net (ns.onramp.net [199.1.11.2]) by marketplace.com (8.6.12/8.6.12) with ESMTP id KAA28970 for ; Sun, 9 Jul 1995 10:26:29 -0600
Received: from .onramp.net (turnpike19.onramp.net [199.184.212.147]) by ns.onramp.net (8.6.5/8.6.5) with SMTP id LAA00609; Sun, 9 Jul 1995 11:22:37 -0500