Re: Data Encryption on TurboImage/MPE
- From: Pete Eggers <peter.m.eggers@xxxxxxxxx>
- Date: Fri, 13 Jul 2007 20:26:21 -0700
What has changed:
- Internet: easy access to computers worldwide for malware, and
networking for blackhats.
- PC: software (malware) development platform available to hundreds
of millions of people.
- Windows: the Swiss cheese of operating systems, or a legal drug
pushed by many dealers!
- Growth: amount of data online far outstripping supply of top
computer professionals.
- Complexity: interconnected systems becoming more complex,
multiplying Growth problems.
- Information: valuable commodity, most valuable and vulnerable at
your fingertips.
- Dependence: businesses becoming more dependent on IT every year.
- Mobility: infected mobile computers re-attached to internal networks.
- Legal: haphazard and intentional compromise of business IT assets
comes with increasing legal consequences.
Mixing shipping and HR information would show a gross lack of 'due
care' which has legal implications.
Encrypting data is a tool. Misapplying the tool falls under 'due
care', and not having proper and/or approved procedures in place to
safely use it falls under 'due diligence'.
The courts seem to be becoming the "school of hard knocks" for IT and
executives alike as most consider security in a heavily networked
society: annoyingly time consuming and complex; and/or are blissfully
ignorant of consequences; and/or "will cross that bridge when they
come to it".
The world has changed a lot in 60 years, and at an increasing rate.
Adaptability is essential to survive. The days of multi-user text
interface database servers connected by simple serial lines to dumb
terminals are gone. Even when client/server systems begin to look like
the old dinosaurs, the invisible underlying functionality and
complexity is increasing dramatically. This hidden complexity needs
to be secured. With worldwide high-speed broadband interconnectivity
increasing at a rapid rate, the bad guys are probing for holes in this
ever increasing complexity of our interconnected systems, making our
systems harder and harder to secure.
Most of the government systems with highly sensitive information or
functions are disconnected from networks, or connected only to
internal highly secured and controlled networks. No way to guarantee
their safety if connected to public networks. Business depends more
and more on interconnectivity every year. Therefore, risk analysis
is essential, even if it boils down to just purchasing an insurance
policy to cover a vulnerability.
Pete
On 7/13/07, Tracy Johnson <tmjva@xxxxxxxxxxx> wrote:
I just find it funny that all of a sudden after 60 odd years of computers there is
a sudden need for encrypting data where it resides. It still begs the question of
lack of access control.
If the hypothetical HR Dept. has its data on a host, and the hypothetical Shipping
Dept. has access to HR's data, what kind of access control is that?
I recall upon receipt of my set of rainbow books in the early 1980's and a
discussion of the (then theoretical) "Class A1" trusted information system holding
the highest levels of classified data:
"A blackboard with something written on it can be a Class A1 trusted information
system. All you need to do is put it in a locked room and have users sign in and
out at the door where the armed guard is."
Taking away the armed guard and lowering the Trusted Criteria a bit, what I
understand is being wanted here, is to require users to decode gibberish written
on the blackboard AFTER they have already been let in!
If you see my point, it is far more practical (if not as efficient) to encrypt
data as it is being transmitted, to and from a host and decrypted upon receipt.
If a key is lost, you may always transmit again using a new key.
There is also additional risk if the data is encrypted on the host. If you've
lost the key, you've lost everything.
Encrypting data at the host DOES have its uses. On a PC where there is no access
control and the hard drive can be compromised easily, such as at home, or in
airline baggage, host encryption makes sense and the user counts on it. But that
user also runs the same risk if he forgets the key.
I think the key here is the differences between multiuser hosts and PCs. The line
became blurred when they started using PCs as multiuser servers and basic
concepts of security became lost.