ietf

Re: Security Paradox

2002-10-14 22:01:37

On Mon, 14 Oct 2002 Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:

On Tue, 15 Oct 2002 11:06:09 +1000, Benny Nasution 
<bnas3(_at_)STUDENT(_dot_)MONASH(_dot_)EDU>  said:
Security always needs to be increased to reduce threats and risks, but
these threats and risks are the ultimate source of information about
the quality of its ability. Therefore the better the security is
developed the less information you will get about how to improve it.

Proper auditing and instrumentation will tell you what's being *attempted*.

Also, note that security is a *process*, and involves making trade-offs.
For instance, my network has well over 30K hosts on it.  Even if I manage to
make 99% of them totally hack-proof, I need to expect an average of 1 host
to be hacked *every day*.  Yes, I could probably harden it so 99.9% were

You know something.  In an earlier message someone mentioned the title
"security expert".  I think considering what we know of security on the
internet that the term "security expert" is an oxymoron.  Security experts
are essentially crisis managers.  And every firm should have one.

regards
joe baptista


