Friday, December 29, 2006

Lessons from Analog Security

As a security person I try to take notice of security measures in non-digital settings. These are a few I noticed this week.

  • When visiting a jewelry store, I saw a sign saying the following: "Our insurance policy does not permit us to remove more than one item at a time from this display case." This sign was attached to a case containing the store's most valuable jewelry. This is an example of limiting exposure by restricting access to one asset at a time. In a more generic sense, the digital version might involve following guidelines applied by an insurance company. Perhaps they would require WPA2 for wireless networks, and so on.

  • I received a check from a client. Underneath the signature line I read "Two signatures required for amounts over $75,000." This is an example of dual accountability (also called dual control or the two-person rule). It requires someone writing fraudulent checks to have an accomplice. The digital version involves requiring two privileged users acting together to accomplish a particularly sensitive task.

  • At many stores I saw video cameras directly above the cash register. While these might be useful for recording thieves, they are probably in place to deter employees from stealing. The digital version is comprehensive host- and network-centric monitoring.

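The dual-accountability rule on the check, carried into code as an added example (this is not the post's own code): a hypothetical payment ledger that releases a transfer above the threshold only when two distinct approvers have each signed the same canonical request with their own key. HMAC-SHA256 stands in for whatever signature scheme a real system would use, and the approver names and keys are constructed for the example. The gate counts only valid signatures from distinct known principals, so one approver signing twice, an unknown principal, or a request altered after signing does not satisfy the rule; the audit log it keeps plays the role of the camera over the register.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, field

# The check in the post required two signatures above $75,000; the same
# threshold is used for the digital dual-control rule here.
DUAL_CONTROL_THRESHOLD = 75_000

# Constructed sample key material for three hypothetical approvers. In a real
# deployment each approver holds only their own key (smart card, HSM, OS keyring);
# the keys sit in one dict here only so the example runs stand-alone.
APPROVER_KEYS: dict[str, bytes] = {
    "alice": b"alice-demo-key-0001",
    "bob": b"bob-demo-key-0002",
    "carol": b"carol-demo-key-0003",
}


def canonical(payload: dict) -> bytes:
    """Serialize the request deterministically so every approver signs identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(approver: str, payload: dict) -> tuple[str, str]:
    """Approver side: return (approver, HMAC-SHA256 over the canonical request)."""
    mac = hmac.new(APPROVER_KEYS[approver], canonical(payload), hashlib.sha256).hexdigest()
    return approver, mac


@dataclass
class Decision:
    approved: bool
    reason: str
    valid_signers: frozenset[str]


@dataclass
class Ledger:
    """Gate side: counts distinct, cryptographically valid approvals per request."""

    audit_log: list[dict] = field(default_factory=list)

    @staticmethod
    def required_signatures(amount: int) -> int:
        return 2 if amount > DUAL_CONTROL_THRESHOLD else 1

    def authorize(self, payload: dict, signatures: list[tuple[str, str]]) -> Decision:
        message = canonical(payload)
        valid: set[str] = set()
        for approver, mac in signatures:
            key = APPROVER_KEYS.get(approver)
            if key is None:
                continue  # unknown principal contributes nothing
            expected = hmac.new(key, message, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, mac):  # constant-time comparison
                valid.add(approver)  # a set: the same approver signing twice counts once

        need = self.required_signatures(payload["amount"])
        if len(valid) >= need:
            decision = Decision(True, f"{len(valid)} of {need} required approvals", frozenset(valid))
        else:
            decision = Decision(False, f"only {len(valid)} of {need} required approvals", frozenset(valid))

        # Every attempt, approved or not, is recorded: the camera over the register.
        self.audit_log.append({
            "payload": payload,
            "presented": [approver for approver, _ in signatures],
            "valid": sorted(valid),
            "approved": decision.approved,
        })
        return decision


if __name__ == "__main__":
    ledger = Ledger()
    request = {"payee": "ACME Supplies", "amount": 100_000}  # constructed sample request
    print(ledger.authorize(request, [sign("alice", request)]))                      # rejected
    print(ledger.authorize(request, [sign("alice", request), sign("bob", request)]))  # approved
```

Note that the rule is enforced where the money moves, not in the client that collects the signatures: a compromised client can present whatever it likes, but it cannot manufacture a second approver's MAC without that approver's key.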

I think one of the fundamental problems of digital security is the inability to translate historically sound analog security practices into digital forms. Traditional computer scientists are not security experts. Traditional security experts are usually not computer scientists. Addressing this gap would be beneficial to both communities.

Can you think of other examples of security measures in the analog world that could be applied to the digital world?

2 comments:

John Ward said...

Issues like this can typically be addressed during the design phase. While software development lifecycles are typically things held in the classroom and not on the floor, this is something that should be discussed during the design phase. Problem is, the design phase never includes an open discussion with security engineers. This is where that gap would be addressed. When designing things like sequence diagrams, a development team, including security engineers, would address and notate that secure methods are required at points A, C, and F.

It would be nice if that gap could be addressed. Of course, the bigger problem is that software developers usually skip the design phase and go at it with "Shoot first, shoot again, and try asking a question or two when finished shooting." Computer scientists need to address the gaps in their own community before trying to bridge any gaps with others...

Anonymous said...
This comment has been removed by a blog administrator.