Effective Security Can Be Simple (sometimes)

Yesterday I advocated for a simple approach for controlling botnets: turn off your PC. It's simple, and even the least technical user can handle that one. Mike Knight, an IT consultant in the UK, has a similar keep-it-simple approach to phishing. His basic principle: “if you can’t do it securely, then don’t do it at all.”

Knight goes on to say:

Given the limits of email right now (including SPF and such), it is impossible for the average user to know whether or not a specific email is legitimate or not. Sure, www.ebay.com is easy to verify, but is www.myebaysecurity.com also legitimate? Should I click on the enclosed link? SPF, rDNS, and everything else can confirm that that IP address is legitimately assigned to that name.
So, the easiest solution would be to not send email with links. Yes, I am aware that this will mean the end of the cute HTML email ads that you send/receive. That’s the part about “if you can’t do it securely then don’t do it at all.” There’s no use in crying about what you can’t do if you can’t do what you want to do in a secure fashion.

Sound harsh? It is. Look, when a convenient technique is easily compromised we have to weigh the risks and benefits. Sure, skydiving is fun if you have a parachute and suicidal if you don't. When it comes to using links in emails, we don't have adequate parachutes right now, and it is going to be a while before we get them.

Let's face it. The bad guys are getting very good at what they do, and they have a lot of advantages in the back and forth of the ongoing hack-and-patch approach to security. We need to change the rules of the game. Simple steps, like turning off a botnet-riddled box at night and not using links in emails, need to become part of how we operate.
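To make Knight's point concrete, here is an added example (not code from this post or from Knight) of how a mail gateway could enforce either his "no links at all" rule or a weaker allowlist rule. It shows why the weaker rule is harder than it looks: SPF and rDNS can confirm that a server is who it says it is, but a policy filter still has to decide whether www.myebaysecurity.com is the same thing as ebay.com, and whether the visible anchor text matches where the link actually goes. The TRUSTED_DOMAINS allowlist, the two sample messages and the last-two-labels domain heuristic are constructed assumptions for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed allowlist of domains this organisation treats as legitimate
# link targets (an assumption for the example, not a real policy).
TRUSTED_DOMAINS = {"ebay.com", "example.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")


def registrable_domain(host):
    """Last two DNS labels; a crude stand-in for a Public Suffix List lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _text_parts(raw_email):
    """Yield (content_type, decoded_text) for each text/plain or text/html part."""
    msg = message_from_string(raw_email)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True) or b""
        yield ctype, payload.decode(part.get_content_charset() or "utf-8", "replace")


def extract_links(raw_email):
    """All http(s) URLs in the body, in order of first appearance, without duplicates."""
    seen, links = set(), []
    for _, text in _text_parts(raw_email):
        for url in URL_RE.findall(text):
            if url not in seen:
                seen.add(url)
                links.append(url)
    return links


def mismatched_anchors(raw_email):
    """HTML anchors whose visible text names one domain while href points at another."""
    found = []
    for ctype, text in _text_parts(raw_email):
        if ctype != "text/html":
            continue
        for href, inner in ANCHOR_RE.findall(text):
            shown = TAG_RE.sub("", inner).strip()
            if " " in shown or "." not in shown:
                continue  # display text is a plain word, not a host name
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            href_host = urlparse(href).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(href_host):
                found.append((shown, href))
    return found


def check_message(raw_email, policy="no-links"):
    """'no-links' is Knight's rule: any link means reject.
    'allowlist' accepts links only to TRUSTED_DOMAINS with honest anchor text."""
    links = extract_links(raw_email)
    untrusted = [u for u in links
                 if registrable_domain(urlparse(u).hostname or "") not in TRUSTED_DOMAINS]
    mismatched = mismatched_anchors(raw_email)
    if policy == "no-links":
        verdict = "reject" if links else "accept"
    elif policy == "allowlist":
        verdict = "reject" if (untrusted or mismatched) else "accept"
    else:
        raise ValueError("unknown policy: " + policy)
    return {"links": links, "untrusted": untrusted,
            "mismatched_anchors": mismatched, "verdict": verdict}


# Constructed sample: a lookalike domain plus an anchor whose text lies about its target.
PHISH_EMAIL = """\
From: security@myebaysecurity.com
To: user@example.com
Subject: Verify your account
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please confirm at http://www.myebaysecurity.com/login
Help: http://www.ebay.com/help

--b1
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://www.myebaysecurity.com/login">www.ebay.com</a></p>
<p><a href="http://www.ebay.com/help">Help</a></p>

--b1--
"""

# Constructed sample following the "no links" rule: tells the user to log in as usual.
PLAIN_EMAIL = """\
From: billing@example.com
To: user@example.com
Subject: Statement ready
Content-Type: text/plain; charset="utf-8"

Your statement is ready. Log in to your account as you normally do to view it.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("plain", PLAIN_EMAIL)):
        for policy in ("no-links", "allowlist"):
            print(name, policy, check_message(raw, policy)["verdict"])
```

Under the "no-links" policy the first message is rejected simply because it contains links, with no need to decide whether myebaysecurity.com is legitimate; the second passes. Under "allowlist" the first message is still rejected, but only because the filter both recognises the untrusted domain and notices that the anchor text www.ebay.com does not match its href. The allowlist has to be right and kept current, which is exactly the judgement Knight argues the average user, and arguably the gateway, cannot make reliably.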

By the way, Realtime Publishing just announced Volume Two of The Essentials Series: Messaging and Web Security. It's a compilation of security articles covering topics like:

• New techniques for detecting spam
• Reducing the threat from phishing attacks
• Detecting and eliminating bots
• Mitigating the threat of spyware
• Security information management in small and mid-sized businesses

Some of the articles are available now and others will be coming soon.

Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net