General discussion


Is Internet security more about asking questions than finding answers?

By debate
Do you agree with Jonathan Yarden that it's sometimes more important to ask the right questions about security than it is to find the answers? Does your organization follow this philosophy, or does it assume the security precautions in place are sufficient? Share your comments about the importance of questioning your organization's security strategy, as discussed in the March 7 Internet Security Focus newsletter.



by Jaqui In reply to Is Internet security more ...

If the questions aren't asked, then there is no security.

You have to question the security level of any system that is connected to another.
It doesn't matter how well the question is answered; just by asking and checking you find holes and fix them.

Questions are a must

by wbaltas In reply to Is Internet security more ...

The number of security holes that are discovered on a daily basis requires that questions be asked. Anyone who has the job title of security officer has to ask questions and get answers to them on a regular basis.

20 questions?

by david_heath In reply to Is Internet security more ...

Anyone can ask questions... it often takes a very smart person to answer the questions of the silliest questioner.

But also, the smartest people often ask the toughest questions.

The more you understand security, the tougher you can quiz the practitioners.


It's also about people interaction

by JayGee21 In reply to Is Internet security more ...

All large services such as this one now rely totally on "hands off" interaction with their clients. As an example, have you TRIED to call your bank lately? For security purposes, for companies such as those that sell ID information and other secure information, it should be mandatory to talk with a live person first before issuing clearance. That is where asking the right questions would be done. If you have ever connected with one of these information houses, you will be directed to fill out their online form. That's it... you're connected.

Perhaps we trust too much that what is stated is fact.

when they call you...

by david_heath In reply to It's also about people in ...

What amuses me most is when a bank or Govt department calls me... the first thing is they want me to prove who *I* am.

Hang on, *you* called me, how do I know who *you* are??? There's no way I'm going to prove my credentials to someone *claiming* to be from XYZ organisation.

Then I hang up.

The ONLY answer

by AnswerMan In reply to Is Internet security more ...

The only answer is "thumbprint verification" or "retina scan" verification..... Unless someone hacks the authorized individual's digit off, well then.... that's a movie of the week, isn't it?

nobody uses retina scan

by david_heath In reply to The ONLY answer

Hopefully you mean iris recognition, because I don't know of any widely deployed retina projects. Also, there is no 'scanning' involved. The iris recognition system simply grabs a photo of the front of the eye.

Also, most fingerprint systems have a variety of liveness tests built in. A severed finger generally won't work.

Regarding movies, watch closely - it's only the A-grade stars (Tom, Arnie, etc.) who can defeat the biometric system; everyone else is forced to use it properly - doesn't THAT tell you more about the general robustness of biometric systems? ~smile~


I was wondering where you got the statistics about 750 incidents? Can you supply the source for this information? Just in case you're curious, no, I don't work for or with any of the companies involved.



by winkyx In reply to Statistics?

Evaluation of any security scheme is an ongoing process. To think otherwise is patently insane. Personally, I have found that the questions that come up when discussing security options or the effectiveness of current processes are far too specific. Organizations tend to focus on their current practices and enforcing compliance, as opposed to focusing on the effectiveness of those practices themselves. By using set scenarios with set answers, they often run the risk of beating a dead horse instead of buying a new tractor.

The same idea applies to finding gaps within a current system. Instead of starting with the internal controls of hardware and software vulnerabilities, it is often more productive to begin with the front line employees (front line does imply first line of defense, after all). Beginning with a simple documentation of their everyday actions and the implication of those actions as they relate to the internal controls, it is easy to build a case for points of possible vulnerability. A simple example would be the point of data transfer. Where did it come from? How do we know? Where will it be written to? How many places, and where? How will it be accessed? Where is it backed up to? Obviously, verification of the data itself is a whole 'nother flow chart.

Suffice to say, it is often business practices themselves that end up being altered. The desire to make it "easy" for the customer to access or interact with a company, or even to make it easier for employees to do their jobs, is a pitfall that many businesses encounter. Lost customer confidence, legal fees, and SOX/HIPAA involvement are seldom seen as a deterrent until too late.

Of Questions and Choicepoint

by tagmarkman In reply to Is Internet security more ...

Asking the right questions will only get you so far. I've asked the right questions at companies in which I have worked. We have even answered many of those questions with a more-than-likely correct answer. However, unless they are implemented and tested, it's fairly worthless in terms of protection. These solutions have to be weighed, and economic factors, among others, play a part in their priority.

It's not about whether the questions, the answers, or the implementation is the most important. What is important is that a sincere and continuous effort is being made to make the system and data secure while reducing customer inconvenience in a cost-effective manner.

Using Choicepoint to make your point is pushing the limit of responsible action. Choicepoint was not hacked. False companies were created. These companies had the correct information. Choicepoint's method of verifying companies was validated by Pinkerton's security audit. In other words, Choicepoint is just as responsible for company verification as Verisign is for their digital signatures.

Choicepoint allowed access to this data as they do to all qualifying clients. The difference is that the company that was given this data used it in an act of fraud. When this was discovered, the criminals were dealt with and the problem could have been swept under the rug like too many security issues.

However, the state of California requires a letter to be sent to each of the people in question. This is why it hit the news: thousands of people were getting this letter and it caused a good bit of chaos. I doubt asking the right question would have prevented this issue.